diff --git a/PROJECT b/PROJECT
deleted file mode 100644
index 9f196235..00000000
--- a/PROJECT
+++ /dev/null
@@ -1,24 +0,0 @@
-domain: policy.networking.k8s.io
-layout: go.kubebuilder.io/v3
-projectName: network-policy-api
-repo: github.com/kubernetes-sigs/network-policy-api
-resources:
-- api:
- crdVersion: v1
- namespaced: true
- controller: false
- domain: policy.networking.k8s.io
- group: policy.networking.k8s.io
- kind: AdminNetworkPolicy
- path: github.com/kubernetes-sigs/network-policy-api/apis/v1alpha1
- version: v1alpha1
-- api:
- crdVersion: v1
- namespaced: true
- controller: false
- domain: policy.networking.k8s.io
- group: policy.networking.k8s.io
- kind: BaselineAdminNetworkPolicy
- path: github.com/kubernetes-sigs/network-policy-api/apis/v1alpha1
- version: v1alpha1
-version: "3"
diff --git a/apis/v1alpha2/clusternetworkpolicy_types.go b/apis/v1alpha2/clusternetworkpolicy_types.go
new file mode 100644
index 00000000..b007ced7
--- /dev/null
+++ b/apis/v1alpha2/clusternetworkpolicy_types.go
@@ -0,0 +1,484 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// All fields in this package are required unless Explicitly marked optional
+// +kubebuilder:validation:Required
+package v1alpha2
+
+import (
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ClusterNetworkPolicy is a cluster-wide network policy resource.
+//
+// +genclient
+// +genclient:nonNamespaced
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:shortName=cnp,scope=Cluster
+// +kubebuilder:printcolumn:name="Tier",type=string,JSONPath=".spec.tier"
+// +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=".spec.priority"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type ClusterNetworkPolicy struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata"`
+
+ // Spec defines the desired behavior of ClusterNetworkPolicy.
+ Spec ClusterNetworkPolicySpec `json:"spec"`
+
+ // Status is the status to be reported by the implementation.
+ // +optional
+ Status ClusterNetworkPolicyStatus `json:"status,omitempty"`
+}
+
+// ClusterNetworkPolicySpec defines the desired state of ClusterNetworkPolicy.
+type ClusterNetworkPolicySpec struct {
+ // Tier is used as the top-level grouping for network policy prioritization.
+ //
+ // Policy tiers are evaluated in the following order:
+ // * Admin tier
+ // * NetworkPolicy tier
+ // * Baseline tier
+ //
+ // ClusterNetworkPolicy can use 2 of these tiers: Admin and Baseline.
+ //
+ // The Admin tier takes precedence over all other policies. Policies
+ // defined in this tier are used to set cluster-wide security rules
+ // that cannot be overridden in the other tiers. If Admin tier has
+ // made a final decision (Allow or Deny) on a connection, then no
+ // further evaluation is done.
+ //
+ // NetworkPolicy tier is the tier for the namespaced v1.NetworkPolicy.
+ // These policies are intended for the application developer to describe
+ // the security policy associated with their deployments inside their
+ // namespace. v1.NetworkPolicy always makes a final decision for selected
+ // pods. Further evaluation only happens for Pods not selected by a
+ // v1.NetworkPolicy.
+ //
+ // Baseline tier is a cluster-wide policy that can be overridden by the
+ // v1.NetworkPolicy. If Baseline tier has made a final decision (Allow or
+ // Deny) on a connection, then no further evaluation is done.
+ //
+ // If a given connection wasn't allowed or denied by any of the tiers,
+ // the default kubernetes policy is applied, which says that
+ // all pods can communicate with each other.
+ Tier Tier `json:"tier"`
+
+ // Priority is a value from 0 to 1000 indicating the precedence of
+ // the policy within its tier. Policies with lower priority values have
+ // higher precedence, and are checked before policies with higher priority
+ // values in the same tier. All Admin tier rules have higher precedence than
+ // NetworkPolicy or Baseline tier rules.
+ // If two (or more) policies in the same tier with the same priority
+ // could match a connection, then the implementation can apply any of the
+ // matching policies to the connection, and there is no way for the user to
+ // reliably determine which one it will choose. Administrators must be
+ // careful about assigning the priorities for policies with rules that will
+ // match many connections, and ensure that policies have unique priority
+ // values in cases where ambiguity would be unacceptable.
+ //
+ // +kubebuilder:validation:Minimum=0
+ // +kubebuilder:validation:Maximum=1000
+ Priority int32 `json:"priority"`
+
+ // Subject defines the pods to which this ClusterNetworkPolicy applies.
+ Subject ClusterNetworkPolicySubject `json:"subject"`
+
+ // Ingress is the list of Ingress rules to be applied to the selected pods.
+ // A total of 100 rules will be allowed in each CNP instance.
+ // The relative precedence of ingress rules within a single CNP object
+ // (all of which share the priority) will be determined by the order
+ // in which the rule is written.
+ // Thus, a rule that appears at the top of the ingress rules
+ // would take the highest precedence.
+ // CNPs with no ingress rules do not affect ingress traffic.
+ //
+ // +optional
+ // +kubebuilder:validation:MaxItems=100
+ Ingress []ClusterNetworkPolicyIngressRule `json:"ingress,omitempty"`
+
+ // Egress is the list of Egress rules to be applied to the selected pods.
+ // A total of 100 rules will be allowed in each CNP instance.
+ // The relative precedence of egress rules within a single CNP object
+ // (all of which share the priority) will be determined by the order
+ // in which the rule is written.
+ // Thus, a rule that appears at the top of the egress rules
+ // would take the highest precedence.
+ // CNPs with no egress rules do not affect egress traffic.
+ //
+ // +optional
+ // +kubebuilder:validation:MaxItems=100
+ Egress []ClusterNetworkPolicyEgressRule `json:"egress,omitempty"`
+}
+
+// +kubebuilder:validation:Enum={"Admin", "Baseline"}
+type Tier string
+
+const (
+ AdminTier Tier = "Admin"
+ BaselineTier Tier = "Baseline"
+)
+
+// ClusterNetworkPolicyStatus defines the observed state of
+// ClusterNetworkPolicy.
+type ClusterNetworkPolicyStatus struct {
+ // +patchMergeKey=type
+ // +patchStrategy=merge
+ // +listType=map
+ // +listMapKey=type
+ Conditions []metav1.Condition `json:"conditions" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+// ClusterNetworkPolicySubject defines what resources the policy applies to.
+// Exactly one field must be set.
+// Note that host-networked pods are not included in subject selection.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type ClusterNetworkPolicySubject struct {
+ // Namespaces is used to select pods via namespace selectors.
+ // +optional
+ Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
+ // Pods is used to select pods via namespace AND pod selectors.
+ // +optional
+ Pods *NamespacedPod `json:"pods,omitempty"`
+}
+
+// ClusterNetworkPolicyIngressRule describes an action to take on a particular
+// set of traffic destined for pods selected by a ClusterNetworkPolicy's
+// Subject field.
+type ClusterNetworkPolicyIngressRule struct {
+ // Name is an identifier for this rule, that may be no more than
+ // 100 characters in length. This field should be used by the implementation
+ // to help improve observability, readability and error-reporting
+ // for any applied AdminNetworkPolicies.
+ //
+ // +optional
+ // +kubebuilder:validation:MaxLength=100
+ Name string `json:"name,omitempty"`
+
+ // Action specifies the effect this rule will have on matching traffic.
+ // Currently the following actions are supported:
+ // Allow: Accepts the selected traffic. No further ClusterNetworkPolicy/
+ // NetworkPolicy rules will be processed for it.
+ // Deny: Drops the selected traffic. No further ClusterNetworkPolicy/
+ // NetworkPolicy rules will be processed for it.
+ // Pass: Skips all further ClusterNetworkPolicy rules in the current tier
+ // for the selected traffic, and passes execution to the next tier.
+ Action ClusterNetworkPolicyRuleAction `json:"action"`
+
+ // From is the list of sources whose traffic this rule applies to.
+ // If any element matches the source of incoming
+ // traffic then the specified action is applied.
+ // This field must be defined and contain at least one item.
+ //
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=100
+ From []ClusterNetworkPolicyIngressPeer `json:"from"`
+
+ // Ports allows for matching traffic based on port and protocols.
+ // This field is a list of ports which should be matched on
+ // the pods selected for this policy i.e the subject of the policy.
+ // So it matches on the destination port for the ingress traffic.
+ // If Ports is not set then the rule does not filter traffic via port.
+ //
+ // +optional
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=100
+ Ports *[]ClusterNetworkPolicyPort `json:"ports,omitempty"`
+}
+
+// ClusterNetworkPolicyEgressRule describes an action to take on a particular
+// set of traffic originating from pods selected by a ClusterNetworkPolicy's
+// Subject field.
+//
+// +kubebuilder:validation:XValidation:rule="!(self.to.exists(peer, has(peer.networks) || has(peer.nodes) || has(peer.domainNames)) && has(self.ports) && self.ports.exists(port, has(port.namedPort)))",message="networks/nodes/domainNames peer cannot be set with namedPorts since there are no namedPorts for networks/nodes/domainNames"
+type ClusterNetworkPolicyEgressRule struct {
+ // Name is an identifier for this rule, that may be no more than
+ // 100 characters in length. This field should be used by the implementation
+ // to help improve observability, readability and error-reporting
+ // for any applied AdminNetworkPolicies.
+ //
+ // +optional
+ // +kubebuilder:validation:MaxLength=100
+ Name string `json:"name,omitempty"`
+
+ // Action specifies the effect this rule will have on matching traffic.
+ // Currently the following actions are supported:
+ // Allow: Accepts the selected traffic. No further ClusterNetworkPolicy/
+ // NetworkPolicy rules will be processed for it.
+ // Deny: Drops the selected traffic. No further ClusterNetworkPolicy/
+ // NetworkPolicy rules will be processed for it.
+ // Pass: Skips all further ClusterNetworkPolicy rules in the current tier
+ // for the selected traffic, and passes execution to the next tier.
+ Action ClusterNetworkPolicyRuleAction `json:"action"`
+
+ // To is the List of destinations whose traffic this rule applies to.
+ // If any element matches the destination of outgoing
+ // traffic then the specified action is applied.
+ // This field must be defined and contain at least one item.
+ //
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=100
+ To []ClusterNetworkPolicyEgressPeer `json:"to"`
+
+ // Ports allows for matching traffic based on port and protocols.
+ // This field is a list of destination ports for the outgoing egress traffic.
+ // If Ports is not set then the rule does not filter traffic via port.
+ //
+ // +optional
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=100
+ Ports *[]ClusterNetworkPolicyPort `json:"ports,omitempty"`
+}
+
+// ClusterNetworkPolicyRuleAction string describes the ClusterNetworkPolicy
+// action type.
+//
+// +enum
+// +kubebuilder:validation:Enum={"Allow", "Deny", "Pass"}
+type ClusterNetworkPolicyRuleAction string
+
+const (
+ // ClusterNetworkPolicyRuleActionAllow indicates that matching traffic
+ // will be allowed and no further policy evaluation will be done.
+ // This is a final decision.
+ ClusterNetworkPolicyRuleActionAllow ClusterNetworkPolicyRuleAction = "Allow"
+ // ClusterNetworkPolicyRuleActionDeny indicates that matching traffic
+ // will be denied and no further policy evaluation will be done.
+ // This is a final decision.
+ ClusterNetworkPolicyRuleActionDeny ClusterNetworkPolicyRuleAction = "Deny"
+ // ClusterNetworkPolicyRuleActionPass indicates that matching traffic
+ // will jump to the next tier evaluation. That means that all the rules
+ // with lower priority at the same tier will be ignored,
+ // but evaluation will continue at the next tier.
+ // For example, if an Admin tier CNP uses Pass action,
+ // NetworkPolicy evaluation will happen next.
+ ClusterNetworkPolicyRuleActionPass ClusterNetworkPolicyRuleAction = "Pass"
+)
+
+// ClusterNetworkPolicyIngressPeer defines a peer to allow traffic from.
+//
+// Exactly one of the fields must be set for a given peer and this is enforced
+// by the validation rules on the CRD. If an implementation sees no fields are
+// set then it can infer that the deployed CRD is of an incompatible version
+// with an unknown field. In that case it should fail closed.
+//
+// For "Allow" rules, "fail closed" means: "treat the rule as matching no
+// traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule
+// as a 'Deny all' rule".
+//
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type ClusterNetworkPolicyIngressPeer struct {
+ // Namespaces defines a way to select all pods within a set of Namespaces.
+ // Note that host-networked pods are not included in this type of peer.
+ //
+ // +optional
+ Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
+ // Pods defines a way to select a set of pods in
+ // a set of namespaces. Note that host-networked pods
+ // are not included in this type of peer.
+ //
+ // +optional
+ Pods *NamespacedPod `json:"pods,omitempty"`
+}
+
+// ClusterNetworkPolicyPort describes how to select destination network ports.
+// Exactly one field must be set.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type ClusterNetworkPolicyPort struct {
+ // Port selects a destination port based on protocol and port number.
+ //
+ // +optional
+ PortNumber *Port `json:"portNumber,omitempty"`
+
+ // PortRange selects a destination port range based on protocol and
+ // start and end port numbers.
+ //
+ // +optional
+ PortRange *PortRange `json:"portRange,omitempty"`
+
+ // NamedPort selects a destination port on a pod based on the ContainerPort
+ // name. You can't use this in a rule with Nodes or Networks peers,
+ // because they do not have named ports.
+ //
+ //
+ // +optional
+ NamedPort *string `json:"namedPort,omitempty"`
+}
+
+// ClusterNetworkPolicyEgressPeer defines a peer to allow traffic to.
+//
+// Exactly one of the fields must be set for a given peer and this is enforced
+// by the validation rules on the CRD. If an implementation sees no fields are
+// set then it can infer that the deployed CRD is of an incompatible version
+// with an unknown field. In that case it should fail closed.
+//
+// For "Allow" rules, "fail closed" means: "treat the rule as matching no
+// traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule
+// as a 'Deny all' rule".
+//
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type ClusterNetworkPolicyEgressPeer struct {
+ // Namespaces defines a way to select all pods within a set of Namespaces.
+ // Note that host-networked pods are not included in this type of peer.
+ //
+ // +optional
+ Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
+ // Pods defines a way to select a set of pods in
+ // a set of namespaces. Note that host-networked pods
+ // are not included in this type of peer.
+ //
+ // +optional
+ Pods *NamespacedPod `json:"pods,omitempty"`
+ // Nodes defines a way to select a set of nodes in
+ // the cluster (based on the node's labels). It selects
+ // the nodeIPs as the peer type by matching on the IPs
+ // present in the node.Status.Addresses field of the node.
+ // This field follows standard label selector
+ // semantics; if present but empty, it selects all Nodes.
+ //
+ //
+ // +optional
+ Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
+ // Networks defines a way to select peers via CIDR blocks.
+ // This is intended for representing entities that live outside the cluster,
+ // which can't be selected by pods, namespaces and nodes peers, but note
+ // that cluster-internal traffic will be checked against the rule as
+ // well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
+ // or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
+ // add a rule that Passes all pod traffic before the Networks rule.
+ //
+ // Each item in Networks should be provided in the CIDR format and should be
+ // IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
+ //
+ // Networks can have upto 25 CIDRs specified.
+ //
+ // +optional
+ // +listType=set
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=25
+ Networks []CIDR `json:"networks,omitempty"`
+
+ // DomainNames provides a way to specify domain names as peers.
+ //
+ // DomainNames is only supported for Allow rules. In order to control
+ // access, DomainNames Allow rules should be used with a lower priority
+ // egress deny -- this allows the admin to maintain an explicit "allowlist"
+ // of reachable domains.
+ //
+ // DomainNames can have up to 25 domain names specified in one rule.
+ //
+ //
+ // +optional
+ // +listType=set
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=25
+ DomainNames []DomainName `json:"domainNames,omitempty"`
+}
+
+// NamespacedPod allows the user to select a given set of pod(s) in
+// selected namespace(s).
+type NamespacedPod struct {
+ // NamespaceSelector follows standard label selector semantics; if empty,
+ // it selects all Namespaces.
+ NamespaceSelector metav1.LabelSelector `json:"namespaceSelector"`
+
+ // PodSelector is used to explicitly select pods within a namespace;
+ // if empty, it selects all Pods.
+ PodSelector metav1.LabelSelector `json:"podSelector"`
+}
+
+type Port struct {
+ // Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
+ // match. If not specified, this field defaults to TCP.
+ // +kubebuilder:default=TCP
+ //
+ Protocol corev1.Protocol `json:"protocol"`
+
+ // Number defines a network port value.
+ // +kubebuilder:validation:Minimum=1
+ // +kubebuilder:validation:Maximum=65535
+ //
+ Port int32 `json:"port"`
+}
+
+// PortRange defines an inclusive range of ports from the assigned
+// Start value to End value.
+// +kubebuilder:validation:XValidation:rule="self.start < self.end", message="Start port must be less than End port"
+type PortRange struct {
+ // Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
+ // match. If not specified, this field defaults to TCP.
+ // +kubebuilder:default=TCP
+ //
+ Protocol corev1.Protocol `json:"protocol,omitempty"`
+
+ // Start defines a network port that is the start of a port range, the Start
+ // value must be less than End.
+ // +kubebuilder:validation:Minimum=1
+ // +kubebuilder:validation:Maximum=65535
+ //
+ Start int32 `json:"start"`
+
+ // End defines a network port that is the end of a port range, the End value
+ // must be greater than Start.
+ // +kubebuilder:validation:Minimum=1
+ // +kubebuilder:validation:Maximum=65535
+ //
+ End int32 `json:"end"`
+}
+
+// CIDR is an IP address range in CIDR notation
+// (for example, "10.0.0.0/8" or "fd00::/8").
+// +kubebuilder:validation:XValidation:rule="isCIDR(self)",message="Invalid CIDR format provided"
+// +kubebuilder:validation:MaxLength=43
+type CIDR string
+
+// DomainName describes one or more domain names to be used as a peer.
+//
+// DomainName can be an exact match, or use the wildcard specifier '*' to match
+// one or more labels.
+//
+// '*', the wildcard specifier, matches one or more entire labels. It does not
+// support partial matches. '*' may only be specified as a prefix.
+//
+// Examples:
+// - `kubernetes.io` matches only `kubernetes.io`.
+// It does not match "www.kubernetes.io", "blog.kubernetes.io",
+// "my-kubernetes.io", or "wikipedia.org".
+// - `blog.kubernetes.io` matches only "blog.kubernetes.io".
+// It does not match "www.kubernetes.io" or "kubernetes.io".
+// - `*.kubernetes.io` matches subdomains of kubernetes.io.
+// "www.kubernetes.io", "blog.kubernetes.io", and
+// "latest.blog.kubernetes.io" match, however "kubernetes.io", and
+// "wikipedia.org" do not.
+//
+// +kubebuilder:validation:Pattern=`^(\*\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.?$`
+type DomainName string
+
+// ClusterNetworkPolicyList contains a list of ClusterNetworkPolicy
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type ClusterNetworkPolicyList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []ClusterNetworkPolicy `json:"items"`
+}
diff --git a/apis/v1alpha2/doc.go b/apis/v1alpha2/doc.go
new file mode 100644
index 00000000..4ea2d9e2
--- /dev/null
+++ b/apis/v1alpha2/doc.go
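Review bot: The DomainNames comment on ClusterNetworkPolicyEgressPeer says the field is only supported for Allow rules, but nothing in this hunk enforces that, so a Deny or Pass rule whose `to` peers carry `domainNames` is accepted by the CRD and its effect is left to each implementation (the peer-level "fail closed" text does not cover it, since such a peer does have a field set). A CEL rule on ClusterNetworkPolicyEgressRule next to the existing namedPort rule would close the gap: `// +kubebuilder:validation:XValidation:rule="self.action == 'Allow' || !self.to.exists(peer, has(peer.domainNames))",message="domainNames peers are only supported in Allow rules"`. Separately, the DomainName pattern uses `[a-zA-z0-9]` (lowercase z) twice; in ASCII the range `A-z` also spans `[`, `\`, `]`, `^`, `_` and the backtick, so a label may begin with any of those and the pattern is looser than the doc examples describe. Both occurrences should read `[a-zA-Z0-9]`. Minor: `Port` is exported with no doc comment, and its second field's comment calls it `Number` while the field is named `Port`.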
@@ -0,0 +1,18 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha2 contains API Schema definitions for the
+// policy.networking.k8s.io API group.
+// +kubebuilder:object:generate=true
+// +groupName=policy.networking.k8s.io
+package v1alpha2
diff --git a/apis/v1alpha2/zz_generated.deepcopy.go b/apis/v1alpha2/zz_generated.deepcopy.go
new file mode 100644
index 00000000..c8d22e93
--- /dev/null
+++ b/apis/v1alpha2/zz_generated.deepcopy.go
@@ -0,0 +1,370 @@ +//go:build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by controller-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterNetworkPolicy) DeepCopyInto(out *ClusterNetworkPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicy. +func (in *ClusterNetworkPolicy) DeepCopy() *ClusterNetworkPolicy { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterNetworkPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ClusterNetworkPolicyEgressPeer) DeepCopyInto(out *ClusterNetworkPolicyEgressPeer) { + *out = *in + if in.Namespaces != nil { + in, out := &in.Namespaces, &out.Namespaces + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.Pods != nil { + in, out := &in.Pods, &out.Pods + *out = new(NamespacedPod) + (*in).DeepCopyInto(*out) + } + if in.Nodes != nil { + in, out := &in.Nodes, &out.Nodes + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.Networks != nil { + in, out := &in.Networks, &out.Networks + *out = make([]CIDR, len(*in)) + copy(*out, *in) + } + if in.DomainNames != nil { + in, out := &in.DomainNames, &out.DomainNames + *out = make([]DomainName, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicyEgressPeer. +func (in *ClusterNetworkPolicyEgressPeer) DeepCopy() *ClusterNetworkPolicyEgressPeer { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicyEgressPeer) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterNetworkPolicyEgressRule) DeepCopyInto(out *ClusterNetworkPolicyEgressRule) { + *out = *in + if in.To != nil { + in, out := &in.To, &out.To + *out = make([]ClusterNetworkPolicyEgressPeer, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Ports != nil { + in, out := &in.Ports, &out.Ports + *out = new([]ClusterNetworkPolicyPort) + if **in != nil { + in, out := *in, *out + *out = make([]ClusterNetworkPolicyPort, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicyEgressRule. 
+func (in *ClusterNetworkPolicyEgressRule) DeepCopy() *ClusterNetworkPolicyEgressRule { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicyEgressRule) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterNetworkPolicyIngressPeer) DeepCopyInto(out *ClusterNetworkPolicyIngressPeer) { + *out = *in + if in.Namespaces != nil { + in, out := &in.Namespaces, &out.Namespaces + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.Pods != nil { + in, out := &in.Pods, &out.Pods + *out = new(NamespacedPod) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicyIngressPeer. +func (in *ClusterNetworkPolicyIngressPeer) DeepCopy() *ClusterNetworkPolicyIngressPeer { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicyIngressPeer) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterNetworkPolicyIngressRule) DeepCopyInto(out *ClusterNetworkPolicyIngressRule) { + *out = *in + if in.From != nil { + in, out := &in.From, &out.From + *out = make([]ClusterNetworkPolicyIngressPeer, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Ports != nil { + in, out := &in.Ports, &out.Ports + *out = new([]ClusterNetworkPolicyPort) + if **in != nil { + in, out := *in, *out + *out = make([]ClusterNetworkPolicyPort, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicyIngressRule. 
+func (in *ClusterNetworkPolicyIngressRule) DeepCopy() *ClusterNetworkPolicyIngressRule { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicyIngressRule) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterNetworkPolicyList) DeepCopyInto(out *ClusterNetworkPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ClusterNetworkPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicyList. +func (in *ClusterNetworkPolicyList) DeepCopy() *ClusterNetworkPolicyList { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterNetworkPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterNetworkPolicyPort) DeepCopyInto(out *ClusterNetworkPolicyPort) { + *out = *in + if in.PortNumber != nil { + in, out := &in.PortNumber, &out.PortNumber + *out = new(Port) + **out = **in + } + if in.NamedPort != nil { + in, out := &in.NamedPort, &out.NamedPort + *out = new(string) + **out = **in + } + if in.PortRange != nil { + in, out := &in.PortRange, &out.PortRange + *out = new(PortRange) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicyPort. 
+func (in *ClusterNetworkPolicyPort) DeepCopy() *ClusterNetworkPolicyPort { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicyPort) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterNetworkPolicySpec) DeepCopyInto(out *ClusterNetworkPolicySpec) { + *out = *in + in.Subject.DeepCopyInto(&out.Subject) + if in.Ingress != nil { + in, out := &in.Ingress, &out.Ingress + *out = make([]ClusterNetworkPolicyIngressRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Egress != nil { + in, out := &in.Egress, &out.Egress + *out = make([]ClusterNetworkPolicyEgressRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicySpec. +func (in *ClusterNetworkPolicySpec) DeepCopy() *ClusterNetworkPolicySpec { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterNetworkPolicyStatus) DeepCopyInto(out *ClusterNetworkPolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicyStatus. +func (in *ClusterNetworkPolicyStatus) DeepCopy() *ClusterNetworkPolicyStatus { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicyStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ClusterNetworkPolicySubject) DeepCopyInto(out *ClusterNetworkPolicySubject) { + *out = *in + if in.Namespaces != nil { + in, out := &in.Namespaces, &out.Namespaces + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.Pods != nil { + in, out := &in.Pods, &out.Pods + *out = new(NamespacedPod) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicySubject. +func (in *ClusterNetworkPolicySubject) DeepCopy() *ClusterNetworkPolicySubject { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicySubject) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NamespacedPod) DeepCopyInto(out *NamespacedPod) { + *out = *in + in.NamespaceSelector.DeepCopyInto(&out.NamespaceSelector) + in.PodSelector.DeepCopyInto(&out.PodSelector) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespacedPod. +func (in *NamespacedPod) DeepCopy() *NamespacedPod { + if in == nil { + return nil + } + out := new(NamespacedPod) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Port) DeepCopyInto(out *Port) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Port. +func (in *Port) DeepCopy() *Port { + if in == nil { + return nil + } + out := new(Port) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PortRange) DeepCopyInto(out *PortRange) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortRange. 
+func (in *PortRange) DeepCopy() *PortRange { + if in == nil { + return nil + } + out := new(PortRange) + in.DeepCopyInto(out) + return out +} diff --git a/apis/v1alpha2/zz_generated.register.go b/apis/v1alpha2/zz_generated.register.go new file mode 100644 index 00000000..1ecda9b6 --- /dev/null +++ b/apis/v1alpha2/zz_generated.register.go 
@@ -0,0 +1,70 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by register-gen. DO NOT EDIT.
+
+package v1alpha2
+
+import (
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ runtime "k8s.io/apimachinery/pkg/runtime"
+ schema "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName specifies the group name used to register the objects.
+const GroupName = "policy.networking.k8s.io"
+
+// GroupVersion specifies the group and the version used to register the objects.
+var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v1alpha2"}
+
+// SchemeGroupVersion is group version used to register these objects
+// Deprecated: use GroupVersion instead.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ // localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ // Deprecated: use Install instead
+ AddToScheme = localSchemeBuilder.AddToScheme
+ Install = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &ClusterNetworkPolicy{},
+ &ClusterNetworkPolicyList{},
+ )
+ // AddToGroupVersion allows the serialization of client types like ListOptions.
+ v1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
diff --git a/config/crd/experimental/policy.networking.k8s.io_clusternetworkpolicies.yaml b/config/crd/experimental/policy.networking.k8s.io_clusternetworkpolicies.yaml
new file mode 100644
index 00000000..76ed7d75
--- /dev/null
+++ b/config/crd/experimental/policy.networking.k8s.io_clusternetworkpolicies.yaml
@@ -0,0 +1,1085 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/300 + policy.networking.k8s.io/bundle-version: v0.1.7 + policy.networking.k8s.io/channel: experimental + creationTimestamp: null + name: clusternetworkpolicies.policy.networking.k8s.io +spec: + group: policy.networking.k8s.io + names: + kind: ClusterNetworkPolicy + listKind: ClusterNetworkPolicyList + plural: clusternetworkpolicies + shortNames: + - cnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.tier + name: Tier + type: string + - jsonPath: .spec.priority + name: Priority + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterNetworkPolicy is a cluster-wide network policy resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired behavior of ClusterNetworkPolicy. + properties: + egress: + description: |- + Egress is the list of Egress rules to be applied to the selected pods. + A total of 100 rules will be allowed in each CNP instance. 
+ The relative precedence of egress rules within a single CNP object + (all of which share the priority) will be determined by the order + in which the rule is written. + Thus, a rule that appears at the top of the egress rules + would take the highest precedence. + CNPs with no egress rules do not affect egress traffic. + items: + description: |- + ClusterNetworkPolicyEgressRule describes an action to take on a particular + set of traffic originating from pods selected by a ClusterNetworkPolicy's + Subject field. + + properties: + action: + description: |- + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: Accepts the selected traffic. No further ClusterNetworkPolicy/ + NetworkPolicy rules will be processed for it. + Deny: Drops the selected traffic. No further ClusterNetworkPolicy/ + NetworkPolicy rules will be processed for it. + Pass: Skips all further ClusterNetworkPolicy rules in the current tier + for the selected traffic, and passes execution to the next tier. + enum: + - Allow + - Deny + - Pass + type: string + name: + description: |- + Name is an identifier for this rule, that may be no more than + 100 characters in length. This field should be used by the implementation + to help improve observability, readability and error-reporting + for any applied AdminNetworkPolicies. + maxLength: 100 + type: string + ports: + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of destination ports for the outgoing egress traffic. + If Ports is not set then the rule does not filter traffic via port. + items: + description: |- + ClusterNetworkPolicyPort describes how to select destination network ports. + Exactly one field must be set. + maxProperties: 1 + minProperties: 1 + properties: + namedPort: + description: |- + NamedPort selects a destination port on a pod based on the ContainerPort + name. 
You can't use this in a rule with Nodes or Networks peers, + because they do not have named ports. + + + type: string + portNumber: + description: Port selects a destination port based on + protocol and port number. + properties: + port: + description: Number defines a network port value. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + type: string + required: + - port + - protocol + type: object + portRange: + description: |- + PortRange selects a destination port range based on protocol and + start and end port numbers. + properties: + end: + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + type: string + start: + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + x-kubernetes-validations: + - message: Start port must be less than End port + rule: self.start < self.end + type: object + maxItems: 100 + minItems: 1 + type: array + to: + description: |- + To is the List of destinations whose traffic this rule applies to. + If any element matches the destination of outgoing + traffic then the specified action is applied. + This field must be defined and contain at least one item. + items: + description: |- + ClusterNetworkPolicyEgressPeer defines a peer to allow traffic to. + + Exactly one of the fields must be set for a given peer and this is enforced + by the validation rules on the CRD. 
If an implementation sees no fields are + set then it can infer that the deployed CRD is of an incompatible version + with an unknown field. In that case it should fail closed. + + For "Allow" rules, "fail closed" means: "treat the rule as matching no + traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule + as a 'Deny all' rule". + maxProperties: 1 + minProperties: 1 + properties: + domainNames: + description: |- + DomainNames provides a way to specify domain names as peers. + + DomainNames is only supported for Allow rules. In order to control + access, DomainNames Allow rules should be used with a lower priority + egress deny -- this allows the admin to maintain an explicit "allowlist" + of reachable domains. + + DomainNames can have up to 25 domain names specified in one rule. + + + items: + description: |- + DomainName describes one or more domain names to be used as a peer. + + DomainName can be an exact match, or use the wildcard specifier '*' to match + one or more labels. + + '*', the wildcard specifier, matches one or more entire labels. It does not + support partial matches. '*' may only be specified as a prefix. + + Examples: + - `kubernetes.io` matches only `kubernetes.io`. + It does not match "www.kubernetes.io", "blog.kubernetes.io", + "my-kubernetes.io", or "wikipedia.org". + - `blog.kubernetes.io` matches only "blog.kubernetes.io". + It does not match "www.kubernetes.io" or "kubernetes.io". + - `*.kubernetes.io` matches subdomains of kubernetes.io. + "www.kubernetes.io", "blog.kubernetes.io", and + "latest.blog.kubernetes.io" match, however "kubernetes.io", and + "wikipedia.org" do not. + pattern: ^(\*\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.?$ + type: string + maxItems: 25 + minItems: 1 + type: array + x-kubernetes-list-type: set + namespaces: + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. 
+ Note that host-networked pods are not included in this type of peer. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + networks: + description: |- + Networks defines a way to select peers via CIDR blocks. + This is intended for representing entities that live outside the cluster, + which can't be selected by pods, namespaces and nodes peers, but note + that cluster-internal traffic will be checked against the rule as + well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow + or deny all IPv4 pod-to-pod traffic as well. If you don't want that, + add a rule that Passes all pod traffic before the Networks rule. 
+ + Each item in Networks should be provided in the CIDR format and should be + IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". + + Networks can have upto 25 CIDRs specified. + items: + description: |- + CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + maxLength: 43 + type: string + x-kubernetes-validations: + - message: Invalid CIDR format provided + rule: isCIDR(self) + maxItems: 25 + minItems: 1 + type: array + x-kubernetes-list-type: set + nodes: + description: |- + Nodes defines a way to select a set of nodes in + the cluster (based on the node's labels). It selects + the nodeIPs as the peer type by matching on the IPs + present in the node.Status.Addresses field of the node. + This field follows standard label selector + semantics; if present but empty, it selects all Nodes. + + + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; + if empty, it selects all Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + maxItems: 100 + minItems: 1 + type: array + required: + - action + - to + type: object + x-kubernetes-validations: + - message: networks/nodes/domainNames peer cannot be set with namedPorts + since there are no namedPorts for networks/nodes/domainNames + rule: '!(self.to.exists(peer, has(peer.networks) || has(peer.nodes) + || has(peer.domainNames)) && has(self.ports) && self.ports.exists(port, + has(port.namedPort)))' + maxItems: 100 + type: array + ingress: + description: |- + Ingress is the list of Ingress rules to be applied to the selected pods. + A total of 100 rules will be allowed in each CNP instance. + The relative precedence of ingress rules within a single CNP object + (all of which share the priority) will be determined by the order + in which the rule is written. + Thus, a rule that appears at the top of the ingress rules + would take the highest precedence. + CNPs with no ingress rules do not affect ingress traffic. + items: + description: |- + ClusterNetworkPolicyIngressRule describes an action to take on a particular + set of traffic destined for pods selected by a ClusterNetworkPolicy's + Subject field. + properties: + action: + description: |- + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: Accepts the selected traffic. No further ClusterNetworkPolicy/ + NetworkPolicy rules will be processed for it. + Deny: Drops the selected traffic. No further ClusterNetworkPolicy/ + NetworkPolicy rules will be processed for it. + Pass: Skips all further ClusterNetworkPolicy rules in the current tier + for the selected traffic, and passes execution to the next tier. + enum: + - Allow + - Deny + - Pass + type: string + from: + description: |- + From is the list of sources whose traffic this rule applies to. 
+ If any element matches the source of incoming + traffic then the specified action is applied. + This field must be defined and contain at least one item. + items: + description: |- + ClusterNetworkPolicyIngressPeer defines a peer to allow traffic from. + + Exactly one of the fields must be set for a given peer and this is enforced + by the validation rules on the CRD. If an implementation sees no fields are + set then it can infer that the deployed CRD is of an incompatible version + with an unknown field. In that case it should fail closed. + + For "Allow" rules, "fail closed" means: "treat the rule as matching no + traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule + as a 'Deny all' rule". + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; + if empty, it selects all Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + maxItems: 100 + minItems: 1 + type: array + name: + description: |- + Name is an identifier for this rule, that may be no more than + 100 characters in length. This field should be used by the implementation + to help improve observability, readability and error-reporting + for any applied AdminNetworkPolicies. + maxLength: 100 + type: string + ports: + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of ports which should be matched on + the pods selected for this policy i.e the subject of the policy. + So it matches on the destination port for the ingress traffic. + If Ports is not set then the rule does not filter traffic via port. + items: + description: |- + ClusterNetworkPolicyPort describes how to select destination network ports. + Exactly one field must be set. + maxProperties: 1 + minProperties: 1 + properties: + namedPort: + description: |- + NamedPort selects a destination port on a pod based on the ContainerPort + name. You can't use this in a rule with Nodes or Networks peers, + because they do not have named ports. + + + type: string + portNumber: + description: Port selects a destination port based on + protocol and port number. + properties: + port: + description: Number defines a network port value. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. 
+ type: string + required: + - port + - protocol + type: object + portRange: + description: |- + PortRange selects a destination port range based on protocol and + start and end port numbers. + properties: + end: + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + type: string + start: + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + x-kubernetes-validations: + - message: Start port must be less than End port + rule: self.start < self.end + type: object + maxItems: 100 + minItems: 1 + type: array + required: + - action + - from + type: object + maxItems: 100 + type: array + priority: + description: |- + Priority is a value from 0 to 1000 indicating the precedence of + the policy within its tier. Policies with lower priority values have + higher precedence, and are checked before policies with higher priority + values in the same tier. All Admin tier rules have higher precedence than + NetworkPolicy or Baseline tier rules. + If two (or more) policies in the same tier with the same priority + could match a connection, then the implementation can apply any of the + matching policies to the connection, and there is no way for the user to + reliably determine which one it will choose. Administrators must be + careful about assigning the priorities for policies with rules that will + match many connections, and ensure that policies have unique priority + values in cases where ambiguity would be unacceptable. 
+ format: int32 + maximum: 1000 + minimum: 0 + type: integer + subject: + description: Subject defines the pods to which this ClusterNetworkPolicy + applies. + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: Namespaces is used to select pods via namespace selectors. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: Pods is used to select pods via namespace AND pod + selectors. + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; + if empty, it selects all Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + tier: + description: |- + Tier is used as the top-level grouping for network policy prioritization. + + Policy tiers are evaluated in the following order: + * Admin tier + * NetworkPolicy tier + * Baseline tier + + ClusterNetworkPolicy can use 2 of these tiers: Admin and Baseline. + + The Admin tier takes precedence over all other policies. Policies + defined in this tier are used to set cluster-wide security rules + that cannot be overridden in the other tiers. If Admin tier has + made a final decision (Allow or Deny) on a connection, then no + further evaluation is done. + + NetworkPolicy tier is the tier for the namespaced v1.NetworkPolicy. + These policies are intended for the application developer to describe + the security policy associated with their deployments inside their + namespace. v1.NetworkPolicy always makes a final decision for selected + pods. 
Further evaluation only happens for Pods not selected by a + v1.NetworkPolicy. + + Baseline tier is a cluster-wide policy that can be overridden by the + v1.NetworkPolicy. If Baseline tier has made a final decision (Allow or + Deny) on a connection, then no further evaluation is done. + + If a given connection wasn't allowed or denied by any of the tiers, + the default kubernetes policy is applied, which says that + all pods can communicate with each other. + enum: + - Admin + - Baseline + type: string + required: + - priority + - subject + - tier + type: object + status: + description: Status is the status to be reported by the implementation. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. 
+ This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - conditions + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/config/crd/standard/policy.networking.k8s.io_clusternetworkpolicies.yaml b/config/crd/standard/policy.networking.k8s.io_clusternetworkpolicies.yaml new file mode 100644 index 00000000..3af1d052 --- /dev/null +++ b/config/crd/standard/policy.networking.k8s.io_clusternetworkpolicies.yaml 
@@ -0,0 +1,971 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/300 + policy.networking.k8s.io/bundle-version: v0.1.7 + policy.networking.k8s.io/channel: standard + creationTimestamp: null + name: clusternetworkpolicies.policy.networking.k8s.io +spec: + group: policy.networking.k8s.io + names: + kind: ClusterNetworkPolicy + listKind: ClusterNetworkPolicyList + plural: clusternetworkpolicies + shortNames: + - cnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.tier + name: Tier + type: string + - jsonPath: .spec.priority + name: Priority + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterNetworkPolicy is a cluster-wide network policy resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired behavior of ClusterNetworkPolicy. + properties: + egress: + description: |- + Egress is the list of Egress rules to be applied to the selected pods. + A total of 100 rules will be allowed in each CNP instance. 
+ The relative precedence of egress rules within a single CNP object + (all of which share the priority) will be determined by the order + in which the rule is written. + Thus, a rule that appears at the top of the egress rules + would take the highest precedence. + CNPs with no egress rules do not affect egress traffic. + items: + description: |- + ClusterNetworkPolicyEgressRule describes an action to take on a particular + set of traffic originating from pods selected by a ClusterNetworkPolicy's + Subject field. + + properties: + action: + description: |- + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: Accepts the selected traffic. No further ClusterNetworkPolicy/ + NetworkPolicy rules will be processed for it. + Deny: Drops the selected traffic. No further ClusterNetworkPolicy/ + NetworkPolicy rules will be processed for it. + Pass: Skips all further ClusterNetworkPolicy rules in the current tier + for the selected traffic, and passes execution to the next tier. + enum: + - Allow + - Deny + - Pass + type: string + name: + description: |- + Name is an identifier for this rule, that may be no more than + 100 characters in length. This field should be used by the implementation + to help improve observability, readability and error-reporting + for any applied AdminNetworkPolicies. + maxLength: 100 + type: string + ports: + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of destination ports for the outgoing egress traffic. + If Ports is not set then the rule does not filter traffic via port. + items: + description: |- + ClusterNetworkPolicyPort describes how to select destination network ports. + Exactly one field must be set. + maxProperties: 1 + minProperties: 1 + properties: + portNumber: + description: Port selects a destination port based on + protocol and port number. 
+ properties: + port: + description: Number defines a network port value. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + type: string + required: + - port + - protocol + type: object + portRange: + description: |- + PortRange selects a destination port range based on protocol and + start and end port numbers. + properties: + end: + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + type: string + start: + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + x-kubernetes-validations: + - message: Start port must be less than End port + rule: self.start < self.end + type: object + maxItems: 100 + minItems: 1 + type: array + to: + description: |- + To is the List of destinations whose traffic this rule applies to. + If any element matches the destination of outgoing + traffic then the specified action is applied. + This field must be defined and contain at least one item. + items: + description: |- + ClusterNetworkPolicyEgressPeer defines a peer to allow traffic to. + + Exactly one of the fields must be set for a given peer and this is enforced + by the validation rules on the CRD. If an implementation sees no fields are + set then it can infer that the deployed CRD is of an incompatible version + with an unknown field. In that case it should fail closed. 
+ + For "Allow" rules, "fail closed" means: "treat the rule as matching no + traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule + as a 'Deny all' rule". + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + networks: + description: |- + Networks defines a way to select peers via CIDR blocks. 
+ This is intended for representing entities that live outside the cluster, + which can't be selected by pods, namespaces and nodes peers, but note + that cluster-internal traffic will be checked against the rule as + well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow + or deny all IPv4 pod-to-pod traffic as well. If you don't want that, + add a rule that Passes all pod traffic before the Networks rule. + + Each item in Networks should be provided in the CIDR format and should be + IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". + + Networks can have upto 25 CIDRs specified. + items: + description: |- + CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + maxLength: 43 + type: string + x-kubernetes-validations: + - message: Invalid CIDR format provided + rule: isCIDR(self) + maxItems: 25 + minItems: 1 + type: array + x-kubernetes-list-type: set + pods: + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; + if empty, it selects all Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + maxItems: 100 + minItems: 1 + type: array + required: + - action + - to + type: object + maxItems: 100 + type: array + ingress: + description: |- + Ingress is the list of Ingress rules to be applied to the selected pods. + A total of 100 rules will be allowed in each CNP instance. + The relative precedence of ingress rules within a single CNP object + (all of which share the priority) will be determined by the order + in which the rule is written. + Thus, a rule that appears at the top of the ingress rules + would take the highest precedence. + CNPs with no ingress rules do not affect ingress traffic. + items: + description: |- + ClusterNetworkPolicyIngressRule describes an action to take on a particular + set of traffic destined for pods selected by a ClusterNetworkPolicy's + Subject field. + properties: + action: + description: |- + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: Accepts the selected traffic. No further ClusterNetworkPolicy/ + NetworkPolicy rules will be processed for it. + Deny: Drops the selected traffic. No further ClusterNetworkPolicy/ + NetworkPolicy rules will be processed for it. + Pass: Skips all further ClusterNetworkPolicy rules in the current tier + for the selected traffic, and passes execution to the next tier. + enum: + - Allow + - Deny + - Pass + type: string + from: + description: |- + From is the list of sources whose traffic this rule applies to. + If any element matches the source of incoming + traffic then the specified action is applied. 
+ This field must be defined and contain at least one item. + items: + description: |- + ClusterNetworkPolicyIngressPeer defines a peer to allow traffic from. + + Exactly one of the fields must be set for a given peer and this is enforced + by the validation rules on the CRD. If an implementation sees no fields are + set then it can infer that the deployed CRD is of an incompatible version + with an unknown field. In that case it should fail closed. + + For "Allow" rules, "fail closed" means: "treat the rule as matching no + traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule + as a 'Deny all' rule". + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; + if empty, it selects all Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + maxItems: 100 + minItems: 1 + type: array + name: + description: |- + Name is an identifier for this rule, that may be no more than + 100 characters in length. This field should be used by the implementation + to help improve observability, readability and error-reporting + for any applied AdminNetworkPolicies. 
+ maxLength: 100 + type: string + ports: + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of ports which should be matched on + the pods selected for this policy i.e the subject of the policy. + So it matches on the destination port for the ingress traffic. + If Ports is not set then the rule does not filter traffic via port. + items: + description: |- + ClusterNetworkPolicyPort describes how to select destination network ports. + Exactly one field must be set. + maxProperties: 1 + minProperties: 1 + properties: + portNumber: + description: Port selects a destination port based on + protocol and port number. + properties: + port: + description: Number defines a network port value. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + type: string + required: + - port + - protocol + type: object + portRange: + description: |- + PortRange selects a destination port range based on protocol and + start and end port numbers. + properties: + end: + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + type: string + start: + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + x-kubernetes-validations: + - message: Start port must be less than End port + rule: self.start < self.end + type: object + maxItems: 100 + minItems: 1 + type: array + required: + - action + - from + type: object + maxItems: 100 + type: array + priority: + description: |- + Priority is a value from 0 to 1000 indicating the precedence of + the policy within its tier. Policies with lower priority values have + higher precedence, and are checked before policies with higher priority + values in the same tier. All Admin tier rules have higher precedence than + NetworkPolicy or Baseline tier rules. + If two (or more) policies in the same tier with the same priority + could match a connection, then the implementation can apply any of the + matching policies to the connection, and there is no way for the user to + reliably determine which one it will choose. Administrators must be + careful about assigning the priorities for policies with rules that will + match many connections, and ensure that policies have unique priority + values in cases where ambiguity would be unacceptable. + format: int32 + maximum: 1000 + minimum: 0 + type: integer + subject: + description: Subject defines the pods to which this ClusterNetworkPolicy + applies. + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: Namespaces is used to select pods via namespace selectors. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. 
+ Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: Pods is used to select pods via namespace AND pod + selectors. + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; + if empty, it selects all Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + tier: + description: |- + Tier is used as the top-level grouping for network policy prioritization. + + Policy tiers are evaluated in the following order: + * Admin tier + * NetworkPolicy tier + * Baseline tier + + ClusterNetworkPolicy can use 2 of these tiers: Admin and Baseline. + + The Admin tier takes precedence over all other policies. Policies + defined in this tier are used to set cluster-wide security rules + that cannot be overridden in the other tiers. If Admin tier has + made a final decision (Allow or Deny) on a connection, then no + further evaluation is done. + + NetworkPolicy tier is the tier for the namespaced v1.NetworkPolicy. + These policies are intended for the application developer to describe + the security policy associated with their deployments inside their + namespace. v1.NetworkPolicy always makes a final decision for selected + pods. Further evaluation only happens for Pods not selected by a + v1.NetworkPolicy. + + Baseline tier is a cluster-wide policy that can be overridden by the + v1.NetworkPolicy. If Baseline tier has made a final decision (Allow or + Deny) on a connection, then no further evaluation is done. + + If a given connection wasn't allowed or denied by any of the tiers, + the default kubernetes policy is applied, which says that + all pods can communicate with each other. + enum: + - Admin + - Baseline + type: string + required: + - priority + - subject + - tier + type: object + status: + description: Status is the status to be reported by the implementation. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - conditions + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
diff --git a/config/samples/batch_v1alpha1_baselineadminnetworkpolicy.yaml b/config/samples/batch_v1alpha1_baselineadminnetworkpolicy.yaml
deleted file mode 100644
index ea9f6572..00000000
--- a/config/samples/batch_v1alpha1_baselineadminnetworkpolicy.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: batch.policy.networking.k8s.io/v1alpha1
-kind: BaselineAdminNetworkPolicy
-metadata:
- name: baselineadminnetworkpolicy-sample
-spec:
- # Add fields here
- foo: bar
diff --git a/config/samples/policy.networking.k8s.io_v1alpha1_adminnetworkpolicy.yaml b/config/samples/policy.networking.k8s.io_v1alpha1_adminnetworkpolicy.yaml
deleted file mode 100644
index 216ef368..00000000
--- a/config/samples/policy.networking.k8s.io_v1alpha1_adminnetworkpolicy.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: AdminNetworkPolicy
-metadata:
- name: adminnetworkpolicy-sample
-spec:
- # Add fields here
- foo: bar
diff --git a/config/samples/policy.networking.k8s.io_v1alpha1_baselineadminnetworkpolicy.yaml b/config/samples/policy.networking.k8s.io_v1alpha1_baselineadminnetworkpolicy.yaml
deleted file mode 100644
index d21ac8bc..00000000
--- a/config/samples/policy.networking.k8s.io_v1alpha1_baselineadminnetworkpolicy.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: BaselineAdminNetworkPolicy
-metadata:
- name: baselineadminnetworkpolicy-sample
-spec:
- # Add fields here
- foo: bar
diff --git a/hack/update-codegen.sh b/hack/update-codegen.sh
index bc20b9a4..878efd45 100755
--- a/hack/update-codegen.sh
+++ b/hack/update-codegen.sh
@@ -45,10 +45,10 @@ fi
 export GOMODCACHE GO111MODULE GOFLAGS GOPATH
-readonly API_VERSION=v1alpha1
+readonly APIS_PKG=sigs.k8s.io/network-policy-api
 readonly OUTPUT_PKG=sigs.k8s.io/network-policy-api/pkg/client
-readonly OUTPUT_DIR=${SCRIPT_ROOT}/pkg/client
-readonly API_DIR=${SCRIPT_ROOT}/apis/${API_VERSION}
+readonly OUTPUT_DIR=pkg/client
+readonly APIS_PATH=apis
 readonly CLIENTSET_NAME=versioned
 readonly CLIENTSET_PKG_NAME=clientset
 readonly APPLYCONFIG_PKG_NAME=applyconfiguration
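Review bot: `readonly OUTPUT_DIR=pkg/client` and `readonly APIS_PATH=apis` replace the removed `${SCRIPT_ROOT}`-anchored paths with paths relative to the caller's working directory, so every later `--output-dir`, the `find "${APIS_PATH}"` and `paths="./${APIS_PATH}"` only resolve correctly when the script is run from the repository root. If the script does not already `cd "${SCRIPT_ROOT}"` before this point (not visible in this hunk), an out-of-tree invocation will write generated clients next to wherever it was started, or find no API versions at all. Because `APIS_PATH` has to stay relative to double as a package path under `--input-base`, the simplest fix is an explicit `cd "${SCRIPT_ROOT}"` near the top of the script with a comment such as `# all paths below are relative to the repo root`.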
@@ -58,45 +58,58 @@ readonly COMMON_FLAGS="${VERIFY_FLAG:-} --go-header-file ${SCRIPT_ROOT}/hack/boi
 echo "Generating CRDs"
 go run ./pkg/generator
-echo "Generating applyconfig at ${OUTPUT_PKG}/${APPLYCONFIG_PKG_NAME}"
+INPUT_DIRS_SPACE=""
+INPUT_DIRS_CLIENTSET=""
+
+mapfile -t VERSIONS < <(find "${APIS_PATH}" -maxdepth 1 -type d -name "v*" -printf '%f\n' | LC_ALL=C sort -u)
+for VERSION in "${VERSIONS[@]}"; do
+ INPUT_DIRS_SPACE+="${APIS_PKG}/${APIS_PATH}/${VERSION} "
+ INPUT_DIRS_CLIENTSET+="${APIS_PATH}/${VERSION},"
+done
+
+INPUT_DIRS_SPACE="${INPUT_DIRS_SPACE%,}" # drop trailing space
+INPUT_DIRS_CLIENTSET="${INPUT_DIRS_CLIENTSET%,}" # drop trailing comma
+
+echo "Generating applyconfig at ${APIS_PKG}/${APPLYCONFIG_PKG_NAME}"
 go run k8s.io/code-generator/cmd/applyconfiguration-gen \
-"${API_DIR}" \
---output-pkg "${OUTPUT_PKG}/${APPLYCONFIG_PKG_NAME}" \
---output-dir "${OUTPUT_DIR}/${APPLYCONFIG_PKG_NAME}" \
-${COMMON_FLAGS}
+ --output-pkg "${OUTPUT_PKG}/${APPLYCONFIG_PKG_NAME}" \
+ --output-dir "${OUTPUT_DIR}/${APPLYCONFIG_PKG_NAME}" \
+ ${COMMON_FLAGS} \
+ ${INPUT_DIRS_SPACE}
 echo "Generating clientset at ${OUTPUT_PKG}/${CLIENTSET_PKG_NAME}"
 go run k8s.io/code-generator/cmd/client-gen \
---clientset-name "${CLIENTSET_NAME}" \
---input-base "" \
---input "${API_DIR}" \
---output-dir "${OUTPUT_DIR}/${CLIENTSET_PKG_NAME}" \
---output-pkg "${OUTPUT_PKG}/${CLIENTSET_PKG_NAME}" \
---apply-configuration-package "${OUTPUT_PKG}/${APPLYCONFIG_PKG_NAME}" \
-${COMMON_FLAGS}
+ --clientset-name "${CLIENTSET_NAME}" \
+ --input-base "${APIS_PKG}" \
+ --input "${INPUT_DIRS_CLIENTSET}" \
+ --output-dir "${OUTPUT_DIR}/${CLIENTSET_PKG_NAME}" \
+ --output-pkg "${OUTPUT_PKG}/${CLIENTSET_PKG_NAME}" \
+ --apply-configuration-package "${OUTPUT_PKG}/${APPLYCONFIG_PKG_NAME}" \
+ ${COMMON_FLAGS}
 echo "Generating listers at ${OUTPUT_PKG}/listers"
 go run k8s.io/code-generator/cmd/lister-gen \
-"${API_DIR}" \
---output-dir "${OUTPUT_DIR}/listers" \
---output-pkg "${OUTPUT_PKG}/listers" \
-${COMMON_FLAGS}
+ --output-dir "${OUTPUT_DIR}/listers" \
+ --output-pkg "${OUTPUT_PKG}/listers" \
+ ${COMMON_FLAGS} \
+ ${INPUT_DIRS_SPACE}
 echo "Generating informers at ${OUTPUT_PKG}/informers"
 go run k8s.io/code-generator/cmd/informer-gen \
---versioned-clientset-package "${OUTPUT_PKG}/${CLIENTSET_PKG_NAME}/${CLIENTSET_NAME}" \
---listers-package "${OUTPUT_DIR}/listers" \
---output-dir "${OUTPUT_DIR}/informers" \
---output-pkg "${OUTPUT_PKG}/informers" \
-${COMMON_FLAGS}
-
-echo "Generating ${API_VERSION} register at ${API_DIR}"
+ --versioned-clientset-package "${OUTPUT_PKG}/${CLIENTSET_PKG_NAME}/${CLIENTSET_NAME}" \
+ --listers-package "${OUTPUT_PKG}/listers" \
+ --output-dir "${OUTPUT_DIR}/informers" \
+ --output-pkg "${OUTPUT_PKG}/informers" \
+ ${COMMON_FLAGS} \
+ ${INPUT_DIRS_SPACE}
+
+echo "Generating register"
 go run k8s.io/code-generator/cmd/register-gen \
-"${API_DIR}" \
---output-file "zz_generated.register.go" \
-${COMMON_FLAGS}
+ --output-file "zz_generated.register.go" \
+ ${COMMON_FLAGS} \
+ ${INPUT_DIRS_SPACE}
-echo "Generating ${API_VERSION} deepcopy at ${API_DIR}"
+echo "Generating deepcopy at ${APIS_PATH}"
 go run sigs.k8s.io/controller-tools/cmd/controller-gen \
-object:headerFile="${SCRIPT_ROOT}/hack/boilerplate.generatego.txt" \
-paths="${API_DIR}"
+ object:headerFile="${SCRIPT_ROOT}/hack/boilerplate.generatego.txt" \
+ paths="./${APIS_PATH}"
diff --git a/npeps/npep-285-combine-crds.md b/npeps/npep-285-combine-crds.md
index c111b20f..2d92852a 100644
--- a/npeps/npep-285-combine-crds.md
+++ b/npeps/npep-285-combine-crds.md
@@ -1,7 +1,7 @@
 # NPEP-285: NPEP template
 * Issue: [#285](https://github.com/kubernetes-sigs/network-policy-api/issues/285)
-* Status: Provisional
+* Status: Experimental
 ## TLDR
diff --git a/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicy.go b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicy.go
new file mode 100644
index 00000000..eeb955c4
--- /dev/null
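Review bot: `INPUT_DIRS_SPACE="${INPUT_DIRS_SPACE%,}" # drop trailing space` does not do what its comment says: the loop appends a trailing space, but the `%,` pattern strips a trailing comma, so the line is a no-op and the value keeps its trailing space; it only works because every later `${INPUT_DIRS_SPACE}` is expanded unquoted and word-split. Change it to `INPUT_DIRS_SPACE="${INPUT_DIRS_SPACE% }"` so the value and the comment agree. The applyconfig progress message now prints `${APIS_PKG}/${APPLYCONFIG_PKG_NAME}` while the generator still writes to `--output-pkg "${OUTPUT_PKG}/${APPLYCONFIG_PKG_NAME}"`, so restore `echo "Generating applyconfig at ${OUTPUT_PKG}/${APPLYCONFIG_PKG_NAME}"` to match the other three messages. Two smaller points worth a comment on the `mapfile` line: `find -printf` is GNU-only, so a developer with BSD find (macOS) gets an error on stderr but an empty `VERSIONS` array and the generators then run with no input packages, and an empty array under `set -u` (not visible here) is itself an error on bash older than 4.4; a guard such as `[[ ${#VERSIONS[@]} -gt 0 ]] || { echo "no API versions found under ${APIS_PATH}" >&2; exit 1; }` right after the `mapfile` covers both.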
+++ b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicy.go 
@@ -0,0 +1,224 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + v1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// ClusterNetworkPolicyApplyConfiguration represents a declarative configuration of the ClusterNetworkPolicy type for use +// with apply. +type ClusterNetworkPolicyApplyConfiguration struct { + v1.TypeMetaApplyConfiguration `json:",inline"` + *v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"` + Spec *ClusterNetworkPolicySpecApplyConfiguration `json:"spec,omitempty"` + Status *ClusterNetworkPolicyStatusApplyConfiguration `json:"status,omitempty"` +} + +// ClusterNetworkPolicy constructs a declarative configuration of the ClusterNetworkPolicy type for use with +// apply. +func ClusterNetworkPolicy(name string) *ClusterNetworkPolicyApplyConfiguration { + b := &ClusterNetworkPolicyApplyConfiguration{} + b.WithName(name) + b.WithKind("ClusterNetworkPolicy") + b.WithAPIVersion("policy.networking.k8s.io/v1alpha2") + return b +} + +// WithKind sets the Kind field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Kind field is set to the value of the last call. 
+func (b *ClusterNetworkPolicyApplyConfiguration) WithKind(value string) *ClusterNetworkPolicyApplyConfiguration { + b.TypeMetaApplyConfiguration.Kind = &value + return b +} + +// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the APIVersion field is set to the value of the last call. +func (b *ClusterNetworkPolicyApplyConfiguration) WithAPIVersion(value string) *ClusterNetworkPolicyApplyConfiguration { + b.TypeMetaApplyConfiguration.APIVersion = &value + return b +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *ClusterNetworkPolicyApplyConfiguration) WithName(value string) *ClusterNetworkPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Name = &value + return b +} + +// WithGenerateName sets the GenerateName field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the GenerateName field is set to the value of the last call. +func (b *ClusterNetworkPolicyApplyConfiguration) WithGenerateName(value string) *ClusterNetworkPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.GenerateName = &value + return b +} + +// WithNamespace sets the Namespace field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespace field is set to the value of the last call. 
+func (b *ClusterNetworkPolicyApplyConfiguration) WithNamespace(value string) *ClusterNetworkPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Namespace = &value + return b +} + +// WithUID sets the UID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the UID field is set to the value of the last call. +func (b *ClusterNetworkPolicyApplyConfiguration) WithUID(value types.UID) *ClusterNetworkPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.UID = &value + return b +} + +// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ResourceVersion field is set to the value of the last call. +func (b *ClusterNetworkPolicyApplyConfiguration) WithResourceVersion(value string) *ClusterNetworkPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.ResourceVersion = &value + return b +} + +// WithGeneration sets the Generation field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Generation field is set to the value of the last call. 
+func (b *ClusterNetworkPolicyApplyConfiguration) WithGeneration(value int64) *ClusterNetworkPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Generation = &value + return b +} + +// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CreationTimestamp field is set to the value of the last call. +func (b *ClusterNetworkPolicyApplyConfiguration) WithCreationTimestamp(value metav1.Time) *ClusterNetworkPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.CreationTimestamp = &value + return b +} + +// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionTimestamp field is set to the value of the last call. +func (b *ClusterNetworkPolicyApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *ClusterNetworkPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value + return b +} + +// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call. 
+func (b *ClusterNetworkPolicyApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *ClusterNetworkPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value + return b +} + +// WithLabels puts the entries into the Labels field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Labels field, +// overwriting an existing map entries in Labels field with the same key. +func (b *ClusterNetworkPolicyApplyConfiguration) WithLabels(entries map[string]string) *ClusterNetworkPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 { + b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.ObjectMetaApplyConfiguration.Labels[k] = v + } + return b +} + +// WithAnnotations puts the entries into the Annotations field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Annotations field, +// overwriting an existing map entries in Annotations field with the same key. 
+func (b *ClusterNetworkPolicyApplyConfiguration) WithAnnotations(entries map[string]string) *ClusterNetworkPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 { + b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.ObjectMetaApplyConfiguration.Annotations[k] = v + } + return b +} + +// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the OwnerReferences field. +func (b *ClusterNetworkPolicyApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *ClusterNetworkPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + if values[i] == nil { + panic("nil value passed to WithOwnerReferences") + } + b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i]) + } + return b +} + +// WithFinalizers adds the given value to the Finalizers field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Finalizers field. 
+func (b *ClusterNetworkPolicyApplyConfiguration) WithFinalizers(values ...string) *ClusterNetworkPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i]) + } + return b +} + +func (b *ClusterNetworkPolicyApplyConfiguration) ensureObjectMetaApplyConfigurationExists() { + if b.ObjectMetaApplyConfiguration == nil { + b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{} + } +} + +// WithSpec sets the Spec field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Spec field is set to the value of the last call. +func (b *ClusterNetworkPolicyApplyConfiguration) WithSpec(value *ClusterNetworkPolicySpecApplyConfiguration) *ClusterNetworkPolicyApplyConfiguration { + b.Spec = value + return b +} + +// WithStatus sets the Status field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Status field is set to the value of the last call. +func (b *ClusterNetworkPolicyApplyConfiguration) WithStatus(value *ClusterNetworkPolicyStatusApplyConfiguration) *ClusterNetworkPolicyApplyConfiguration { + b.Status = value + return b +} + +// GetName retrieves the value of the Name field in the declarative configuration. +func (b *ClusterNetworkPolicyApplyConfiguration) GetName() *string { + b.ensureObjectMetaApplyConfigurationExists() + return b.ObjectMetaApplyConfiguration.Name +} diff --git a/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyegresspeer.go b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyegresspeer.go new file mode 100644 index 00000000..b303c8ac --- /dev/null 
+++ b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyegresspeer.go 
@@ -0,0 +1,84 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + v1 "k8s.io/client-go/applyconfigurations/meta/v1" + apisv1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2" +) + +// ClusterNetworkPolicyEgressPeerApplyConfiguration represents a declarative configuration of the ClusterNetworkPolicyEgressPeer type for use +// with apply. +type ClusterNetworkPolicyEgressPeerApplyConfiguration struct { + Namespaces *v1.LabelSelectorApplyConfiguration `json:"namespaces,omitempty"` + Pods *NamespacedPodApplyConfiguration `json:"pods,omitempty"` + Nodes *v1.LabelSelectorApplyConfiguration `json:"nodes,omitempty"` + Networks []apisv1alpha2.CIDR `json:"networks,omitempty"` + DomainNames []apisv1alpha2.DomainName `json:"domainNames,omitempty"` +} + +// ClusterNetworkPolicyEgressPeerApplyConfiguration constructs a declarative configuration of the ClusterNetworkPolicyEgressPeer type for use with +// apply. +func ClusterNetworkPolicyEgressPeer() *ClusterNetworkPolicyEgressPeerApplyConfiguration { + return &ClusterNetworkPolicyEgressPeerApplyConfiguration{} +} + +// WithNamespaces sets the Namespaces field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespaces field is set to the value of the last call. 
+func (b *ClusterNetworkPolicyEgressPeerApplyConfiguration) WithNamespaces(value *v1.LabelSelectorApplyConfiguration) *ClusterNetworkPolicyEgressPeerApplyConfiguration { + b.Namespaces = value + return b +} + +// WithPods sets the Pods field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Pods field is set to the value of the last call. +func (b *ClusterNetworkPolicyEgressPeerApplyConfiguration) WithPods(value *NamespacedPodApplyConfiguration) *ClusterNetworkPolicyEgressPeerApplyConfiguration { + b.Pods = value + return b +} + +// WithNodes sets the Nodes field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Nodes field is set to the value of the last call. +func (b *ClusterNetworkPolicyEgressPeerApplyConfiguration) WithNodes(value *v1.LabelSelectorApplyConfiguration) *ClusterNetworkPolicyEgressPeerApplyConfiguration { + b.Nodes = value + return b +} + +// WithNetworks adds the given value to the Networks field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Networks field. +func (b *ClusterNetworkPolicyEgressPeerApplyConfiguration) WithNetworks(values ...apisv1alpha2.CIDR) *ClusterNetworkPolicyEgressPeerApplyConfiguration { + for i := range values { + b.Networks = append(b.Networks, values[i]) + } + return b +} + +// WithDomainNames adds the given value to the DomainNames field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the DomainNames field. 
+func (b *ClusterNetworkPolicyEgressPeerApplyConfiguration) WithDomainNames(values ...apisv1alpha2.DomainName) *ClusterNetworkPolicyEgressPeerApplyConfiguration { + for i := range values { + b.DomainNames = append(b.DomainNames, values[i]) + } + return b +} diff --git a/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyegressrule.go b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyegressrule.go new file mode 100644 index 00000000..520a3516 --- /dev/null +++ b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyegressrule.go 
@@ -0,0 +1,87 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + apisv1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2" +) + +// ClusterNetworkPolicyEgressRuleApplyConfiguration represents a declarative configuration of the ClusterNetworkPolicyEgressRule type for use +// with apply. +type ClusterNetworkPolicyEgressRuleApplyConfiguration struct { + Name *string `json:"name,omitempty"` + Action *apisv1alpha2.ClusterNetworkPolicyRuleAction `json:"action,omitempty"` + To []ClusterNetworkPolicyEgressPeerApplyConfiguration `json:"to,omitempty"` + Ports *[]ClusterNetworkPolicyPortApplyConfiguration `json:"ports,omitempty"` +} + +// ClusterNetworkPolicyEgressRuleApplyConfiguration constructs a declarative configuration of the ClusterNetworkPolicyEgressRule type for use with +// apply. +func ClusterNetworkPolicyEgressRule() *ClusterNetworkPolicyEgressRuleApplyConfiguration { + return &ClusterNetworkPolicyEgressRuleApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. 
+func (b *ClusterNetworkPolicyEgressRuleApplyConfiguration) WithName(value string) *ClusterNetworkPolicyEgressRuleApplyConfiguration { + b.Name = &value + return b +} + +// WithAction sets the Action field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Action field is set to the value of the last call. +func (b *ClusterNetworkPolicyEgressRuleApplyConfiguration) WithAction(value apisv1alpha2.ClusterNetworkPolicyRuleAction) *ClusterNetworkPolicyEgressRuleApplyConfiguration { + b.Action = &value + return b +} + +// WithTo adds the given value to the To field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the To field. +func (b *ClusterNetworkPolicyEgressRuleApplyConfiguration) WithTo(values ...*ClusterNetworkPolicyEgressPeerApplyConfiguration) *ClusterNetworkPolicyEgressRuleApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithTo") + } + b.To = append(b.To, *values[i]) + } + return b +} + +func (b *ClusterNetworkPolicyEgressRuleApplyConfiguration) ensureClusterNetworkPolicyPortApplyConfigurationExists() { + if b.Ports == nil { + b.Ports = &[]ClusterNetworkPolicyPortApplyConfiguration{} + } +} + +// WithPorts adds the given value to the Ports field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Ports field. 
+func (b *ClusterNetworkPolicyEgressRuleApplyConfiguration) WithPorts(values ...*ClusterNetworkPolicyPortApplyConfiguration) *ClusterNetworkPolicyEgressRuleApplyConfiguration { + b.ensureClusterNetworkPolicyPortApplyConfigurationExists() + for i := range values { + if values[i] == nil { + panic("nil value passed to WithPorts") + } + *b.Ports = append(*b.Ports, *values[i]) + } + return b +} diff --git a/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyingresspeer.go b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyingresspeer.go new file mode 100644 index 00000000..ba8594ac --- /dev/null +++ b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyingresspeer.go 
@@ -0,0 +1,52 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + v1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// ClusterNetworkPolicyIngressPeerApplyConfiguration represents a declarative configuration of the ClusterNetworkPolicyIngressPeer type for use +// with apply. +type ClusterNetworkPolicyIngressPeerApplyConfiguration struct { + Namespaces *v1.LabelSelectorApplyConfiguration `json:"namespaces,omitempty"` + Pods *NamespacedPodApplyConfiguration `json:"pods,omitempty"` +} + +// ClusterNetworkPolicyIngressPeerApplyConfiguration constructs a declarative configuration of the ClusterNetworkPolicyIngressPeer type for use with +// apply. +func ClusterNetworkPolicyIngressPeer() *ClusterNetworkPolicyIngressPeerApplyConfiguration { + return &ClusterNetworkPolicyIngressPeerApplyConfiguration{} +} + +// WithNamespaces sets the Namespaces field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespaces field is set to the value of the last call. 
+func (b *ClusterNetworkPolicyIngressPeerApplyConfiguration) WithNamespaces(value *v1.LabelSelectorApplyConfiguration) *ClusterNetworkPolicyIngressPeerApplyConfiguration { + b.Namespaces = value + return b +} + +// WithPods sets the Pods field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Pods field is set to the value of the last call. +func (b *ClusterNetworkPolicyIngressPeerApplyConfiguration) WithPods(value *NamespacedPodApplyConfiguration) *ClusterNetworkPolicyIngressPeerApplyConfiguration { + b.Pods = value + return b +} diff --git a/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyingressrule.go b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyingressrule.go new file mode 100644 index 00000000..b1885ab4 --- /dev/null +++ b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyingressrule.go 
@@ -0,0 +1,87 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + apisv1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2" +) + +// ClusterNetworkPolicyIngressRuleApplyConfiguration represents a declarative configuration of the ClusterNetworkPolicyIngressRule type for use +// with apply. +type ClusterNetworkPolicyIngressRuleApplyConfiguration struct { + Name *string `json:"name,omitempty"` + Action *apisv1alpha2.ClusterNetworkPolicyRuleAction `json:"action,omitempty"` + From []ClusterNetworkPolicyIngressPeerApplyConfiguration `json:"from,omitempty"` + Ports *[]ClusterNetworkPolicyPortApplyConfiguration `json:"ports,omitempty"` +} + +// ClusterNetworkPolicyIngressRuleApplyConfiguration constructs a declarative configuration of the ClusterNetworkPolicyIngressRule type for use with +// apply. +func ClusterNetworkPolicyIngressRule() *ClusterNetworkPolicyIngressRuleApplyConfiguration { + return &ClusterNetworkPolicyIngressRuleApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. 
+func (b *ClusterNetworkPolicyIngressRuleApplyConfiguration) WithName(value string) *ClusterNetworkPolicyIngressRuleApplyConfiguration { + b.Name = &value + return b +} + +// WithAction sets the Action field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Action field is set to the value of the last call. +func (b *ClusterNetworkPolicyIngressRuleApplyConfiguration) WithAction(value apisv1alpha2.ClusterNetworkPolicyRuleAction) *ClusterNetworkPolicyIngressRuleApplyConfiguration { + b.Action = &value + return b +} + +// WithFrom adds the given value to the From field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the From field. +func (b *ClusterNetworkPolicyIngressRuleApplyConfiguration) WithFrom(values ...*ClusterNetworkPolicyIngressPeerApplyConfiguration) *ClusterNetworkPolicyIngressRuleApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithFrom") + } + b.From = append(b.From, *values[i]) + } + return b +} + +func (b *ClusterNetworkPolicyIngressRuleApplyConfiguration) ensureClusterNetworkPolicyPortApplyConfigurationExists() { + if b.Ports == nil { + b.Ports = &[]ClusterNetworkPolicyPortApplyConfiguration{} + } +} + +// WithPorts adds the given value to the Ports field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Ports field. 
+func (b *ClusterNetworkPolicyIngressRuleApplyConfiguration) WithPorts(values ...*ClusterNetworkPolicyPortApplyConfiguration) *ClusterNetworkPolicyIngressRuleApplyConfiguration { + b.ensureClusterNetworkPolicyPortApplyConfigurationExists() + for i := range values { + if values[i] == nil { + panic("nil value passed to WithPorts") + } + *b.Ports = append(*b.Ports, *values[i]) + } + return b +} diff --git a/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyport.go b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyport.go new file mode 100644 index 00000000..d0831978 --- /dev/null +++ b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyport.go 
@@ -0,0 +1,57 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +// ClusterNetworkPolicyPortApplyConfiguration represents a declarative configuration of the ClusterNetworkPolicyPort type for use +// with apply. +type ClusterNetworkPolicyPortApplyConfiguration struct { + PortNumber *PortApplyConfiguration `json:"portNumber,omitempty"` + PortRange *PortRangeApplyConfiguration `json:"portRange,omitempty"` + NamedPort *string `json:"namedPort,omitempty"` +} + +// ClusterNetworkPolicyPortApplyConfiguration constructs a declarative configuration of the ClusterNetworkPolicyPort type for use with +// apply. +func ClusterNetworkPolicyPort() *ClusterNetworkPolicyPortApplyConfiguration { + return &ClusterNetworkPolicyPortApplyConfiguration{} +} + +// WithPortNumber sets the PortNumber field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PortNumber field is set to the value of the last call. 
+func (b *ClusterNetworkPolicyPortApplyConfiguration) WithPortNumber(value *PortApplyConfiguration) *ClusterNetworkPolicyPortApplyConfiguration { + b.PortNumber = value + return b +} + +// WithPortRange sets the PortRange field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PortRange field is set to the value of the last call. +func (b *ClusterNetworkPolicyPortApplyConfiguration) WithPortRange(value *PortRangeApplyConfiguration) *ClusterNetworkPolicyPortApplyConfiguration { + b.PortRange = value + return b +} + +// WithNamedPort sets the NamedPort field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the NamedPort field is set to the value of the last call. +func (b *ClusterNetworkPolicyPortApplyConfiguration) WithNamedPort(value string) *ClusterNetworkPolicyPortApplyConfiguration { + b.NamedPort = &value + return b +} diff --git a/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyspec.go b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyspec.go new file mode 100644 index 00000000..f340a1df --- /dev/null +++ b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicyspec.go 
@@ -0,0 +1,89 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + apisv1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2" +) + +// ClusterNetworkPolicySpecApplyConfiguration represents a declarative configuration of the ClusterNetworkPolicySpec type for use +// with apply. +type ClusterNetworkPolicySpecApplyConfiguration struct { + Tier *apisv1alpha2.Tier `json:"tier,omitempty"` + Priority *int32 `json:"priority,omitempty"` + Subject *ClusterNetworkPolicySubjectApplyConfiguration `json:"subject,omitempty"` + Ingress []ClusterNetworkPolicyIngressRuleApplyConfiguration `json:"ingress,omitempty"` + Egress []ClusterNetworkPolicyEgressRuleApplyConfiguration `json:"egress,omitempty"` +} + +// ClusterNetworkPolicySpecApplyConfiguration constructs a declarative configuration of the ClusterNetworkPolicySpec type for use with +// apply. +func ClusterNetworkPolicySpec() *ClusterNetworkPolicySpecApplyConfiguration { + return &ClusterNetworkPolicySpecApplyConfiguration{} +} + +// WithTier sets the Tier field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Tier field is set to the value of the last call. 
+func (b *ClusterNetworkPolicySpecApplyConfiguration) WithTier(value apisv1alpha2.Tier) *ClusterNetworkPolicySpecApplyConfiguration { + b.Tier = &value + return b +} + +// WithPriority sets the Priority field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Priority field is set to the value of the last call. +func (b *ClusterNetworkPolicySpecApplyConfiguration) WithPriority(value int32) *ClusterNetworkPolicySpecApplyConfiguration { + b.Priority = &value + return b +} + +// WithSubject sets the Subject field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Subject field is set to the value of the last call. +func (b *ClusterNetworkPolicySpecApplyConfiguration) WithSubject(value *ClusterNetworkPolicySubjectApplyConfiguration) *ClusterNetworkPolicySpecApplyConfiguration { + b.Subject = value + return b +} + +// WithIngress adds the given value to the Ingress field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Ingress field. +func (b *ClusterNetworkPolicySpecApplyConfiguration) WithIngress(values ...*ClusterNetworkPolicyIngressRuleApplyConfiguration) *ClusterNetworkPolicySpecApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithIngress") + } + b.Ingress = append(b.Ingress, *values[i]) + } + return b +} + +// WithEgress adds the given value to the Egress field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. 
+// If called multiple times, values provided by each call will be appended to the Egress field. +func (b *ClusterNetworkPolicySpecApplyConfiguration) WithEgress(values ...*ClusterNetworkPolicyEgressRuleApplyConfiguration) *ClusterNetworkPolicySpecApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithEgress") + } + b.Egress = append(b.Egress, *values[i]) + } + return b +} diff --git a/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicystatus.go b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicystatus.go new file mode 100644 index 00000000..c6b8878a --- /dev/null +++ b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicystatus.go 
@@ -0,0 +1,48 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + v1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// ClusterNetworkPolicyStatusApplyConfiguration represents a declarative configuration of the ClusterNetworkPolicyStatus type for use +// with apply. +type ClusterNetworkPolicyStatusApplyConfiguration struct { + Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"` +} + +// ClusterNetworkPolicyStatusApplyConfiguration constructs a declarative configuration of the ClusterNetworkPolicyStatus type for use with +// apply. +func ClusterNetworkPolicyStatus() *ClusterNetworkPolicyStatusApplyConfiguration { + return &ClusterNetworkPolicyStatusApplyConfiguration{} +} + +// WithConditions adds the given value to the Conditions field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Conditions field. +func (b *ClusterNetworkPolicyStatusApplyConfiguration) WithConditions(values ...*v1.ConditionApplyConfiguration) *ClusterNetworkPolicyStatusApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithConditions") + } + b.Conditions = append(b.Conditions, *values[i]) + } + return b +} 
diff --git a/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicysubject.go b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicysubject.go new file mode 100644 index 00000000..d715f86c --- /dev/null +++ b/pkg/client/applyconfiguration/apis/v1alpha2/clusternetworkpolicysubject.go 
@@ -0,0 +1,52 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + v1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// ClusterNetworkPolicySubjectApplyConfiguration represents a declarative configuration of the ClusterNetworkPolicySubject type for use +// with apply. +type ClusterNetworkPolicySubjectApplyConfiguration struct { + Namespaces *v1.LabelSelectorApplyConfiguration `json:"namespaces,omitempty"` + Pods *NamespacedPodApplyConfiguration `json:"pods,omitempty"` +} + +// ClusterNetworkPolicySubjectApplyConfiguration constructs a declarative configuration of the ClusterNetworkPolicySubject type for use with +// apply. +func ClusterNetworkPolicySubject() *ClusterNetworkPolicySubjectApplyConfiguration { + return &ClusterNetworkPolicySubjectApplyConfiguration{} +} + +// WithNamespaces sets the Namespaces field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespaces field is set to the value of the last call. 
+func (b *ClusterNetworkPolicySubjectApplyConfiguration) WithNamespaces(value *v1.LabelSelectorApplyConfiguration) *ClusterNetworkPolicySubjectApplyConfiguration { + b.Namespaces = value + return b +} + +// WithPods sets the Pods field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Pods field is set to the value of the last call. +func (b *ClusterNetworkPolicySubjectApplyConfiguration) WithPods(value *NamespacedPodApplyConfiguration) *ClusterNetworkPolicySubjectApplyConfiguration { + b.Pods = value + return b +} diff --git a/pkg/client/applyconfiguration/apis/v1alpha2/namespacedpod.go b/pkg/client/applyconfiguration/apis/v1alpha2/namespacedpod.go new file mode 100644 index 00000000..3ad9ef3b --- /dev/null +++ b/pkg/client/applyconfiguration/apis/v1alpha2/namespacedpod.go 
@@ -0,0 +1,52 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + v1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// NamespacedPodApplyConfiguration represents a declarative configuration of the NamespacedPod type for use +// with apply. +type NamespacedPodApplyConfiguration struct { + NamespaceSelector *v1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"` + PodSelector *v1.LabelSelectorApplyConfiguration `json:"podSelector,omitempty"` +} + +// NamespacedPodApplyConfiguration constructs a declarative configuration of the NamespacedPod type for use with +// apply. +func NamespacedPod() *NamespacedPodApplyConfiguration { + return &NamespacedPodApplyConfiguration{} +} + +// WithNamespaceSelector sets the NamespaceSelector field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the NamespaceSelector field is set to the value of the last call. 
+func (b *NamespacedPodApplyConfiguration) WithNamespaceSelector(value *v1.LabelSelectorApplyConfiguration) *NamespacedPodApplyConfiguration { + b.NamespaceSelector = value + return b +} + +// WithPodSelector sets the PodSelector field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PodSelector field is set to the value of the last call. +func (b *NamespacedPodApplyConfiguration) WithPodSelector(value *v1.LabelSelectorApplyConfiguration) *NamespacedPodApplyConfiguration { + b.PodSelector = value + return b +} diff --git a/pkg/client/applyconfiguration/apis/v1alpha2/port.go b/pkg/client/applyconfiguration/apis/v1alpha2/port.go new file mode 100644 index 00000000..b01dd565 --- /dev/null +++ b/pkg/client/applyconfiguration/apis/v1alpha2/port.go 
@@ -0,0 +1,52 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + v1 "k8s.io/api/core/v1" +) + +// PortApplyConfiguration represents a declarative configuration of the Port type for use +// with apply. +type PortApplyConfiguration struct { + Protocol *v1.Protocol `json:"protocol,omitempty"` + Port *int32 `json:"port,omitempty"` +} + +// PortApplyConfiguration constructs a declarative configuration of the Port type for use with +// apply. +func Port() *PortApplyConfiguration { + return &PortApplyConfiguration{} +} + +// WithProtocol sets the Protocol field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Protocol field is set to the value of the last call. +func (b *PortApplyConfiguration) WithProtocol(value v1.Protocol) *PortApplyConfiguration { + b.Protocol = &value + return b +} + +// WithPort sets the Port field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Port field is set to the value of the last call. +func (b *PortApplyConfiguration) WithPort(value int32) *PortApplyConfiguration { + b.Port = &value + return b +} 
diff --git a/pkg/client/applyconfiguration/apis/v1alpha2/portrange.go b/pkg/client/applyconfiguration/apis/v1alpha2/portrange.go new file mode 100644 index 00000000..1accaad9 --- /dev/null +++ b/pkg/client/applyconfiguration/apis/v1alpha2/portrange.go 
@@ -0,0 +1,61 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + v1 "k8s.io/api/core/v1" +) + +// PortRangeApplyConfiguration represents a declarative configuration of the PortRange type for use +// with apply. +type PortRangeApplyConfiguration struct { + Protocol *v1.Protocol `json:"protocol,omitempty"` + Start *int32 `json:"start,omitempty"` + End *int32 `json:"end,omitempty"` +} + +// PortRangeApplyConfiguration constructs a declarative configuration of the PortRange type for use with +// apply. +func PortRange() *PortRangeApplyConfiguration { + return &PortRangeApplyConfiguration{} +} + +// WithProtocol sets the Protocol field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Protocol field is set to the value of the last call. +func (b *PortRangeApplyConfiguration) WithProtocol(value v1.Protocol) *PortRangeApplyConfiguration { + b.Protocol = &value + return b +} + +// WithStart sets the Start field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Start field is set to the value of the last call. 
+func (b *PortRangeApplyConfiguration) WithStart(value int32) *PortRangeApplyConfiguration { + b.Start = &value + return b +} + +// WithEnd sets the End field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the End field is set to the value of the last call. +func (b *PortRangeApplyConfiguration) WithEnd(value int32) *PortRangeApplyConfiguration { + b.End = &value + return b +} diff --git a/pkg/client/applyconfiguration/utils.go b/pkg/client/applyconfiguration/utils.go index 0152fb2f..79d875bf 100644 --- a/pkg/client/applyconfiguration/utils.go +++ b/pkg/client/applyconfiguration/utils.go @@ -23,7 +23,9 @@ import ( schema "k8s.io/apimachinery/pkg/runtime/schema" testing "k8s.io/client-go/testing" v1alpha1 "sigs.k8s.io/network-policy-api/apis/v1alpha1" + v1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2" apisv1alpha1 "sigs.k8s.io/network-policy-api/pkg/client/applyconfiguration/apis/v1alpha1" + apisv1alpha2 "sigs.k8s.io/network-policy-api/pkg/client/applyconfiguration/apis/v1alpha2" internal "sigs.k8s.io/network-policy-api/pkg/client/applyconfiguration/internal" ) 
@@ -69,6 +71,32 @@ func ForKind(kind schema.GroupVersionKind) interface{} { case v1alpha1.SchemeGroupVersion.WithKind("PortRange"): return &apisv1alpha1.PortRangeApplyConfiguration{} + // Group=policy.networking.k8s.io, Version=v1alpha2 + case v1alpha2.SchemeGroupVersion.WithKind("ClusterNetworkPolicy"): + return &apisv1alpha2.ClusterNetworkPolicyApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("ClusterNetworkPolicyEgressPeer"): + return &apisv1alpha2.ClusterNetworkPolicyEgressPeerApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("ClusterNetworkPolicyEgressRule"): + return &apisv1alpha2.ClusterNetworkPolicyEgressRuleApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("ClusterNetworkPolicyIngressPeer"): + return &apisv1alpha2.ClusterNetworkPolicyIngressPeerApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("ClusterNetworkPolicyIngressRule"): + return &apisv1alpha2.ClusterNetworkPolicyIngressRuleApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("ClusterNetworkPolicyPort"): + return &apisv1alpha2.ClusterNetworkPolicyPortApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("ClusterNetworkPolicySpec"): + return &apisv1alpha2.ClusterNetworkPolicySpecApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("ClusterNetworkPolicyStatus"): + return &apisv1alpha2.ClusterNetworkPolicyStatusApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("ClusterNetworkPolicySubject"): + return &apisv1alpha2.ClusterNetworkPolicySubjectApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("NamespacedPod"): + return &apisv1alpha2.NamespacedPodApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("Port"): + return &apisv1alpha2.PortApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("PortRange"): + return &apisv1alpha2.PortRangeApplyConfiguration{} + } return nil } 
diff --git a/pkg/client/clientset/versioned/clientset.go b/pkg/client/clientset/versioned/clientset.go index ce0965c7..6f8e7969 100644 --- a/pkg/client/clientset/versioned/clientset.go +++ b/pkg/client/clientset/versioned/clientset.go @@ -26,17 +26,20 @@ import ( rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" policyv1alpha1 "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned/typed/apis/v1alpha1" + policyv1alpha2 "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned/typed/apis/v1alpha2" ) type Interface interface { Discovery() discovery.DiscoveryInterface PolicyV1alpha1() policyv1alpha1.PolicyV1alpha1Interface + PolicyV1alpha2() policyv1alpha2.PolicyV1alpha2Interface } // Clientset contains the clients for groups. type Clientset struct { *discovery.DiscoveryClient policyV1alpha1 *policyv1alpha1.PolicyV1alpha1Client + policyV1alpha2 *policyv1alpha2.PolicyV1alpha2Client } // PolicyV1alpha1 retrieves the PolicyV1alpha1Client @@ -44,6 +47,11 @@ func (c *Clientset) PolicyV1alpha1() policyv1alpha1.PolicyV1alpha1Interface { return c.policyV1alpha1 } +// PolicyV1alpha2 retrieves the PolicyV1alpha2Client +func (c *Clientset) PolicyV1alpha2() policyv1alpha2.PolicyV1alpha2Interface { + return c.policyV1alpha2 +} + // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -92,6 +100,10 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, if err != nil { return nil, err } + cs.policyV1alpha2, err = policyv1alpha2.NewForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) if err != nil { 
@@ -114,6 +126,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { func New(c rest.Interface) *Clientset { var cs Clientset cs.policyV1alpha1 = policyv1alpha1.New(c) + cs.policyV1alpha2 = policyv1alpha2.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/pkg/client/clientset/versioned/fake/clientset_generated.go b/pkg/client/clientset/versioned/fake/clientset_generated.go index a5dda5e3..3991e887 100644 --- a/pkg/client/clientset/versioned/fake/clientset_generated.go +++ b/pkg/client/clientset/versioned/fake/clientset_generated.go @@ -29,6 +29,8 @@ import ( clientset "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned" policyv1alpha1 "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned/typed/apis/v1alpha1" fakepolicyv1alpha1 "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned/typed/apis/v1alpha1/fake" + policyv1alpha2 "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned/typed/apis/v1alpha2" + fakepolicyv1alpha2 "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake" ) // NewSimpleClientset returns a clientset that will respond with the provided objects. @@ -129,3 +131,8 @@ var ( func (c *Clientset) PolicyV1alpha1() policyv1alpha1.PolicyV1alpha1Interface { return &fakepolicyv1alpha1.FakePolicyV1alpha1{Fake: &c.Fake} } + +// PolicyV1alpha2 retrieves the PolicyV1alpha2Client +func (c *Clientset) PolicyV1alpha2() policyv1alpha2.PolicyV1alpha2Interface { + return &fakepolicyv1alpha2.FakePolicyV1alpha2{Fake: &c.Fake} +} diff --git a/pkg/client/clientset/versioned/fake/register.go b/pkg/client/clientset/versioned/fake/register.go index 8e146459..b0717455 100644 --- a/pkg/client/clientset/versioned/fake/register.go +++ b/pkg/client/clientset/versioned/fake/register.go 
@@ -25,6 +25,7 @@ import ( serializer "k8s.io/apimachinery/pkg/runtime/serializer" utilruntime "k8s.io/apimachinery/pkg/util/runtime" policyv1alpha1 "sigs.k8s.io/network-policy-api/apis/v1alpha1" + policyv1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2" ) var scheme = runtime.NewScheme() @@ -32,6 +33,7 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ policyv1alpha1.AddToScheme, + policyv1alpha2.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/pkg/client/clientset/versioned/scheme/register.go b/pkg/client/clientset/versioned/scheme/register.go index 9918e22c..b22beeef 100644 --- a/pkg/client/clientset/versioned/scheme/register.go +++ b/pkg/client/clientset/versioned/scheme/register.go @@ -25,6 +25,7 @@ import ( serializer "k8s.io/apimachinery/pkg/runtime/serializer" utilruntime "k8s.io/apimachinery/pkg/util/runtime" policyv1alpha1 "sigs.k8s.io/network-policy-api/apis/v1alpha1" + policyv1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2" ) var Scheme = runtime.NewScheme() @@ -32,6 +33,7 @@ var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ policyv1alpha1.AddToScheme, + policyv1alpha2.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/apis_client.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/apis_client.go new file mode 100644 index 00000000..edc341fd --- /dev/null +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha2/apis_client.go 
@@ -0,0 +1,101 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + http "net/http" + + rest "k8s.io/client-go/rest" + apisv1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2" + scheme "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned/scheme" +) + +type PolicyV1alpha2Interface interface { + RESTClient() rest.Interface + ClusterNetworkPoliciesGetter +} + +// PolicyV1alpha2Client is used to interact with features provided by the policy.networking.k8s.io group. +type PolicyV1alpha2Client struct { + restClient rest.Interface +} + +func (c *PolicyV1alpha2Client) ClusterNetworkPolicies() ClusterNetworkPolicyInterface { + return newClusterNetworkPolicies(c) +} + +// NewForConfig creates a new PolicyV1alpha2Client for the given config. +// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), +// where httpClient was generated with rest.HTTPClientFor(c). +func NewForConfig(c *rest.Config) (*PolicyV1alpha2Client, error) { + config := *c + setConfigDefaults(&config) + httpClient, err := rest.HTTPClientFor(&config) + if err != nil { + return nil, err + } + return NewForConfigAndClient(&config, httpClient) +} + +// NewForConfigAndClient creates a new PolicyV1alpha2Client for the given config and http client. +// Note the http client provided takes precedence over the configured transport values. 
+func NewForConfigAndClient(c *rest.Config, h *http.Client) (*PolicyV1alpha2Client, error) { + config := *c + setConfigDefaults(&config) + client, err := rest.RESTClientForConfigAndClient(&config, h) + if err != nil { + return nil, err + } + return &PolicyV1alpha2Client{client}, nil +} + +// NewForConfigOrDie creates a new PolicyV1alpha2Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *PolicyV1alpha2Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new PolicyV1alpha2Client for the given RESTClient. +func New(c rest.Interface) *PolicyV1alpha2Client { + return &PolicyV1alpha2Client{c} +} + +func setConfigDefaults(config *rest.Config) { + gv := apisv1alpha2.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = rest.CodecFactoryForGeneratedClient(scheme.Scheme, scheme.Codecs).WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *PolicyV1alpha2Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/clusternetworkpolicy.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/clusternetworkpolicy.go new file mode 100644 index 00000000..5def75a1 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha2/clusternetworkpolicy.go 
@@ -0,0 +1,74 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + context "context" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + gentype "k8s.io/client-go/gentype" + apisv1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2" + applyconfigurationapisv1alpha2 "sigs.k8s.io/network-policy-api/pkg/client/applyconfiguration/apis/v1alpha2" + scheme "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned/scheme" +) + +// ClusterNetworkPoliciesGetter has a method to return a ClusterNetworkPolicyInterface. +// A group's client should implement this interface. +type ClusterNetworkPoliciesGetter interface { + ClusterNetworkPolicies() ClusterNetworkPolicyInterface +} + +// ClusterNetworkPolicyInterface has methods to work with ClusterNetworkPolicy resources. +type ClusterNetworkPolicyInterface interface { + Create(ctx context.Context, clusterNetworkPolicy *apisv1alpha2.ClusterNetworkPolicy, opts v1.CreateOptions) (*apisv1alpha2.ClusterNetworkPolicy, error) + Update(ctx context.Context, clusterNetworkPolicy *apisv1alpha2.ClusterNetworkPolicy, opts v1.UpdateOptions) (*apisv1alpha2.ClusterNetworkPolicy, error) + // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+ UpdateStatus(ctx context.Context, clusterNetworkPolicy *apisv1alpha2.ClusterNetworkPolicy, opts v1.UpdateOptions) (*apisv1alpha2.ClusterNetworkPolicy, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*apisv1alpha2.ClusterNetworkPolicy, error) + List(ctx context.Context, opts v1.ListOptions) (*apisv1alpha2.ClusterNetworkPolicyList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *apisv1alpha2.ClusterNetworkPolicy, err error) + Apply(ctx context.Context, clusterNetworkPolicy *applyconfigurationapisv1alpha2.ClusterNetworkPolicyApplyConfiguration, opts v1.ApplyOptions) (result *apisv1alpha2.ClusterNetworkPolicy, err error) + // Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus(). 
+ ApplyStatus(ctx context.Context, clusterNetworkPolicy *applyconfigurationapisv1alpha2.ClusterNetworkPolicyApplyConfiguration, opts v1.ApplyOptions) (result *apisv1alpha2.ClusterNetworkPolicy, err error) + ClusterNetworkPolicyExpansion +} + +// clusterNetworkPolicies implements ClusterNetworkPolicyInterface +type clusterNetworkPolicies struct { + *gentype.ClientWithListAndApply[*apisv1alpha2.ClusterNetworkPolicy, *apisv1alpha2.ClusterNetworkPolicyList, *applyconfigurationapisv1alpha2.ClusterNetworkPolicyApplyConfiguration] +} + +// newClusterNetworkPolicies returns a ClusterNetworkPolicies +func newClusterNetworkPolicies(c *PolicyV1alpha2Client) *clusterNetworkPolicies { + return &clusterNetworkPolicies{ + gentype.NewClientWithListAndApply[*apisv1alpha2.ClusterNetworkPolicy, *apisv1alpha2.ClusterNetworkPolicyList, *applyconfigurationapisv1alpha2.ClusterNetworkPolicyApplyConfiguration]( + "clusternetworkpolicies", + c.RESTClient(), + scheme.ParameterCodec, + "", + func() *apisv1alpha2.ClusterNetworkPolicy { return &apisv1alpha2.ClusterNetworkPolicy{} }, + func() *apisv1alpha2.ClusterNetworkPolicyList { return &apisv1alpha2.ClusterNetworkPolicyList{} }, + ), + } +} diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/doc.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/doc.go new file mode 100644 index 00000000..baaf2d98 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha2/doc.go 
@@ -0,0 +1,20 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha2 diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/doc.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/doc.go new file mode 100644 index 00000000..16f44399 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/doc.go @@ -0,0 +1,20 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_apis_client.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_apis_client.go new file mode 100644 index 00000000..8cbece84 --- /dev/null 
+++ b/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_apis_client.go @@ -0,0 +1,40 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" + v1alpha2 "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned/typed/apis/v1alpha2" +) + +type FakePolicyV1alpha2 struct { + *testing.Fake +} + +func (c *FakePolicyV1alpha2) ClusterNetworkPolicies() v1alpha2.ClusterNetworkPolicyInterface { + return newFakeClusterNetworkPolicies(c) +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakePolicyV1alpha2) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_clusternetworkpolicy.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_clusternetworkpolicy.go new file mode 100644 index 00000000..32b12a5f --- /dev/null +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_clusternetworkpolicy.go 
@@ -0,0 +1,53 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + gentype "k8s.io/client-go/gentype" + v1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2" + apisv1alpha2 "sigs.k8s.io/network-policy-api/pkg/client/applyconfiguration/apis/v1alpha2" + typedapisv1alpha2 "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned/typed/apis/v1alpha2" +) + +// fakeClusterNetworkPolicies implements ClusterNetworkPolicyInterface +type fakeClusterNetworkPolicies struct { + *gentype.FakeClientWithListAndApply[*v1alpha2.ClusterNetworkPolicy, *v1alpha2.ClusterNetworkPolicyList, *apisv1alpha2.ClusterNetworkPolicyApplyConfiguration] + Fake *FakePolicyV1alpha2 +} + +func newFakeClusterNetworkPolicies(fake *FakePolicyV1alpha2) typedapisv1alpha2.ClusterNetworkPolicyInterface { + return &fakeClusterNetworkPolicies{ + gentype.NewFakeClientWithListAndApply[*v1alpha2.ClusterNetworkPolicy, *v1alpha2.ClusterNetworkPolicyList, *apisv1alpha2.ClusterNetworkPolicyApplyConfiguration]( + fake.Fake, + "", + v1alpha2.SchemeGroupVersion.WithResource("clusternetworkpolicies"), + v1alpha2.SchemeGroupVersion.WithKind("ClusterNetworkPolicy"), + func() *v1alpha2.ClusterNetworkPolicy { return &v1alpha2.ClusterNetworkPolicy{} }, + func() *v1alpha2.ClusterNetworkPolicyList { return &v1alpha2.ClusterNetworkPolicyList{} }, + func(dst, src *v1alpha2.ClusterNetworkPolicyList) { dst.ListMeta = src.ListMeta 
}, + func(list *v1alpha2.ClusterNetworkPolicyList) []*v1alpha2.ClusterNetworkPolicy { + return gentype.ToPointerSlice(list.Items) + }, + func(list *v1alpha2.ClusterNetworkPolicyList, items []*v1alpha2.ClusterNetworkPolicy) { + list.Items = gentype.FromPointerSlice(items) + }, + ), + fake, + } +} diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/generated_expansion.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/generated_expansion.go new file mode 100644 index 00000000..06340651 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha2/generated_expansion.go @@ -0,0 +1,21 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha2 + +type ClusterNetworkPolicyExpansion interface{} diff --git a/pkg/client/informers/externalversions/apis/interface.go b/pkg/client/informers/externalversions/apis/interface.go index c5aafdc3..8862fb2a 100644 --- a/pkg/client/informers/externalversions/apis/interface.go +++ b/pkg/client/informers/externalversions/apis/interface.go @@ -20,6 +20,7 @@ package apis import ( v1alpha1 "sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions/apis/v1alpha1" + v1alpha2 "sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions/apis/v1alpha2" internalinterfaces "sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions/internalinterfaces" ) 
@@ -27,6 +28,8 @@ import ( type Interface interface { // V1alpha1 provides access to shared informers for resources in V1alpha1. V1alpha1() v1alpha1.Interface + // V1alpha2 provides access to shared informers for resources in V1alpha2. + V1alpha2() v1alpha2.Interface } type group struct { @@ -44,3 +47,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (g *group) V1alpha1() v1alpha1.Interface { return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) } + +// V1alpha2 returns a new v1alpha2.Interface. +func (g *group) V1alpha2() v1alpha2.Interface { + return v1alpha2.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/pkg/client/informers/externalversions/apis/v1alpha1/adminnetworkpolicy.go b/pkg/client/informers/externalversions/apis/v1alpha1/adminnetworkpolicy.go index c696af36..fc046eca 100644 --- a/pkg/client/informers/externalversions/apis/v1alpha1/adminnetworkpolicy.go +++ b/pkg/client/informers/externalversions/apis/v1alpha1/adminnetworkpolicy.go 
@@ -19,24 +19,24 @@ limitations under the License. package v1alpha1 import ( - "context" + context "context" time "time" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" cache "k8s.io/client-go/tools/cache" - apisv1alpha1 "sigs.k8s.io/network-policy-api/apis/v1alpha1" + networkpolicyapiapisv1alpha1 "sigs.k8s.io/network-policy-api/apis/v1alpha1" versioned "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned" internalinterfaces "sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions/internalinterfaces" - v1alpha1 "sigs.k8s.io/network-policy-api/pkg/client/listers/apis/v1alpha1" + apisv1alpha1 "sigs.k8s.io/network-policy-api/pkg/client/listers/apis/v1alpha1" ) // AdminNetworkPolicyInformer provides access to a shared informer and lister for // AdminNetworkPolicies. type AdminNetworkPolicyInformer interface { Informer() cache.SharedIndexInformer - Lister() v1alpha1.AdminNetworkPolicyLister + Lister() apisv1alpha1.AdminNetworkPolicyLister } type adminNetworkPolicyInformer struct { 
@@ -61,16 +61,28 @@ func NewFilteredAdminNetworkPolicyInformer(client versioned.Interface, resyncPer if tweakListOptions != nil { tweakListOptions(&options) } - return client.PolicyV1alpha1().AdminNetworkPolicies().List(context.TODO(), options) + return client.PolicyV1alpha1().AdminNetworkPolicies().List(context.Background(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.PolicyV1alpha1().AdminNetworkPolicies().Watch(context.TODO(), options) + return client.PolicyV1alpha1().AdminNetworkPolicies().Watch(context.Background(), options) + }, + ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.PolicyV1alpha1().AdminNetworkPolicies().List(ctx, options) + }, + WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.PolicyV1alpha1().AdminNetworkPolicies().Watch(ctx, options) }, }, - &apisv1alpha1.AdminNetworkPolicy{}, + &networkpolicyapiapisv1alpha1.AdminNetworkPolicy{}, resyncPeriod, indexers, ) @@ -81,9 +93,9 @@ func (f *adminNetworkPolicyInformer) defaultInformer(client versioned.Interface, } func (f *adminNetworkPolicyInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&apisv1alpha1.AdminNetworkPolicy{}, f.defaultInformer) + return f.factory.InformerFor(&networkpolicyapiapisv1alpha1.AdminNetworkPolicy{}, f.defaultInformer) } -func (f *adminNetworkPolicyInformer) Lister() v1alpha1.AdminNetworkPolicyLister { - return v1alpha1.NewAdminNetworkPolicyLister(f.Informer().GetIndexer()) +func (f *adminNetworkPolicyInformer) Lister() apisv1alpha1.AdminNetworkPolicyLister { + return apisv1alpha1.NewAdminNetworkPolicyLister(f.Informer().GetIndexer()) } 
diff --git a/pkg/client/informers/externalversions/apis/v1alpha1/baselineadminnetworkpolicy.go b/pkg/client/informers/externalversions/apis/v1alpha1/baselineadminnetworkpolicy.go index f02c1ef4..3a30f904 100644 --- a/pkg/client/informers/externalversions/apis/v1alpha1/baselineadminnetworkpolicy.go +++ b/pkg/client/informers/externalversions/apis/v1alpha1/baselineadminnetworkpolicy.go @@ -19,24 +19,24 @@ limitations under the License. package v1alpha1 import ( - "context" + context "context" time "time" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" cache "k8s.io/client-go/tools/cache" - apisv1alpha1 "sigs.k8s.io/network-policy-api/apis/v1alpha1" + networkpolicyapiapisv1alpha1 "sigs.k8s.io/network-policy-api/apis/v1alpha1" versioned "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned" internalinterfaces "sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions/internalinterfaces" - v1alpha1 "sigs.k8s.io/network-policy-api/pkg/client/listers/apis/v1alpha1" + apisv1alpha1 "sigs.k8s.io/network-policy-api/pkg/client/listers/apis/v1alpha1" ) // BaselineAdminNetworkPolicyInformer provides access to a shared informer and lister for // BaselineAdminNetworkPolicies. type BaselineAdminNetworkPolicyInformer interface { Informer() cache.SharedIndexInformer - Lister() v1alpha1.BaselineAdminNetworkPolicyLister + Lister() apisv1alpha1.BaselineAdminNetworkPolicyLister } type baselineAdminNetworkPolicyInformer struct { 
@@ -61,16 +61,28 @@ func NewFilteredBaselineAdminNetworkPolicyInformer(client versioned.Interface, r if tweakListOptions != nil { tweakListOptions(&options) } - return client.PolicyV1alpha1().BaselineAdminNetworkPolicies().List(context.TODO(), options) + return client.PolicyV1alpha1().BaselineAdminNetworkPolicies().List(context.Background(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.PolicyV1alpha1().BaselineAdminNetworkPolicies().Watch(context.TODO(), options) + return client.PolicyV1alpha1().BaselineAdminNetworkPolicies().Watch(context.Background(), options) + }, + ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.PolicyV1alpha1().BaselineAdminNetworkPolicies().List(ctx, options) + }, + WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.PolicyV1alpha1().BaselineAdminNetworkPolicies().Watch(ctx, options) }, }, - &apisv1alpha1.BaselineAdminNetworkPolicy{}, + &networkpolicyapiapisv1alpha1.BaselineAdminNetworkPolicy{}, resyncPeriod, indexers, ) 
@@ -81,9 +93,9 @@ func (f *baselineAdminNetworkPolicyInformer) defaultInformer(client versioned.In } func (f *baselineAdminNetworkPolicyInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&apisv1alpha1.BaselineAdminNetworkPolicy{}, f.defaultInformer) + return f.factory.InformerFor(&networkpolicyapiapisv1alpha1.BaselineAdminNetworkPolicy{}, f.defaultInformer) } -func (f *baselineAdminNetworkPolicyInformer) Lister() v1alpha1.BaselineAdminNetworkPolicyLister { - return v1alpha1.NewBaselineAdminNetworkPolicyLister(f.Informer().GetIndexer()) +func (f *baselineAdminNetworkPolicyInformer) Lister() apisv1alpha1.BaselineAdminNetworkPolicyLister { + return apisv1alpha1.NewBaselineAdminNetworkPolicyLister(f.Informer().GetIndexer()) } diff --git a/pkg/client/informers/externalversions/apis/v1alpha2/clusternetworkpolicy.go b/pkg/client/informers/externalversions/apis/v1alpha2/clusternetworkpolicy.go new file mode 100644 index 00000000..8762fa48 --- /dev/null +++ b/pkg/client/informers/externalversions/apis/v1alpha2/clusternetworkpolicy.go 
@@ -0,0 +1,101 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + context "context" + time "time" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" + networkpolicyapiapisv1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2" + versioned "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned" + internalinterfaces "sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions/internalinterfaces" + apisv1alpha2 "sigs.k8s.io/network-policy-api/pkg/client/listers/apis/v1alpha2" +) + +// ClusterNetworkPolicyInformer provides access to a shared informer and lister for +// ClusterNetworkPolicies. +type ClusterNetworkPolicyInformer interface { + Informer() cache.SharedIndexInformer + Lister() apisv1alpha2.ClusterNetworkPolicyLister +} + +type clusterNetworkPolicyInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// NewClusterNetworkPolicyInformer constructs a new informer for ClusterNetworkPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewClusterNetworkPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredClusterNetworkPolicyInformer(client, resyncPeriod, indexers, nil) +} + +// NewFilteredClusterNetworkPolicyInformer constructs a new informer for ClusterNetworkPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredClusterNetworkPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.PolicyV1alpha2().ClusterNetworkPolicies().List(context.Background(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.PolicyV1alpha2().ClusterNetworkPolicies().Watch(context.Background(), options) + }, + ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.PolicyV1alpha2().ClusterNetworkPolicies().List(ctx, options) + }, + WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.PolicyV1alpha2().ClusterNetworkPolicies().Watch(ctx, options) + }, + }, + &networkpolicyapiapisv1alpha2.ClusterNetworkPolicy{}, + resyncPeriod, + indexers, + ) +} + +func (f *clusterNetworkPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return 
NewFilteredClusterNetworkPolicyInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *clusterNetworkPolicyInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&networkpolicyapiapisv1alpha2.ClusterNetworkPolicy{}, f.defaultInformer) +} + +func (f *clusterNetworkPolicyInformer) Lister() apisv1alpha2.ClusterNetworkPolicyLister { + return apisv1alpha2.NewClusterNetworkPolicyLister(f.Informer().GetIndexer()) +} diff --git a/pkg/client/informers/externalversions/apis/v1alpha2/interface.go b/pkg/client/informers/externalversions/apis/v1alpha2/interface.go new file mode 100644 index 00000000..0c2dce96 --- /dev/null +++ b/pkg/client/informers/externalversions/apis/v1alpha2/interface.go 
@@ -0,0 +1,45 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + internalinterfaces "sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // ClusterNetworkPolicies returns a ClusterNetworkPolicyInformer. + ClusterNetworkPolicies() ClusterNetworkPolicyInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// ClusterNetworkPolicies returns a ClusterNetworkPolicyInformer. +func (v *version) ClusterNetworkPolicies() ClusterNetworkPolicyInformer { + return &clusterNetworkPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} +} diff --git a/pkg/client/informers/externalversions/factory.go b/pkg/client/informers/externalversions/factory.go index 6d5d0289..1344bf3d 100644 --- a/pkg/client/informers/externalversions/factory.go +++ b/pkg/client/informers/externalversions/factory.go 
@@ -228,6 +228,7 @@ type SharedInformerFactory interface { // Start initializes all requested informers. They are handled in goroutines // which run until the stop channel gets closed. + // Warning: Start does not block. When run in a go-routine, it will race with a later WaitForCacheSync. Start(stopCh <-chan struct{}) // Shutdown marks a factory as shutting down. At that point no new diff --git a/pkg/client/informers/externalversions/generic.go b/pkg/client/informers/externalversions/generic.go index 62d56a70..02a7d7ff 100644 --- a/pkg/client/informers/externalversions/generic.go +++ b/pkg/client/informers/externalversions/generic.go @@ -19,11 +19,12 @@ limitations under the License. package externalversions import ( - "fmt" + fmt "fmt" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" v1alpha1 "sigs.k8s.io/network-policy-api/apis/v1alpha1" + v1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2" ) // GenericInformer is type of SharedIndexInformer which will locate and delegate to other @@ -58,6 +59,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case v1alpha1.SchemeGroupVersion.WithResource("baselineadminnetworkpolicies"): return &genericInformer{resource: resource.GroupResource(), informer: f.Policy().V1alpha1().BaselineAdminNetworkPolicies().Informer()}, nil + // Group=policy.networking.k8s.io, Version=v1alpha2 + case v1alpha2.SchemeGroupVersion.WithResource("clusternetworkpolicies"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Policy().V1alpha2().ClusterNetworkPolicies().Informer()}, nil + } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/pkg/client/listers/apis/v1alpha2/clusternetworkpolicy.go b/pkg/client/listers/apis/v1alpha2/clusternetworkpolicy.go new file mode 100644 index 00000000..7196d953 --- /dev/null +++ b/pkg/client/listers/apis/v1alpha2/clusternetworkpolicy.go 
@@ -0,0 +1,48 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha2
+
+import (
+ labels "k8s.io/apimachinery/pkg/labels"
+ listers "k8s.io/client-go/listers"
+ cache "k8s.io/client-go/tools/cache"
+ apisv1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2"
+)
+
+// ClusterNetworkPolicyLister helps list ClusterNetworkPolicies.
+// All objects returned here must be treated as read-only.
+type ClusterNetworkPolicyLister interface {
+ // List lists all ClusterNetworkPolicies in the indexer.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*apisv1alpha2.ClusterNetworkPolicy, err error)
+ // Get retrieves the ClusterNetworkPolicy from the index for a given name.
+ // Objects returned here must be treated as read-only.
+ Get(name string) (*apisv1alpha2.ClusterNetworkPolicy, error)
+ ClusterNetworkPolicyListerExpansion
+}
+
+// clusterNetworkPolicyLister implements the ClusterNetworkPolicyLister interface.
+type clusterNetworkPolicyLister struct {
+ listers.ResourceIndexer[*apisv1alpha2.ClusterNetworkPolicy]
+}
+
+// NewClusterNetworkPolicyLister returns a new ClusterNetworkPolicyLister.
+func NewClusterNetworkPolicyLister(indexer cache.Indexer) ClusterNetworkPolicyLister {
+ return &clusterNetworkPolicyLister{listers.New[*apisv1alpha2.ClusterNetworkPolicy](indexer, apisv1alpha2.Resource("clusternetworkpolicy"))}
+}
diff --git a/pkg/client/listers/apis/v1alpha2/expansion_generated.go b/pkg/client/listers/apis/v1alpha2/expansion_generated.go
new file mode 100644
index 00000000..de7b73f8
--- /dev/null
+++ b/pkg/client/listers/apis/v1alpha2/expansion_generated.go
@@ -0,0 +1,23 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha2
+
+// ClusterNetworkPolicyListerExpansion allows custom methods to be added to
+// ClusterNetworkPolicyLister.
+type ClusterNetworkPolicyListerExpansion interface{}
diff --git a/pkg/generator/main.go b/pkg/generator/main.go
index f592e1e0..12631409 100644
--- a/pkg/generator/main.go
+++ b/pkg/generator/main.go
@@ -39,6 +39,7 @@ const (
 var standardKinds = map[string]bool{
 "AdminNetworkPolicy": true,
 "BaselineAdminNetworkPolicy": true,
+ "ClusterNetworkPolicy": true,
 }
 // This generation code is largely copied from
@@ -47,6 +48,7 @@ func main() {
 roots, err := loader.LoadRoots(
 "k8s.io/apimachinery/pkg/runtime/schema", // Needed to parse generated register functions.
 "sigs.k8s.io/network-policy-api/apis/v1alpha1",
+ "sigs.k8s.io/network-policy-api/apis/v1alpha2",
 )
 if err != nil {
 log.Fatalf("failed to load package roots: %s", err)
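Review bot: `standardKinds` in pkg/generator/main.go is keyed by bare Kind name, and the second hunk in the same file now loads both the v1alpha1 and v1alpha2 roots, so a Kind that exists in more than one loaded version would be matched by a single entry with no way to gate it per version; ClusterNetworkPolicy appears only in v1alpha2 here, so this is not a defect today, but the assumption is no longer self-evident and deserves a comment on the map, e.g. `// standardKinds is keyed by Kind only; a Kind present in more than one loaded API version is treated the same in each.` How the map is consulted, and the rest of main, lie outside the hunks.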
