diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 86c04280..50e40780 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -76,10 +76,9 @@ jobs: - name: Install kube-network-policies run: | # install CRDs - /usr/local/bin/kubectl apply -f ./config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml - /usr/local/bin/kubectl apply -f ./config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml + /usr/local/bin/kubectl apply -f ./config/crd/experimental/policy.networking.k8s.io_clusternetworkpolicies.yaml # install kube-network-policies - /usr/local/bin/kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/kube-network-policies/v0.6.1/install-anp.yaml + /usr/local/bin/kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/kube-network-policies/e13ebef3765467da51d0a83435f804880f132a4e/install-cnp.yaml - name: Get Cluster status run: | @@ -93,7 +92,7 @@ jobs: - name: Run tests run: | go mod download - go test -v ./conformance -run TestConformanceProfiles -args --conformance-profiles=AdminNetworkPolicy,BaselineAdminNetworkPolicy --organization=kubernetes --project=kube-network-policies --url=https://github.com/kubernetes-sigs/kube-network-policies --version=0.6.1 --contact=antonio.ojea.garcia@gmail.com --additional-info=https://github.com/kubernetes-sigs/kube-network-policies + go test -v ./conformance -run TestConformanceProfiles -args --conformance-profiles=ClusterNetworkPolicy --organization=kubernetes --project=kube-network-policies --url=https://github.com/kubernetes-sigs/kube-network-policies --version=0.6.1 --contact=antonio.ojea.garcia@gmail.com --additional-info=https://github.com/kubernetes-sigs/kube-network-policies - name: Upload Junit Reports if: always() diff --git a/config/crd/experimental/kustomization.yaml b/config/crd/experimental/kustomization.yaml index c4a47a74..f4aa44ac 100644 
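Review bot: The `--version=0.6.1` argument kept in the second hunk no longer matches what the first hunk installs: the manifest URL moves from the v0.6.1 tag to commit e13ebef3765467da51d0a83435f804880f132a4e (install-cnp.yaml), so the generated conformance report would attribute ClusterNetworkPolicy results to the 0.6.1 release, which this workflow does not exercise. The version should identify the implementation actually under test until a tagged release carries CNP support, e.g. `--version=<commit-or-prerelease-under-test>` on the go test line, with `# TODO: pin back to a tagged kube-network-policies release once one ships install-cnp.yaml` next to the kubectl apply line so the temporary pin is not forgotten. Pinning the remotely fetched manifest to a full commit SHA rather than a mutable tag is the right property to keep when moving back to a release, since a tag can be re-pointed and a SHA cannot. The Get Cluster status and Upload Junit Reports steps continue outside the hunks.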
--- a/config/crd/experimental/kustomization.yaml +++ b/config/crd/experimental/kustomization.yaml @@ -2,8 +2,7 @@ # since it depends on service name and namespace that are out of this kustomize package. # It should be run by config/default resources: -- policy.networking.k8s.io_adminnetworkpolicies.yaml -- policy.networking.k8s.io_baselineadminnetworkpolicies.yaml +- policy.networking.k8s.io_clusternetworkpolicies.yaml #+kubebuilder:scaffold:crdkustomizeresource # the following config is for teaching kustomize how to do kustomization for CRDs. diff --git a/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml b/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml deleted file mode 100644 index 1cd182a4..00000000 --- a/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml +++ /dev/null 
@@ -1,1034 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/300 - policy.networking.k8s.io/bundle-version: v0.1.7 - policy.networking.k8s.io/channel: experimental - creationTimestamp: null - name: adminnetworkpolicies.policy.networking.k8s.io -spec: - group: policy.networking.k8s.io - names: - kind: AdminNetworkPolicy - listKind: AdminNetworkPolicyList - plural: adminnetworkpolicies - shortNames: - - anp - singular: adminnetworkpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.priority - name: Priority - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - AdminNetworkPolicy is a cluster level resource that is part of the - AdminNetworkPolicy API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired behavior of AdminNetworkPolicy. - properties: - egress: - description: |- - Egress is the list of Egress rules to be applied to the selected pods. - A total of 100 rules will be allowed in each ANP instance. 
- The relative precedence of egress rules within a single ANP object (all of - which share the priority) will be determined by the order in which the rule - is written. Thus, a rule that appears at the top of the egress rules - would take the highest precedence. - ANPs with no egress rules do not affect egress traffic. - items: - description: |- - AdminNetworkPolicyEgressRule describes an action to take on a particular - set of traffic originating from pods selected by a AdminNetworkPolicy's - Subject field. - - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) - Deny: denies the selected traffic - Pass: instructs the selected traffic to skip any remaining ANP rules, and - then pass execution to any NetworkPolicies that select the pod. - If the pod is not selected by any NetworkPolicies then execution - is passed to any BaselineAdminNetworkPolicies that select the pod. - enum: - - Allow - - Deny - - Pass - type: string - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - AdminNetworkPolicies. - maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of destination ports for the outgoing egress traffic. - If Ports is not set then the rule does not filter traffic via port. - items: - description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). - Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - namedPort: - description: |- - NamedPort selects a port on a pod(s) based on name. 
- - - type: string - portNumber: - description: Port selects a port on a pod(s) based on - number. - properties: - port: - description: Number defines a network port value. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. - properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - to: - description: |- - To is the List of destinations whose traffic this rule applies to. - If any element matches the destination of outgoing - traffic then the specified action is applied. - This field must be defined and contain at least one item. - items: - description: |- - AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. - - Exactly one of the fields must be set for a given peer and this is enforced - by the validation rules on the CRD. If an implementation sees no fields are - set then it can infer that the deployed CRD is of an incompatible version - with an unknown field. In that case it should fail closed. 
- - For "Allow" rules, "fail closed" means: "treat the rule as matching no - traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule - as a 'Deny all' rule". - maxProperties: 1 - minProperties: 1 - properties: - domainNames: - description: |- - DomainNames provides a way to specify domain names as peers. - - DomainNames is only supported for ALLOW rules. In order to control - access, DomainNames Allow rules should be used with a lower priority - egress deny -- this allows the admin to maintain an explicit "allowlist" - of reachable domains. - - DomainNames can have up to 25 domain names specified in one rule. - - - items: - description: |- - DomainName describes one or more domain names to be used as a peer. - - DomainName can be an exact match, or use the wildcard specifier '*' to match - one or more labels. - - '*', the wildcard specifier, matches one or more entire labels. It does not - support partial matches. '*' may only be specified as a prefix. - - Examples: - - `kubernetes.io` matches only `kubernetes.io`. - It does not match "www.kubernetes.io", "blog.kubernetes.io", - "my-kubernetes.io", or "wikipedia.org". - - `blog.kubernetes.io` matches only "blog.kubernetes.io". - It does not match "www.kubernetes.io" or "kubernetes.io". - - `*.kubernetes.io` matches subdomains of kubernetes.io. - "www.kubernetes.io", "blog.kubernetes.io", and - "latest.blog.kubernetes.io" match, however "kubernetes.io", and - "wikipedia.org" do not. - pattern: ^(\*\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.?$ - type: string - maxItems: 25 - minItems: 1 - type: array - x-kubernetes-list-type: set - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - networks: - description: |- - Networks defines a way to select peers via CIDR blocks. - This is intended for representing entities that live outside the cluster, - which can't be selected by pods, namespaces and nodes peers, but note - that cluster-internal traffic will be checked against the rule as - well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow - or deny all IPv4 pod-to-pod traffic as well. If you don't want that, - add a rule that Passes all pod traffic before the Networks rule. - - Each item in Networks should be provided in the CIDR format and should be - IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - - Networks can have upto 25 CIDRs specified. 
- items: - description: CIDR is an IP address range in CIDR notation - (for example, "10.0.0.0/8" or "fd00::/8"). - maxLength: 43 - type: string - x-kubernetes-validations: - - message: Invalid CIDR format provided - rule: isCIDR(self) - maxItems: 25 - minItems: 1 - type: array - x-kubernetes-list-type: set - nodes: - description: |- - Nodes defines a way to select a set of nodes in - the cluster (based on the node's labels). It selects - the nodeIPs as the peer type by matching on the IPs - present in the node.Status.Addresses field of the node. - This field follows standard label selector - semantics; if present but empty, it selects all Nodes. - - - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - required: - - action - - to - type: object - x-kubernetes-validations: - - message: networks/nodes/domainNames peer cannot be set with namedPorts - since there are no namedPorts for networks/nodes/domainNames - rule: '!(self.to.exists(peer, has(peer.networks) || has(peer.nodes) - || has(peer.domainNames)) && has(self.ports) && self.ports.exists(port, - has(port.namedPort)))' - maxItems: 100 - type: array - ingress: - description: |- - Ingress is the list of Ingress rules to be applied to the selected pods. - A total of 100 rules will be allowed in each ANP instance. - The relative precedence of ingress rules within a single ANP object (all of - which share the priority) will be determined by the order in which the rule - is written. Thus, a rule that appears at the top of the ingress rules - would take the highest precedence. - ANPs with no ingress rules do not affect ingress traffic. - items: - description: |- - AdminNetworkPolicyIngressRule describes an action to take on a particular - set of traffic destined for pods selected by an AdminNetworkPolicy's - Subject field. - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) - Deny: denies the selected traffic - Pass: instructs the selected traffic to skip any remaining ANP rules, and - then pass execution to any NetworkPolicies that select the pod. - If the pod is not selected by any NetworkPolicies then execution - is passed to any BaselineAdminNetworkPolicies that select the pod. - enum: - - Allow - - Deny - - Pass - type: string - from: - description: |- - From is the list of sources whose traffic this rule applies to. 
- If any element matches the source of incoming - traffic then the specified action is applied. - This field must be defined and contain at least one item. - items: - description: |- - AdminNetworkPolicyIngressPeer defines a peer to allow traffic to. - - Exactly one of the fields must be set for a given peer and this is enforced - by the validation rules on the CRD. If an implementation sees no fields are - set then it can infer that the deployed CRD is of an incompatible version - with an unknown field. In that case it should fail closed. - - For "Allow" rules, "fail closed" means: "treat the rule as matching no - traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule - as a 'Deny all' rule". - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - AdminNetworkPolicies. - maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of ports which should be matched on - the pods selected for this policy i.e the subject of the policy. - So it matches on the destination port for the ingress traffic. - If Ports is not set then the rule does not filter traffic via port. - items: - description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). - Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - namedPort: - description: |- - NamedPort selects a port on a pod(s) based on name. - - - type: string - portNumber: - description: Port selects a port on a pod(s) based on - number. - properties: - port: - description: Number defines a network port value. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. 
- properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - required: - - action - - from - type: object - maxItems: 100 - type: array - priority: - description: |- - Priority is a value from 0 to 1000. Policies with lower priority values have - higher precedence, and are checked before policies with higher priority values. - All AdminNetworkPolicy rules have higher precedence than NetworkPolicy or - BaselineAdminNetworkPolicy rules. - If two (or more) policies with the same priority could both match a connection, - then the implementation can apply any of the matching policies to the - connection, and there is no way for the user to reliably determine which one it - will choose. Administrators must be careful about assigning the priorities for - policies with rules that will match many connections, and ensure that policies - have unique priority values in cases where ambiguity would be unacceptable. - format: int32 - maximum: 1000 - minimum: 0 - type: integer - subject: - description: |- - Subject defines the pods to which this AdminNetworkPolicy applies. - Note that host-networked pods are not included in subject selection. - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: Namespaces is used to select pods via namespace selectors. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: Pods is used to select pods via namespace AND pod - selectors. - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - required: - - priority - - subject - type: object - status: - description: Status is the status to be reported by the implementation. - properties: - conditions: - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - required: - - conditions - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null diff --git a/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml b/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml deleted file mode 100644 index 191ceee0..00000000 --- a/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml +++ /dev/null 
@@ -1,971 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/300 - policy.networking.k8s.io/bundle-version: v0.1.7 - policy.networking.k8s.io/channel: experimental - creationTimestamp: null - name: baselineadminnetworkpolicies.policy.networking.k8s.io -spec: - group: policy.networking.k8s.io - names: - kind: BaselineAdminNetworkPolicy - listKind: BaselineAdminNetworkPolicyList - plural: baselineadminnetworkpolicies - shortNames: - - banp - singular: baselineadminnetworkpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - BaselineAdminNetworkPolicy is a cluster level resource that is part of the - AdminNetworkPolicy API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired behavior of BaselineAdminNetworkPolicy. - properties: - egress: - description: |- - Egress is the list of Egress rules to be applied to the selected pods if - they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. - A total of 100 Egress rules will be allowed in each BANP instance. 
- The relative precedence of egress rules within a single BANP object - will be determined by the order in which the rule is written. - Thus, a rule that appears at the top of the egress rules - would take the highest precedence. - BANPs with no egress rules do not affect egress traffic. - items: - description: |- - BaselineAdminNetworkPolicyEgressRule describes an action to take on a particular - set of traffic originating from pods selected by a BaselineAdminNetworkPolicy's - Subject field. - - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic - Deny: denies the selected traffic - enum: - - Allow - - Deny - type: string - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - BaselineAdminNetworkPolicies. - maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of destination ports for the outgoing egress traffic. - If Ports is not set then the rule does not filter traffic via port. - items: - description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). - Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - namedPort: - description: |- - NamedPort selects a port on a pod(s) based on name. - - - type: string - portNumber: - description: Port selects a port on a pod(s) based on - number. - properties: - port: - description: Number defines a network port value. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. 
If not specified, this field defaults to TCP. - type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. - properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - to: - description: |- - To is the list of destinations whose traffic this rule applies to. - If any element matches the destination of outgoing - traffic then the specified action is applied. - This field must be defined and contain at least one item. - items: - description: |- - BaselineAdminNetworkPolicyEgressPeer defines a peer to allow traffic to. - - Exactly one of the fields must be set for a given peer and this is enforced - by the validation rules on the CRD. If an implementation sees no fields are - set then it can infer that the deployed CRD is of an incompatible version - with an unknown field. In that case it should fail closed. - - For "Allow" rules, "fail closed" means: "treat the rule as matching no - traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule - as a 'Deny all' rule". - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - networks: - description: |- - Networks defines a way to select peers via CIDR blocks. - This is intended for representing entities that live outside the cluster, - which can't be selected by pods, namespaces and nodes peers, but note - that cluster-internal traffic will be checked against the rule as - well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow - or deny all IPv4 pod-to-pod traffic as well. If you don't want that, - add a rule that Passes all pod traffic before the Networks rule. 
- - Each item in Networks should be provided in the CIDR format and should be - IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - - Networks can have upto 25 CIDRs specified. - items: - description: CIDR is an IP address range in CIDR notation - (for example, "10.0.0.0/8" or "fd00::/8"). - maxLength: 43 - type: string - x-kubernetes-validations: - - message: Invalid CIDR format provided - rule: isCIDR(self) - maxItems: 25 - minItems: 1 - type: array - x-kubernetes-list-type: set - nodes: - description: |- - Nodes defines a way to select a set of nodes in - the cluster (based on the node's labels). It selects - the nodeIPs as the peer type by matching on the IPs - present in the node.Status.Addresses field of the node. - This field follows standard label selector - semantics; if present but empty, it selects all Nodes. - - - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - required: - - action - - to - type: object - x-kubernetes-validations: - - message: networks/nodes peer cannot be set with namedPorts since - there are no namedPorts for networks/nodes - rule: '!(self.to.exists(peer, has(peer.networks) || has(peer.nodes)) - && has(self.ports) && self.ports.exists(port, has(port.namedPort)))' - maxItems: 100 - type: array - ingress: - description: |- - Ingress is the list of Ingress rules to be applied to the selected pods - if they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. - A total of 100 Ingress rules will be allowed in each BANP instance. - The relative precedence of ingress rules within a single BANP object - will be determined by the order in which the rule is written. - Thus, a rule that appears at the top of the ingress rules - would take the highest precedence. - BANPs with no ingress rules do not affect ingress traffic. - items: - description: |- - BaselineAdminNetworkPolicyIngressRule describes an action to take on a particular - set of traffic destined for pods selected by a BaselineAdminNetworkPolicy's - Subject field. - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic - Deny: denies the selected traffic - enum: - - Allow - - Deny - type: string - from: - description: |- - From is the list of sources whose traffic this rule applies to. - If any element matches the source of incoming - traffic then the specified action is applied. - This field must be defined and contain at least one item. - items: - description: |- - AdminNetworkPolicyIngressPeer defines a peer to allow traffic to. 
- - Exactly one of the fields must be set for a given peer and this is enforced - by the validation rules on the CRD. If an implementation sees no fields are - set then it can infer that the deployed CRD is of an incompatible version - with an unknown field. In that case it should fail closed. - - For "Allow" rules, "fail closed" means: "treat the rule as matching no - traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule - as a 'Deny all' rule". - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - BaselineAdminNetworkPolicies. 
- maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of ports which should be matched on - the pods selected for this policy i.e the subject of the policy. - So it matches on the destination port for the ingress traffic. - If Ports is not set then the rule does not filter traffic via port. - items: - description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). - Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - namedPort: - description: |- - NamedPort selects a port on a pod(s) based on name. - - - type: string - portNumber: - description: Port selects a port on a pod(s) based on - number. - properties: - port: - description: Number defines a network port value. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. - properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. 
- format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - required: - - action - - from - type: object - maxItems: 100 - type: array - subject: - description: |- - Subject defines the pods to which this BaselineAdminNetworkPolicy applies. - Note that host-networked pods are not included in subject selection. - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: Namespaces is used to select pods via namespace selectors. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: Pods is used to select pods via namespace AND pod - selectors. - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - required: - - subject - type: object - status: - description: Status is the status to be reported by the implementation. - properties: - conditions: - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - required: - - conditions - type: object - required: - - metadata - - spec - type: object - x-kubernetes-validations: - - message: Only one baseline admin network policy with metadata.name="default" - can be created in the cluster - rule: self.metadata.name == 'default' - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null diff --git a/config/crd/standard/kustomization.yaml b/config/crd/standard/kustomization.yaml index c4a47a74..f4aa44ac 100644 --- a/config/crd/standard/kustomization.yaml +++ b/config/crd/standard/kustomization.yaml @@ -2,8 +2,7 @@ # since it depends on service name and namespace that are out of this kustomize package. # It should be run by config/default resources: -- policy.networking.k8s.io_adminnetworkpolicies.yaml -- policy.networking.k8s.io_baselineadminnetworkpolicies.yaml +- policy.networking.k8s.io_clusternetworkpolicies.yaml #+kubebuilder:scaffold:crdkustomizeresource # the following config is for teaching kustomize how to do kustomization for CRDs. diff --git a/config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml b/config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml deleted file mode 100644 index 021de260..00000000 --- a/config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml +++ /dev/null 
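Review bot: Dropping the two CRD files from `resources:` in config/crd/standard/kustomization.yaml does not remove `adminnetworkpolicies` / `baselineadminnetworkpolicies` from clusters that already applied the previous list, because `kubectl apply -k` does not prune without `--prune`, so existing ANP/BANP objects would presumably remain accepted by the API server while nothing in this install set reconciles them — a silent fail-open for policies operators still believe are enforced. A comment next to the new entry would make the migration step explicit, e.g. `# ANP/BANP CRDs were replaced by ClusterNetworkPolicy; applying this kustomization does not prune them,` / `# so existing clusters must migrate their policies and delete the old CRDs manually.` The `policy.networking.k8s.io_clusternetworkpolicies.yaml` file the new entry references is not visible in this chunk, so I cannot confirm it is added for the standard channel alongside this change.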
@@ -1,924 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/300 - policy.networking.k8s.io/bundle-version: v0.1.7 - policy.networking.k8s.io/channel: standard - creationTimestamp: null - name: adminnetworkpolicies.policy.networking.k8s.io
-spec: - group: policy.networking.k8s.io - names: - kind: AdminNetworkPolicy - listKind: AdminNetworkPolicyList - plural: adminnetworkpolicies - shortNames: - - anp - singular: adminnetworkpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.priority - name: Priority - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - AdminNetworkPolicy is a cluster level resource that is part of the - AdminNetworkPolicy API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired behavior of AdminNetworkPolicy. - properties: - egress: - description: |- - Egress is the list of Egress rules to be applied to the selected pods. - A total of 100 rules will be allowed in each ANP instance.
- The relative precedence of egress rules within a single ANP object (all of - which share the priority) will be determined by the order in which the rule - is written. Thus, a rule that appears at the top of the egress rules - would take the highest precedence. - ANPs with no egress rules do not affect egress traffic. - items: - description: |- - AdminNetworkPolicyEgressRule describes an action to take on a particular - set of traffic originating from pods selected by a AdminNetworkPolicy's - Subject field. - - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) - Deny: denies the selected traffic - Pass: instructs the selected traffic to skip any remaining ANP rules, and - then pass execution to any NetworkPolicies that select the pod. - If the pod is not selected by any NetworkPolicies then execution - is passed to any BaselineAdminNetworkPolicies that select the pod. - enum: - - Allow - - Deny - - Pass - type: string - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - AdminNetworkPolicies. - maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of destination ports for the outgoing egress traffic. - If Ports is not set then the rule does not filter traffic via port. - items: - description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). - Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - portNumber: - description: Port selects a port on a pod(s) based on - number. 
- properties: - port: - description: Number defines a network port value. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. - properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - to: - description: |- - To is the List of destinations whose traffic this rule applies to. - If any element matches the destination of outgoing - traffic then the specified action is applied. - This field must be defined and contain at least one item. - items: - description: |- - AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. - - Exactly one of the fields must be set for a given peer and this is enforced - by the validation rules on the CRD. If an implementation sees no fields are - set then it can infer that the deployed CRD is of an incompatible version - with an unknown field. In that case it should fail closed. - - For "Allow" rules, "fail closed" means: "treat the rule as matching no - traffic". 
For "Deny" and "Pass" rules, "fail closed" means: "treat the rule - as a 'Deny all' rule". - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - networks: - description: |- - Networks defines a way to select peers via CIDR blocks. 
- This is intended for representing entities that live outside the cluster, - which can't be selected by pods, namespaces and nodes peers, but note - that cluster-internal traffic will be checked against the rule as - well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow - or deny all IPv4 pod-to-pod traffic as well. If you don't want that, - add a rule that Passes all pod traffic before the Networks rule. - - Each item in Networks should be provided in the CIDR format and should be - IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - - Networks can have upto 25 CIDRs specified. - items: - description: CIDR is an IP address range in CIDR notation - (for example, "10.0.0.0/8" or "fd00::/8"). - maxLength: 43 - type: string - x-kubernetes-validations: - - message: Invalid CIDR format provided - rule: isCIDR(self) - maxItems: 25 - minItems: 1 - type: array - x-kubernetes-list-type: set - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - required: - - action - - to - type: object - maxItems: 100 - type: array - ingress: - description: |- - Ingress is the list of Ingress rules to be applied to the selected pods. - A total of 100 rules will be allowed in each ANP instance. - The relative precedence of ingress rules within a single ANP object (all of - which share the priority) will be determined by the order in which the rule - is written. Thus, a rule that appears at the top of the ingress rules - would take the highest precedence. - ANPs with no ingress rules do not affect ingress traffic. - items: - description: |- - AdminNetworkPolicyIngressRule describes an action to take on a particular - set of traffic destined for pods selected by an AdminNetworkPolicy's - Subject field. - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) - Deny: denies the selected traffic - Pass: instructs the selected traffic to skip any remaining ANP rules, and - then pass execution to any NetworkPolicies that select the pod. - If the pod is not selected by any NetworkPolicies then execution - is passed to any BaselineAdminNetworkPolicies that select the pod. - enum: - - Allow - - Deny - - Pass - type: string - from: - description: |- - From is the list of sources whose traffic this rule applies to. - If any element matches the source of incoming - traffic then the specified action is applied. 
- This field must be defined and contain at least one item. - items: - description: |- - AdminNetworkPolicyIngressPeer defines a peer to allow traffic to. - - Exactly one of the fields must be set for a given peer and this is enforced - by the validation rules on the CRD. If an implementation sees no fields are - set then it can infer that the deployed CRD is of an incompatible version - with an unknown field. In that case it should fail closed. - - For "Allow" rules, "fail closed" means: "treat the rule as matching no - traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule - as a 'Deny all' rule". - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - AdminNetworkPolicies. 
- maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of ports which should be matched on - the pods selected for this policy i.e the subject of the policy. - So it matches on the destination port for the ingress traffic. - If Ports is not set then the rule does not filter traffic via port. - items: - description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). - Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - portNumber: - description: Port selects a port on a pod(s) based on - number. - properties: - port: - description: Number defines a network port value. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. - properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - required: - - action - - from - type: object - maxItems: 100 - type: array - priority: - description: |- - Priority is a value from 0 to 1000. 
Policies with lower priority values have - higher precedence, and are checked before policies with higher priority values. - All AdminNetworkPolicy rules have higher precedence than NetworkPolicy or - BaselineAdminNetworkPolicy rules. - If two (or more) policies with the same priority could both match a connection, - then the implementation can apply any of the matching policies to the - connection, and there is no way for the user to reliably determine which one it - will choose. Administrators must be careful about assigning the priorities for - policies with rules that will match many connections, and ensure that policies - have unique priority values in cases where ambiguity would be unacceptable. - format: int32 - maximum: 1000 - minimum: 0 - type: integer - subject: - description: |- - Subject defines the pods to which this AdminNetworkPolicy applies. - Note that host-networked pods are not included in subject selection. - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: Namespaces is used to select pods via namespace selectors. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: Pods is used to select pods via namespace AND pod - selectors. - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - required: - - priority - - subject - type: object - status: - description: Status is the status to be reported by the implementation. - properties: - conditions: - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - required: - - conditions - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {}
-status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null
diff --git a/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml b/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
deleted file mode 100644
index c172b6be..00000000
--- a/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
+++ /dev/null
@@ -1,900 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/300 - policy.networking.k8s.io/bundle-version: v0.1.7 - policy.networking.k8s.io/channel: standard - creationTimestamp: null - name: baselineadminnetworkpolicies.policy.networking.k8s.io -spec: - group: policy.networking.k8s.io - names: - kind: BaselineAdminNetworkPolicy - listKind: BaselineAdminNetworkPolicyList - plural: baselineadminnetworkpolicies - shortNames: - - banp - singular: baselineadminnetworkpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - BaselineAdminNetworkPolicy is a cluster level resource that is part of the - AdminNetworkPolicy API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired behavior of BaselineAdminNetworkPolicy. - properties: - egress: - description: |- - Egress is the list of Egress rules to be applied to the selected pods if - they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. - A total of 100 Egress rules will be allowed in each BANP instance. 
- The relative precedence of egress rules within a single BANP object - will be determined by the order in which the rule is written. - Thus, a rule that appears at the top of the egress rules - would take the highest precedence. - BANPs with no egress rules do not affect egress traffic. - items: - description: |- - BaselineAdminNetworkPolicyEgressRule describes an action to take on a particular - set of traffic originating from pods selected by a BaselineAdminNetworkPolicy's - Subject field. - - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic - Deny: denies the selected traffic - enum: - - Allow - - Deny - type: string - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - BaselineAdminNetworkPolicies. - maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of destination ports for the outgoing egress traffic. - If Ports is not set then the rule does not filter traffic via port. - items: - description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). - Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - portNumber: - description: Port selects a port on a pod(s) based on - number. - properties: - port: - description: Number defines a network port value. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. 
- type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. - properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - to: - description: |- - To is the list of destinations whose traffic this rule applies to. - If any element matches the destination of outgoing - traffic then the specified action is applied. - This field must be defined and contain at least one item. - items: - description: |- - BaselineAdminNetworkPolicyEgressPeer defines a peer to allow traffic to. - - Exactly one of the fields must be set for a given peer and this is enforced - by the validation rules on the CRD. If an implementation sees no fields are - set then it can infer that the deployed CRD is of an incompatible version - with an unknown field. In that case it should fail closed. - - For "Allow" rules, "fail closed" means: "treat the rule as matching no - traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule - as a 'Deny all' rule". - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - networks: - description: |- - Networks defines a way to select peers via CIDR blocks. - This is intended for representing entities that live outside the cluster, - which can't be selected by pods, namespaces and nodes peers, but note - that cluster-internal traffic will be checked against the rule as - well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow - or deny all IPv4 pod-to-pod traffic as well. If you don't want that, - add a rule that Passes all pod traffic before the Networks rule. 
- - Each item in Networks should be provided in the CIDR format and should be - IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - - Networks can have upto 25 CIDRs specified. - items: - description: CIDR is an IP address range in CIDR notation - (for example, "10.0.0.0/8" or "fd00::/8"). - maxLength: 43 - type: string - x-kubernetes-validations: - - message: Invalid CIDR format provided - rule: isCIDR(self) - maxItems: 25 - minItems: 1 - type: array - x-kubernetes-list-type: set - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - required: - - action - - to - type: object - maxItems: 100 - type: array - ingress: - description: |- - Ingress is the list of Ingress rules to be applied to the selected pods - if they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. - A total of 100 Ingress rules will be allowed in each BANP instance. - The relative precedence of ingress rules within a single BANP object - will be determined by the order in which the rule is written. - Thus, a rule that appears at the top of the ingress rules - would take the highest precedence. - BANPs with no ingress rules do not affect ingress traffic. - items: - description: |- - BaselineAdminNetworkPolicyIngressRule describes an action to take on a particular - set of traffic destined for pods selected by a BaselineAdminNetworkPolicy's - Subject field. - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic - Deny: denies the selected traffic - enum: - - Allow - - Deny - type: string - from: - description: |- - From is the list of sources whose traffic this rule applies to. - If any element matches the source of incoming - traffic then the specified action is applied. - This field must be defined and contain at least one item. - items: - description: |- - AdminNetworkPolicyIngressPeer defines a peer to allow traffic to. - - Exactly one of the fields must be set for a given peer and this is enforced - by the validation rules on the CRD. If an implementation sees no fields are - set then it can infer that the deployed CRD is of an incompatible version - with an unknown field. In that case it should fail closed. 
- - For "Allow" rules, "fail closed" means: "treat the rule as matching no - traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule - as a 'Deny all' rule". - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. 
- properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - BaselineAdminNetworkPolicies. - maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of ports which should be matched on - the pods selected for this policy i.e the subject of the policy. - So it matches on the destination port for the ingress traffic. - If Ports is not set then the rule does not filter traffic via port. - items: - description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). 
- Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - portNumber: - description: Port selects a port on a pod(s) based on - number. - properties: - port: - description: Number defines a network port value. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. - properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - required: - - action - - from - type: object - maxItems: 100 - type: array - subject: - description: |- - Subject defines the pods to which this BaselineAdminNetworkPolicy applies. - Note that host-networked pods are not included in subject selection. - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: Namespaces is used to select pods via namespace selectors. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: Pods is used to select pods via namespace AND pod - selectors. - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. 
- Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - required: - - subject - type: object - status: - description: Status is the status to be reported by the implementation. - properties: - conditions: - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - required: - - conditions - type: object - required: - - metadata - - spec - type: object - x-kubernetes-validations: - - message: Only one baseline admin network policy with metadata.name="default" - can be created in the cluster - rule: self.metadata.name == 'default' - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null diff --git a/conformance/apis/v1alpha1/profilereport.go b/conformance/apis/v1alpha1/profilereport.go index 5e7a24ee..27922667 100644 --- a/conformance/apis/v1alpha1/profilereport.go +++ b/conformance/apis/v1alpha1/profilereport.go @@ -20,7 +20,7 @@ package v1alpha1 // named conformance profile. type ProfileReport struct { // Name indicates the name of the conformance profile - // (e.g. "AdminNetworkPolicy", "BaselineAdminNetworkPolicy") + // (e.g. "ClusterNetworkPolicy", "AdminNetworkPolicy", "BaselineAdminNetworkPolicy") Name string `json:"name"` // Standard indicates the standard support level which includes the set of tests 
diff --git a/conformance/base/admin_network_policy/experimental-egress-selector-rules.yaml b/conformance/base/admin_tier/experimental-egress-selector-rules.yaml similarity index 92% rename from conformance/base/admin_network_policy/experimental-egress-selector-rules.yaml rename to conformance/base/admin_tier/experimental-egress-selector-rules.yaml index adad2c3b..4bdb45e2 100644 --- a/conformance/base/admin_network_policy/experimental-egress-selector-rules.yaml +++ b/conformance/base/admin_tier/experimental-egress-selector-rules.yaml @@ -1,8 +1,9 @@ -apiVersion: policy.networking.k8s.io/v1alpha1 -kind: AdminNetworkPolicy +apiVersion: policy.networking.k8s.io/v1alpha2 +kind: ClusterNetworkPolicy metadata: name: node-and-cidr-as-peers-example spec: + tier: Admin priority: 75 subject: pods: diff --git a/conformance/base/admin_network_policy/standard-egress-inline-cidr-rules.yaml b/conformance/base/admin_tier/standard-egress-inline-cidr-rules.yaml similarity index 90% rename from conformance/base/admin_network_policy/standard-egress-inline-cidr-rules.yaml rename to conformance/base/admin_tier/standard-egress-inline-cidr-rules.yaml index a5a37b23..f25a6c5f 100644 --- a/conformance/base/admin_network_policy/standard-egress-inline-cidr-rules.yaml +++ b/conformance/base/admin_tier/standard-egress-inline-cidr-rules.yaml @@ -1,8 +1,9 @@ -apiVersion: policy.networking.k8s.io/v1alpha1 -kind: AdminNetworkPolicy +apiVersion: policy.networking.k8s.io/v1alpha2 +kind: ClusterNetworkPolicy metadata: name: inline-cidr-as-peers-example spec: + tier: Admin priority: 85 subject: pods: diff --git a/conformance/base/admin_network_policy/standard-egress-sctp-rules.yaml b/conformance/base/admin_tier/standard-egress-sctp-rules.yaml similarity index 95% rename from conformance/base/admin_network_policy/standard-egress-sctp-rules.yaml rename to conformance/base/admin_tier/standard-egress-sctp-rules.yaml index d8f77117..630cdf82 100644 
--- a/conformance/base/admin_network_policy/standard-egress-sctp-rules.yaml +++ b/conformance/base/admin_tier/standard-egress-sctp-rules.yaml @@ -1,8 +1,9 @@ -apiVersion: policy.networking.k8s.io/v1alpha1 -kind: AdminNetworkPolicy +apiVersion: policy.networking.k8s.io/v1alpha2 +kind: ClusterNetworkPolicy metadata: name: egress-sctp spec: + tier: Admin priority: 8 subject: namespaces: diff --git a/conformance/base/admin_network_policy/standard-egress-tcp-rules.yaml b/conformance/base/admin_tier/standard-egress-tcp-rules.yaml similarity index 95% rename from conformance/base/admin_network_policy/standard-egress-tcp-rules.yaml rename to conformance/base/admin_tier/standard-egress-tcp-rules.yaml index df65431e..f5ff7acf 100644 --- a/conformance/base/admin_network_policy/standard-egress-tcp-rules.yaml +++ b/conformance/base/admin_tier/standard-egress-tcp-rules.yaml @@ -1,8 +1,9 @@ -apiVersion: policy.networking.k8s.io/v1alpha1 -kind: AdminNetworkPolicy +apiVersion: policy.networking.k8s.io/v1alpha2 +kind: ClusterNetworkPolicy metadata: name: egress-tcp spec: + tier: Admin priority: 6 subject: namespaces: diff --git a/conformance/base/admin_network_policy/standard-egress-udp-rules.yaml b/conformance/base/admin_tier/standard-egress-udp-rules.yaml similarity index 95% rename from conformance/base/admin_network_policy/standard-egress-udp-rules.yaml rename to conformance/base/admin_tier/standard-egress-udp-rules.yaml index fb7e801f..fd3c7031 100644 --- a/conformance/base/admin_network_policy/standard-egress-udp-rules.yaml +++ b/conformance/base/admin_tier/standard-egress-udp-rules.yaml @@ -1,8 +1,9 @@ -apiVersion: policy.networking.k8s.io/v1alpha1 -kind: AdminNetworkPolicy +apiVersion: policy.networking.k8s.io/v1alpha2 +kind: ClusterNetworkPolicy metadata: name: egress-udp spec: + tier: Admin priority: 7 subject: namespaces: 
diff --git a/conformance/base/admin_network_policy/standard-gress-rules-combined.yaml b/conformance/base/admin_tier/standard-gress-rules-combined.yaml similarity index 97% rename from conformance/base/admin_network_policy/standard-gress-rules-combined.yaml rename to conformance/base/admin_tier/standard-gress-rules-combined.yaml index 0587fd98..7fb2f2bf 100644 --- a/conformance/base/admin_network_policy/standard-gress-rules-combined.yaml +++ b/conformance/base/admin_tier/standard-gress-rules-combined.yaml @@ -1,8 +1,9 @@ -apiVersion: policy.networking.k8s.io/v1alpha1 -kind: AdminNetworkPolicy +apiVersion: policy.networking.k8s.io/v1alpha2 +kind: ClusterNetworkPolicy metadata: name: gress-rules spec: + tier: Admin priority: 15 subject: namespaces: diff --git a/conformance/base/admin_network_policy/standard-ingress-sctp-rules.yaml b/conformance/base/admin_tier/standard-ingress-sctp-rules.yaml similarity index 95% rename from conformance/base/admin_network_policy/standard-ingress-sctp-rules.yaml rename to conformance/base/admin_tier/standard-ingress-sctp-rules.yaml index 90fa9f46..0384a613 100644 --- a/conformance/base/admin_network_policy/standard-ingress-sctp-rules.yaml +++ b/conformance/base/admin_tier/standard-ingress-sctp-rules.yaml @@ -1,8 +1,9 @@ -apiVersion: policy.networking.k8s.io/v1alpha1 -kind: AdminNetworkPolicy +apiVersion: policy.networking.k8s.io/v1alpha2 +kind: ClusterNetworkPolicy metadata: name: ingress-sctp spec: + tier: Admin priority: 5 subject: namespaces: diff --git a/conformance/base/admin_network_policy/standard-ingress-tcp-rules.yaml b/conformance/base/admin_tier/standard-ingress-tcp-rules.yaml similarity index 95% rename from conformance/base/admin_network_policy/standard-ingress-tcp-rules.yaml rename to conformance/base/admin_tier/standard-ingress-tcp-rules.yaml index a13a612d..a297a78e 100644 --- a/conformance/base/admin_network_policy/standard-ingress-tcp-rules.yaml +++ b/conformance/base/admin_tier/standard-ingress-tcp-rules.yaml 
@@ -1,8 +1,9 @@ -apiVersion: policy.networking.k8s.io/v1alpha1 -kind: AdminNetworkPolicy +apiVersion: policy.networking.k8s.io/v1alpha2 +kind: ClusterNetworkPolicy metadata: name: ingress-tcp spec: + tier: Admin priority: 3 subject: namespaces: diff --git a/conformance/base/admin_network_policy/standard-ingress-udp-rules.yaml b/conformance/base/admin_tier/standard-ingress-udp-rules.yaml similarity index 95% rename from conformance/base/admin_network_policy/standard-ingress-udp-rules.yaml rename to conformance/base/admin_tier/standard-ingress-udp-rules.yaml index 78c44216..d4bca13c 100644 --- a/conformance/base/admin_network_policy/standard-ingress-udp-rules.yaml +++ b/conformance/base/admin_tier/standard-ingress-udp-rules.yaml @@ -1,8 +1,9 @@ -apiVersion: policy.networking.k8s.io/v1alpha1 -kind: AdminNetworkPolicy +apiVersion: policy.networking.k8s.io/v1alpha2 +kind: ClusterNetworkPolicy metadata: name: ingress-udp spec: + tier: Admin priority: 4 subject: namespaces: diff --git a/conformance/base/admin_network_policy/standard-priority-field.yaml b/conformance/base/admin_tier/standard-priority-field.yaml similarity index 89% rename from conformance/base/admin_network_policy/standard-priority-field.yaml rename to conformance/base/admin_tier/standard-priority-field.yaml index 4da94b4b..76ea919d 100644 --- a/conformance/base/admin_network_policy/standard-priority-field.yaml +++ b/conformance/base/admin_tier/standard-priority-field.yaml @@ -1,8 +1,9 @@ -apiVersion: policy.networking.k8s.io/v1alpha1 -kind: AdminNetworkPolicy +apiVersion: policy.networking.k8s.io/v1alpha2 +kind: ClusterNetworkPolicy metadata: name: priority-50-example spec: + tier: Admin priority: 50 subject: pods: 
@@ -35,11 +36,12 @@ spec:
 matchLabels:
 conformance-house: slytherin
 ---
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: AdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
 name: old-priority-60-new-priority-40-example
 spec:
+ tier: Admin
 priority: 60 # will be updated to 40 in the tests thus taking higher precedence over the deny at priority 50
 subject:
 pods:
@@ -72,11 +74,13 @@ spec:
 matchLabels:
 conformance-house: slytherin
 ---
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: BaselineAdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
 name: default
 spec:
+ tier: Baseline
+ priority: 10
 subject:
 pods:
 namespaceSelector:
diff --git a/conformance/base/api_integration/standard-anp-np-banp.yaml b/conformance/base/api_integration/standard-anp-np-banp.yaml
index 0d7c4458..08398dc1 100644
--- a/conformance/base/api_integration/standard-anp-np-banp.yaml
+++ b/conformance/base/api_integration/standard-anp-np-banp.yaml
@@ -1,8 +1,9 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: AdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
 name: pass-example
 spec:
+ tier: Admin
 priority: 10
 subject:
 namespaces:
@@ -44,11 +45,13 @@ spec:
 matchLabels:
 conformance-house: slytherin
 ---
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: BaselineAdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
 name: default
 spec:
+ tier: Baseline
+ priority: 10
 subject:
 namespaces:
 matchLabels:
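Review bot: The Baseline-tier `default` policy in the last hunk of standard-anp-np-banp.yaml is given `priority: 10`, the same number as the Admin-tier `pass-example` policy in the first hunk of that file, and every baseline manifest in this commit uses `priority: 10` as well. If priority is only compared among policies of the same tier this is harmless, but a reader comparing the two documents will see an apparent conflict, so a comment next to the baseline value such as `# priority is ordered within the Baseline tier only; Admin-tier policies are evaluated first` would remove the ambiguity. The same comment would fit the Baseline document in standard-priority-field.yaml, whose existing comment on the Admin-tier `priority: 60` line explains the ordering only for that tier.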
diff --git a/conformance/base/baseline_admin_network_policy/experimental-egress-selector-rules.yaml b/conformance/base/baseline_tier/experimental-egress-selector-rules.yaml
similarity index 84%
rename from conformance/base/baseline_admin_network_policy/experimental-egress-selector-rules.yaml
rename to conformance/base/baseline_tier/experimental-egress-selector-rules.yaml
index b9376e4f..b901fe6e 100644
--- a/conformance/base/baseline_admin_network_policy/experimental-egress-selector-rules.yaml
+++ b/conformance/base/baseline_tier/experimental-egress-selector-rules.yaml
@@ -1,8 +1,10 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: BaselineAdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
 name: default
 spec:
+ tier: Baseline
+ priority: 10
 subject:
 namespaces:
 matchLabels:
diff --git a/conformance/base/baseline_admin_network_policy/standard-egress-inline-cidr-rules.yaml b/conformance/base/baseline_tier/standard-egress-inline-cidr-rules.yaml
similarity index 87%
rename from conformance/base/baseline_admin_network_policy/standard-egress-inline-cidr-rules.yaml
rename to conformance/base/baseline_tier/standard-egress-inline-cidr-rules.yaml
index 256f66aa..f5baa448 100644
--- a/conformance/base/baseline_admin_network_policy/standard-egress-inline-cidr-rules.yaml
+++ b/conformance/base/baseline_tier/standard-egress-inline-cidr-rules.yaml
@@ -1,8 +1,10 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: BaselineAdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
 name: default
 spec:
+ tier: Baseline
+ priority: 10
 subject:
 namespaces:
 matchLabels:
diff --git a/conformance/base/baseline_admin_network_policy/standard-egress-sctp-rules.yaml b/conformance/base/baseline_tier/standard-egress-sctp-rules.yaml
similarity index 92%
rename from conformance/base/baseline_admin_network_policy/standard-egress-sctp-rules.yaml
rename to conformance/base/baseline_tier/standard-egress-sctp-rules.yaml
index 27d53c5c..d2bfa5cb 100644
--- a/conformance/base/baseline_admin_network_policy/standard-egress-sctp-rules.yaml
+++ b/conformance/base/baseline_tier/standard-egress-sctp-rules.yaml
@@ -1,8 +1,10 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: BaselineAdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
 name: default
 spec:
+ tier: Baseline
+ priority: 10
 subject:
 namespaces:
 matchLabels:
diff --git a/conformance/base/baseline_admin_network_policy/standard-egress-tcp-rules.yaml b/conformance/base/baseline_tier/standard-egress-tcp-rules.yaml
similarity index 92%
rename from conformance/base/baseline_admin_network_policy/standard-egress-tcp-rules.yaml
rename to conformance/base/baseline_tier/standard-egress-tcp-rules.yaml
index 1b46d75b..fe59e33f 100644
--- a/conformance/base/baseline_admin_network_policy/standard-egress-tcp-rules.yaml
+++ b/conformance/base/baseline_tier/standard-egress-tcp-rules.yaml
@@ -1,8 +1,10 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: BaselineAdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
 name: default
 spec:
+ tier: Baseline
+ priority: 10
 subject:
 namespaces:
 matchLabels:
diff --git a/conformance/base/baseline_admin_network_policy/standard-egress-udp-rules.yaml b/conformance/base/baseline_tier/standard-egress-udp-rules.yaml
similarity index 92%
rename from conformance/base/baseline_admin_network_policy/standard-egress-udp-rules.yaml
rename to conformance/base/baseline_tier/standard-egress-udp-rules.yaml
index 7b0250e8..26b5048b 100644
--- a/conformance/base/baseline_admin_network_policy/standard-egress-udp-rules.yaml
+++ b/conformance/base/baseline_tier/standard-egress-udp-rules.yaml
@@ -1,8 +1,10 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: BaselineAdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
 name: default
 spec:
+ tier: Baseline
+ priority: 10
 subject:
 namespaces:
 matchLabels:
diff --git a/conformance/base/baseline_admin_network_policy/standard-gress-rules-combined.yaml b/conformance/base/baseline_tier/standard-gress-rules-combined.yaml
similarity index 96%
rename from conformance/base/baseline_admin_network_policy/standard-gress-rules-combined.yaml
rename to conformance/base/baseline_tier/standard-gress-rules-combined.yaml
index 6f22cd81..7ab61e63 100644
--- a/conformance/base/baseline_admin_network_policy/standard-gress-rules-combined.yaml
+++ b/conformance/base/baseline_tier/standard-gress-rules-combined.yaml
@@ -1,8 +1,10 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: BaselineAdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
 name: default
 spec:
+ tier: Baseline
+ priority: 10
 subject:
 namespaces:
 matchLabels:
diff --git a/conformance/base/baseline_admin_network_policy/standard-ingress-sctp-rules.yaml b/conformance/base/baseline_tier/standard-ingress-sctp-rules.yaml
similarity index 92%
rename from conformance/base/baseline_admin_network_policy/standard-ingress-sctp-rules.yaml
rename to conformance/base/baseline_tier/standard-ingress-sctp-rules.yaml
index 81911597..e2ab60d2 100644
--- a/conformance/base/baseline_admin_network_policy/standard-ingress-sctp-rules.yaml
+++ b/conformance/base/baseline_tier/standard-ingress-sctp-rules.yaml
@@ -1,8 +1,10 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: BaselineAdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
 name: default
 spec:
+ tier: Baseline
+ priority: 10
 subject:
 namespaces:
 matchLabels:
diff --git a/conformance/base/baseline_admin_network_policy/standard-ingress-tcp-rules.yaml b/conformance/base/baseline_tier/standard-ingress-tcp-rules.yaml
similarity index 92%
rename from conformance/base/baseline_admin_network_policy/standard-ingress-tcp-rules.yaml
rename to conformance/base/baseline_tier/standard-ingress-tcp-rules.yaml
index 08155b45..2347ef8c 100644
--- a/conformance/base/baseline_admin_network_policy/standard-ingress-tcp-rules.yaml
+++ b/conformance/base/baseline_tier/standard-ingress-tcp-rules.yaml
@@ -1,8 +1,10 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: BaselineAdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
 name: default
 spec:
+ tier: Baseline
+ priority: 10
 subject:
 namespaces:
 matchLabels:
diff --git a/conformance/base/baseline_admin_network_policy/standard-ingress-udp-rules.yaml b/conformance/base/baseline_tier/standard-ingress-udp-rules.yaml
similarity index 92%
rename from conformance/base/baseline_admin_network_policy/standard-ingress-udp-rules.yaml
rename to conformance/base/baseline_tier/standard-ingress-udp-rules.yaml
index 2f7f3e8b..9c2fc5d9 100644
--- a/conformance/base/baseline_admin_network_policy/standard-ingress-udp-rules.yaml
+++ b/conformance/base/baseline_tier/standard-ingress-udp-rules.yaml
@@ -1,8 +1,10 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: BaselineAdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
 name: default
 spec:
+ tier: Baseline
+ priority: 10
 subject:
 namespaces:
 matchLabels:
diff --git a/conformance/conformance_profile_test.go b/conformance/conformance_profile_test.go
index 69d156c5..341a8537 100644
--- a/conformance/conformance_profile_test.go
+++ b/conformance/conformance_profile_test.go
@@ -28,7 +28,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client/config"
 "sigs.k8s.io/yaml"
 
- "sigs.k8s.io/network-policy-api/apis/v1alpha1"
+ "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 confv1a1 "sigs.k8s.io/network-policy-api/conformance/apis/v1alpha1"
 "sigs.k8s.io/network-policy-api/conformance/tests"
 "sigs.k8s.io/network-policy-api/conformance/utils/flags"
@@ -67,7 +67,10 @@ func TestConformanceProfiles(t *testing.T) {
 t.Fatalf("error when creating Kubernetes ClientSet: %v", err)
 }
 
- v1alpha1.Install(c.Scheme())
+ err = v1alpha2.Install(c.Scheme())
+ if err != nil {
+ t.Fatalf("Error installing v1alpha2 scheme: %v", err)
+ }
 
 // standard conformance flags
 supportedFeatures = suite.ParseSupportedFeatures(*flags.SupportedFeatures)
diff --git a/conformance/conformance_test.go b/conformance/conformance_test.go
index 3777c4b6..d593d348 100644
--- a/conformance/conformance_test.go
+++ b/conformance/conformance_test.go
@@ -26,7 +26,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/client/config"
 
- "sigs.k8s.io/network-policy-api/apis/v1alpha1"
+ "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/tests"
 "sigs.k8s.io/network-policy-api/conformance/utils/flags"
 "sigs.k8s.io/network-policy-api/conformance/utils/suite"
@@ -51,7 +51,10 @@ func TestConformance(t *testing.T) {
 t.Fatalf("error when creating Kubernetes ClientSet: %v", err)
 }
 
- v1alpha1.Install(c.Scheme())
+ err = v1alpha2.Install(c.Scheme())
+ if err != nil {
+ t.Fatalf("Error installing v1alpha2 scheme: %v", err)
+ }
 
 supportedFeatures := suite.ParseSupportedFeatures(*flags.SupportedFeatures)
 exemptFeatures := suite.ParseSupportedFeatures(*flags.ExemptFeatures)
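Review bot: The new fatal message `t.Fatalf("Error installing v1alpha2 scheme: %v", err)` starts with a capital letter while the message two lines above it in the same hunk ("error when creating Kubernetes ClientSet: %v") is lowercase; the identical line is added in the TestConformance hunk of conformance_test.go further down this line. Go error and log text is conventionally lowercase, so `t.Fatalf("error installing v1alpha2 scheme: %v", err)` in both places keeps the two files consistent. Dropping `v1alpha1.Install` also means the client can no longer decode any v1alpha1 kind, which presumably surfaces as an unregistered-kind failure at run time rather than at compile time if a manifest or test is missed in the migration, so a one-line comment such as `// only v1alpha2 types are registered; v1alpha1 manifests are no longer decodable by this client` next to the Install call would make that explicit. Both TestConformanceProfiles and TestConformance continue outside their hunks.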
diff --git a/conformance/tests/admin-network-policy-experimental-egress-rules.go b/conformance/tests/admin-network-policy-experimental-egress-rules.go
index caf1adb3..fb558021 100644
--- a/conformance/tests/admin-network-policy-experimental-egress-rules.go
+++ b/conformance/tests/admin-network-policy-experimental-egress-rules.go
@@ -25,32 +25,32 @@ import (
 v1 "k8s.io/api/core/v1"
 "sigs.k8s.io/controller-runtime/pkg/client"
 
- "sigs.k8s.io/network-policy-api/apis/v1alpha1"
+ "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
 "sigs.k8s.io/network-policy-api/conformance/utils/suite"
 )
 
 func init() {
 ConformanceTests = append(ConformanceTests,
- AdminNetworkPolicyEgressNamedPort,
- AdminNetworkPolicyEgressNodePeers,
+ CNPAdminTierEgressNamedPort,
+ CNPAdminTierEgressNodePeers,
 )
 }
 
-var AdminNetworkPolicyEgressNamedPort = suite.ConformanceTest{
- ShortName: "AdminNetworkPolicyEgressNamedPort",
- Description: "Tests support for egress traffic on a named port using admin network policy API based on a server and client model",
+var CNPAdminTierEgressNamedPort = suite.ConformanceTest{
+ ShortName: "CNPAdminTierEgressNamedPort",
+ Description: "Tests support for egress traffic on a named port using cluster network policy API based on a server and client model",
 Features: []suite.SupportedFeature{
- suite.SupportAdminNetworkPolicy,
- suite.SupportAdminNetworkPolicyNamedPorts,
+ suite.SupportClusterNetworkPolicy,
+ suite.SupportClusterNetworkPolicyNamedPorts,
 },
- Manifests: []string{"base/admin_network_policy/standard-egress-tcp-rules.yaml"},
+ Manifests: []string{"base/admin_tier/standard-egress-tcp-rules.yaml"},
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-egress' policy for named port", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-tcp` ANP
+ // This test uses `egress-tcp` admin CNP
 // cedric-diggory-1 is our server pod in hufflepuff namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
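Review bot: The test variables in this hunk are renamed to the CNPAdminTier* prefix and their manifests moved under base/admin_tier, but the Go file keeps its admin-network-policy-experimental-egress-rules.go name, and the same mismatch appears in the other test files touched by this commit (admin-network-policy-experimental-ingress-rules.go, admin-network-policy-standard-egress-inline-cidr-rules.go and admin-network-policy-standard-egress-sctp-rules.go). Renaming the files to match the new identifiers would keep file names, ShortName values and manifest directories consistent and stop greps for the old API from hitting files that no longer reference it. The ShortName strings changed here (for example AdminNetworkPolicyEgressNamedPort to CNPAdminTierEgressNamedPort) are presumably the keys that appear in conformance reports, so a sentence in the commit description noting that report entries are renamed would help anyone comparing reports across releases. CNPAdminTierEgressNamedPort's Test body continues outside the hunk.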
@@ -58,23 +58,23 @@ var AdminNetworkPolicyEgressNamedPort = suite.ConformanceTest{
 Name: "cedric-diggory-1",
 }, serverPod)
 require.NoErrorf(t, err, "unable to fetch the server pod")
- anp := &v1alpha1.AdminNetworkPolicy{}
+ cnp := &v1alpha2.ClusterNetworkPolicy{}
 err = s.Client.Get(ctx, client.ObjectKey{
 Name: "egress-tcp",
- }, anp)
- require.NoErrorf(t, err, "unable to fetch the admin network policy")
- mutate := anp.DeepCopy()
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ mutate := cnp.DeepCopy()
 namedPortRule := mutate.Spec.Egress[5]
 webPort := "web"
 // replace the tcp port 8080 rule as named port rule which translate to tcp port 80 instead
- namedPortRule.Ports = &[]v1alpha1.AdminNetworkPolicyPort{
+ namedPortRule.Ports = &[]v1alpha2.ClusterNetworkPolicyPort{
 {
 NamedPort: &webPort,
 },
 }
 mutate.Spec.Egress[5] = namedPortRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
- require.NoErrorf(t, err, "unable to patch the admin network policy")
+ err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
+ require.NoErrorf(t, err, "unable to patch the cluster network policy")
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress is ALLOWED to hufflepuff from gryffindor at the web port, which is defined as TCP at port 80 in pod spec
 // egressRule at index5 should take effect
@@ -91,18 +91,18 @@ var AdminNetworkPolicyEgressNamedPort = suite.ConformanceTest{
 },
 }
 
-var AdminNetworkPolicyEgressNodePeers = suite.ConformanceTest{
- ShortName: "AdminNetworkPolicyEgressNodePeers",
- Description: "Tests support for egress traffic to node peers using admin network policy API based on a server and client model",
+var CNPAdminTierEgressNodePeers = suite.ConformanceTest{
+ ShortName: "CNPAdminTierEgressNodePeers",
+ Description: "Tests support for egress traffic to node peers using cluster network policy API based on a server and client model",
 Features: []suite.SupportedFeature{
- suite.SupportAdminNetworkPolicy,
- suite.SupportAdminNetworkPolicyEgressNodePeers,
+ suite.SupportClusterNetworkPolicy,
+ suite.SupportClusterNetworkPolicyEgressNodePeers,
 },
- Manifests: []string{"base/admin_network_policy/experimental-egress-selector-rules.yaml"},
+ Manifests: []string{"base/admin_tier/experimental-egress-selector-rules.yaml"},
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `node-and-cidr-as-peers-example` ANP
+ // This test uses `node-and-cidr-as-peers-example` admin CNP
 // centaur-1 is our server host-networked pod in forbidden-forrest namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
diff --git a/conformance/tests/admin-network-policy-experimental-ingress-rules.go b/conformance/tests/admin-network-policy-experimental-ingress-rules.go
index bb48e92a..c55ec7f2 100644
--- a/conformance/tests/admin-network-policy-experimental-ingress-rules.go
+++ b/conformance/tests/admin-network-policy-experimental-ingress-rules.go
@@ -25,25 +25,25 @@ import (
 v1 "k8s.io/api/core/v1"
 "sigs.k8s.io/controller-runtime/pkg/client"
 
- "sigs.k8s.io/network-policy-api/apis/v1alpha1"
+ "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
 "sigs.k8s.io/network-policy-api/conformance/utils/suite"
 )
 
-var AdminNetworkPolicyIngressNamedPort = suite.ConformanceTest{
- ShortName: "AdminNetworkPolicyIngressNamedPort",
- Description: "Tests support for ingress traffic on a named port using admin network policy API based on a server and client model",
+var CNPAdminTierIngressNamedPort = suite.ConformanceTest{
+ ShortName: "CNPAdminTierIngressNamedPort",
+ Description: "Tests support for ingress traffic on a named port using cluster network policy API based on a server and client model",
 Features: []suite.SupportedFeature{
- suite.SupportAdminNetworkPolicy,
- suite.SupportAdminNetworkPolicyNamedPorts,
+ suite.SupportClusterNetworkPolicy,
+ suite.SupportClusterNetworkPolicyNamedPorts,
 },
- Manifests: []string{"base/admin_network_policy/standard-ingress-udp-rules.yaml"},
+ Manifests: []string{"base/admin_tier/standard-ingress-udp-rules.yaml"},
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-ingress' policy for named port", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `ingress-udp` ANP
+ // This test uses `ingress-udp` admin CNP
 // cedric-diggory-1 is our server pod in hufflepuff namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -51,23 +51,23 @@ var AdminNetworkPolicyIngressNamedPort = suite.ConformanceTest{
 Name: "cedric-diggory-1",
 }, serverPod)
 require.NoErrorf(t, err, "unable to fetch the server pod")
- anp := &v1alpha1.AdminNetworkPolicy{}
+ cnp := &v1alpha2.ClusterNetworkPolicy{}
 err = s.Client.Get(ctx, client.ObjectKey{
 Name: "ingress-udp",
- }, anp)
- require.NoErrorf(t, err, "unable to fetch the admin network policy")
- mutate := anp.DeepCopy()
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ mutate := cnp.DeepCopy()
 dnsPortRule := mutate.DeepCopy().Spec.Ingress[5]
 dnsPort := "dns"
 // rewrite the udp port 53 rule as named port rule
- dnsPortRule.Ports = &[]v1alpha1.AdminNetworkPolicyPort{
+ dnsPortRule.Ports = &[]v1alpha2.ClusterNetworkPolicyPort{
 {
 NamedPort: &dnsPort,
 },
 }
 mutate.Spec.Ingress[5] = dnsPortRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
- require.NoErrorf(t, err, "unable to patch the admin network policy")
+ err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
+ require.NoErrorf(t, err, "unable to patch the cluster network policy")
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure ingress is ALLOWED from gryffindor to hufflepuff at the dns port, which is defined as UDP at port 53 in pod spec
 // modified ingressRule at index5 should take effect
diff --git a/conformance/tests/admin-network-policy-standard-egress-inline-cidr-rules.go b/conformance/tests/admin-network-policy-standard-egress-inline-cidr-rules.go
index 6b37161b..f3f4afe2 100644
--- a/conformance/tests/admin-network-policy-standard-egress-inline-cidr-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-inline-cidr-rules.go
@@ -26,28 +26,28 @@ import (
 "k8s.io/utils/net"
 "sigs.k8s.io/controller-runtime/pkg/client"
 
- "sigs.k8s.io/network-policy-api/apis/v1alpha1"
+ "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
 "sigs.k8s.io/network-policy-api/conformance/utils/suite"
 )
 
 func init() {
 ConformanceTests = append(ConformanceTests,
- AdminNetworkPolicyEgressInlineCIDRPeers,
+ CNPAdminTierEgressInlineCIDRPeers,
 )
 }
 
-var AdminNetworkPolicyEgressInlineCIDRPeers = suite.ConformanceTest{
- ShortName: "AdminNetworkPolicyEgressInlineCIDRPeers",
- Description: "Tests support for egress traffic to CIDR peers using admin network policy API based on a server and client model",
+var CNPAdminTierEgressInlineCIDRPeers = suite.ConformanceTest{
+ ShortName: "CNPAdminTierEgressInlineCIDRPeers",
+ Description: "Tests support for egress traffic to CIDR peers using cluster network policy API based on a server and client model",
 Features: []suite.SupportedFeature{
- suite.SupportAdminNetworkPolicy,
+ suite.SupportClusterNetworkPolicy,
 },
- Manifests: []string{"base/admin_network_policy/standard-egress-inline-cidr-rules.yaml"},
+ Manifests: []string{"base/admin_tier/standard-egress-inline-cidr-rules.yaml"},
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `inline-cidr-as-peers-example` ANP
+ // This test uses `inline-cidr-as-peers-example` admin CNP
 t.Run("Should support a 'deny-egress' rule policy for egress-cidr-peer", func(t *testing.T) {
 // harry-potter-1 is our client pod in gryffindor namespace
 // Let us pick a pod in ravenclaw namespace and try to connect, it won't work
@@ -125,12 +125,12 @@ var AdminNetworkPolicyEgressInlineCIDRPeers = suite.ConformanceTest{
 Name: "cedric-diggory-0",
 }, serverPodHufflepuff)
 require.NoErrorf(t, err, "unable to fetch the server pod")
- anp := &v1alpha1.AdminNetworkPolicy{}
+ cnp := &v1alpha2.ClusterNetworkPolicy{}
 err = s.Client.Get(ctx, client.ObjectKey{
 Name: "inline-cidr-as-peers-example",
- }, anp)
- require.NoErrorf(t, err, "unable to fetch the admin network policy")
- mutate := anp.DeepCopy()
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ mutate := cnp.DeepCopy()
 var mask string
 if net.IsIPv4String(serverPodRavenclaw.Status.PodIP) {
 mask = "/32"
@@ -138,23 +138,23 @@ var AdminNetworkPolicyEgressInlineCIDRPeers = suite.ConformanceTest{
 mask = "/128"
 }
 // insert new rule at index0; append the rest of the rules in the inline-cidr-as-peers-example
- newRule := []v1alpha1.AdminNetworkPolicyEgressRule{
+ newRule := []v1alpha2.ClusterNetworkPolicyEgressRule{
 {
 Name: "allow-egress-to-specific-podIPs",
 Action: "Allow",
- To: []v1alpha1.AdminNetworkPolicyEgressPeer{
+ To: []v1alpha2.ClusterNetworkPolicyEgressPeer{
 {
- Networks: []v1alpha1.CIDR{
- v1alpha1.CIDR(serverPodRavenclaw.Status.PodIP + mask),
- v1alpha1.CIDR(serverPodHufflepuff.Status.PodIP + mask),
+ Networks: []v1alpha2.CIDR{
+ v1alpha2.CIDR(serverPodRavenclaw.Status.PodIP + mask),
+ v1alpha2.CIDR(serverPodHufflepuff.Status.PodIP + mask),
 },
 },
 },
 },
 }
 mutate.Spec.Egress = append(newRule, mutate.Spec.Egress...)
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
- require.NoErrorf(t, err, "unable to patch the admin network policy")
+ err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
+ require.NoErrorf(t, err, "unable to patch the cluster network policy")
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress is ALLOWED to luna-lovegood-0.IP and cedric-diggory-0.IP
 // new egressRule at index0 should take effect
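Review bot: The two new `v1alpha2.CIDR(... + mask)` entries in the second hunk apply one mask, derived only from serverPodRavenclaw.Status.PodIP in the first hunk, to both pods' addresses, so if the two pods report addresses of different families (conceivable on a dual-stack cluster, where PodIP carries a single primary address per pod) the Hufflepuff entry becomes a malformed CIDR and the patch is rejected, failing the test for a reason unrelated to policy enforcement. Deriving the host mask per address keeps the rule well-formed whichever family each pod reports; the existing `var mask string` / `if net.IsIPv4String(...)` block would be replaced by a small helper as sketched below. Neither line guards against an empty Status.PodIP, which would produce the CIDR "/32" or "/128" alone; a `require.NotEmpty` on both PodIP values before building the rule would make that failure explicit instead of surfacing as a patch validation error. CNPAdminTierEgressInlineCIDRPeers's Test body starts and ends outside the hunk.
```go
// … unchanged: fetch of serverPodRavenclaw, serverPodHufflepuff and cnp …
// Pick the host mask per address so a mixed IPv4/IPv6 pair of pod IPs
// never gets a mask of the wrong family.
hostMask := func(ip string) string {
	if net.IsIPv4String(ip) {
		return "/32"
	}
	return "/128"
}
// … unchanged: newRule construction down to the Networks field …
Networks: []v1alpha2.CIDR{
	v1alpha2.CIDR(serverPodRavenclaw.Status.PodIP + hostMask(serverPodRavenclaw.Status.PodIP)),
	v1alpha2.CIDR(serverPodHufflepuff.Status.PodIP + hostMask(serverPodHufflepuff.Status.PodIP)),
},
```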
diff --git a/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go b/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go
index d8525d53..9aa6b930 100644
--- a/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go
@@ -25,30 +25,30 @@ import (
 v1 "k8s.io/api/core/v1"
 "sigs.k8s.io/controller-runtime/pkg/client"
 
- "sigs.k8s.io/network-policy-api/apis/v1alpha1"
+ "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
 "sigs.k8s.io/network-policy-api/conformance/utils/suite"
 )
 
 func init() {
 ConformanceTests = append(ConformanceTests,
- AdminNetworkPolicyEgressSCTP,
+ CNPAdminTierEgressSCTP,
 )
 }
 
-var AdminNetworkPolicyEgressSCTP = suite.ConformanceTest{
- ShortName: "AdminNetworkPolicyEgressSCTP",
- Description: "Tests support for egress traffic (SCTP protocol) using admin network policy API based on a server and client model",
+var CNPAdminTierEgressSCTP = suite.ConformanceTest{
+ ShortName: "CNPAdminTierEgressSCTP",
+ Description: "Tests support for egress traffic (SCTP protocol) using cluster network policy API based on a server and client model",
 Features: []suite.SupportedFeature{
- suite.SupportAdminNetworkPolicy,
+ suite.SupportClusterNetworkPolicy,
 },
- Manifests: []string{"base/admin_network_policy/standard-egress-sctp-rules.yaml"},
+ Manifests: []string{"base/admin_tier/standard-egress-sctp-rules.yaml"},
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-sctp` ANP
+ // This test uses `egress-sctp` admin CNP
 // harry-potter-0 is our server pod in gryffindor namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -71,7 +71,7 @@ var AdminNetworkPolicyEgressSCTP = suite.ConformanceTest{
 t.Run("Should support an 'allow-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-sctp` ANP
+ // This test uses `egress-sctp` admin CNP
 // cedric-diggory-1 is our server pod in hufflepuff namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -94,7 +94,7 @@ var AdminNetworkPolicyEgressSCTP = suite.ConformanceTest{
 t.Run("Should support an 'deny-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-sctp` ANP
+ // This test uses `egress-sctp` admin CNP
 // harry-potter-0 is our server pod in gryffindor namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -102,18 +102,18 @@ var AdminNetworkPolicyEgressSCTP = suite.ConformanceTest{
 Name: "harry-potter-1",
 }, serverPod)
 require.NoErrorf(t, err, "unable to fetch the server pod")
- anp := &v1alpha1.AdminNetworkPolicy{}
+ cnp := &v1alpha2.ClusterNetworkPolicy{}
 err = s.Client.Get(ctx, client.ObjectKey{
 Name: "egress-sctp",
- }, anp)
- require.NoErrorf(t, err, "unable to fetch the admin network policy")
- mutate := anp.DeepCopy()
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ mutate := cnp.DeepCopy()
 // swap rules at index0 and index1
 allowRule := mutate.Spec.Egress[0]
 mutate.Spec.Egress[0] = mutate.Spec.Egress[1]
 mutate.Spec.Egress[1] = allowRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
- require.NoErrorf(t, err, "unable to patch the admin network policy")
+ err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
+ require.NoErrorf(t, err, "unable to patch the cluster network policy")
 // luna-lovegood-0 is our client pod in gryffindor namespace
 // ensure egress is DENIED to gryffindor from ravenclaw
 // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered
@@ -129,7 +129,7 @@ var AdminNetworkPolicyEgressSCTP = suite.ConformanceTest{
 t.Run("Should support a 'deny-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-sctp` ANP
+ // This test uses `egress-sctp` admin CNP
 // draco-malfoy-0 is our server pod in slytherin namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -152,7 +152,7 @@ var AdminNetworkPolicyEgressSCTP = suite.ConformanceTest{
 t.Run("Should support an 'pass-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-sctp` ANP
+ // This test uses `egress-sctp` admin CNP
 // harry-potter-0 is our server pod in gryffindor namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -160,18 +160,18 @@ var AdminNetworkPolicyEgressSCTP = suite.ConformanceTest{
 Name: "harry-potter-1",
 }, serverPod)
 require.NoErrorf(t, err, "unable to fetch the server pod")
- anp := &v1alpha1.AdminNetworkPolicy{}
+ cnp := &v1alpha2.ClusterNetworkPolicy{}
 err = s.Client.Get(ctx, client.ObjectKey{
 Name: "egress-sctp",
- }, anp)
- require.NoErrorf(t, err, "unable to fetch the admin network policy")
- mutate := anp.DeepCopy()
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ mutate := cnp.DeepCopy()
 // swap rules at index0 and index2
 denyRule := mutate.Spec.Egress[0]
 mutate.Spec.Egress[0] = mutate.Spec.Egress[2]
 mutate.Spec.Egress[2] = denyRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
- require.NoErrorf(t, err, "unable to patch the admin network policy")
+ err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
+ require.NoErrorf(t, err, "unable to patch the cluster network policy")
 // luna-lovegood-0 is our client pod in ravenclaw namespace
 // ensure egress is PASSED from gryffindor to ravenclaw
 // egressRule at index0 will take precedence over egressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered
@@ -187,7 +187,7 @@ var AdminNetworkPolicyEgressSCTP = suite.ConformanceTest{
 t.Run("Should support a 'pass-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-sctp` ANP
+ // This test uses `egress-sctp` admin CNP
 // draco-malfoy-0 is our server pod in slytherin namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -195,18 +195,18 @@ var AdminNetworkPolicyEgressSCTP = suite.ConformanceTest{
 Name: "draco-malfoy-0",
 }, serverPod)
 require.NoErrorf(t, err, "unable to fetch the server pod")
- anp := &v1alpha1.AdminNetworkPolicy{}
+ cnp := &v1alpha2.ClusterNetworkPolicy{}
 err = s.Client.Get(ctx, client.ObjectKey{
 Name: "egress-sctp",
- }, anp)
- require.NoErrorf(t, err, "unable to fetch the admin network policy")
- mutate := anp.DeepCopy()
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ mutate := cnp.DeepCopy()
 // swap rules at index3 and index4
 denyRule := mutate.Spec.Egress[3]
 mutate.Spec.Egress[3] = mutate.Spec.Egress[4]
 mutate.Spec.Egress[4] = denyRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
- require.NoErrorf(t, err, "unable to patch the admin network policy")
+ err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
+ require.NoErrorf(t, err, "unable to patch the cluster network policy")
 // luna-lovegood-0 is our client pod in ravenclaw namespace
 // ensure egress to slytherin is PASSED from ravenclaw at port 9003; egressRule at index3 should take effect
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
diff --git a/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go b/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go
index 87ea39a6..fadef816 100644
--- a/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go @@ -25,30 +25,30 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - AdminNetworkPolicyEgressTCP, + CNPAdminTierEgressTCP, ) } -var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{ - ShortName: "AdminNetworkPolicyEgressTCP", - Description: "Tests support for egress traffic (TCP protocol) using admin network policy API based on a server and client model", +var CNPAdminTierEgressTCP = suite.ConformanceTest{ + ShortName: "CNPAdminTierEgressTCP", + Description: "Tests support for egress traffic (TCP protocol) using cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportAdminNetworkPolicy, + suite.SupportClusterNetworkPolicy, }, - Manifests: []string{"base/admin_network_policy/standard-egress-tcp-rules.yaml"}, + Manifests: []string{"base/admin_tier/standard-egress-tcp-rules.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `egress-tcp` ANP + // This test uses `egress-tcp` admin CNP // luna-lovegood-0 is our server pod in ravenclaw namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -70,7 +70,7 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 t.Run("Should support an 'allow-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-tcp` ANP
+ // This test uses `egress-tcp` admin CNP
 // cedric-diggory-1 is our server pod in hufflepuff namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -93,7 +93,7 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 t.Run("Should support an 'deny-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-tcp` ANP
+ // This test uses `egress-tcp` admin CNP
 // luna-lovegood-1 is our server pod in ravenclaw namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -101,18 +101,18 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 Name: "luna-lovegood-1",
 }, serverPod)
 require.NoErrorf(t, err, "unable to fetch the server pod")
- anp := &v1alpha1.AdminNetworkPolicy{}
+ cnp := &v1alpha2.ClusterNetworkPolicy{}
 err = s.Client.Get(ctx, client.ObjectKey{
 Name: "egress-tcp",
- }, anp)
- require.NoErrorf(t, err, "unable to fetch the admin network policy")
- mutate := anp.DeepCopy()
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ mutate := cnp.DeepCopy()
 // swap rules at index0 and index1
 allowRule := mutate.Spec.Egress[0]
 mutate.Spec.Egress[0] = mutate.Spec.Egress[1]
 mutate.Spec.Egress[1] = allowRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
- require.NoErrorf(t, err, "unable to patch the admin network policy")
+ err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
+ require.NoErrorf(t, err, "unable to patch the cluster network policy")
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress is DENIED to ravenclaw from gryffindor
 // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered
@@ -128,7 +128,7 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 t.Run("Should support a 'deny-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-tcp` ANP
+ // This test uses `egress-tcp` admin CNP
 // draco-malfoy-0 is our server pod in slytherin namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -151,7 +151,7 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 t.Run("Should support an 'pass-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-tcp` ANP
+ // This test uses `egress-tcp` admin CNP
 // luna-lovegood-0 is our server pod in ravenclaw namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -159,18 +159,18 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 Name: "luna-lovegood-0",
 }, serverPod)
 require.NoErrorf(t, err, "unable to fetch the server pod")
- anp := &v1alpha1.AdminNetworkPolicy{}
+ cnp := &v1alpha2.ClusterNetworkPolicy{}
 err = s.Client.Get(ctx, client.ObjectKey{
 Name: "egress-tcp",
- }, anp)
- require.NoErrorf(t, err, "unable to fetch the admin network policy")
- mutate := anp.DeepCopy()
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ mutate := cnp.DeepCopy()
 // swap rules at index0 and index2
 denyRule := mutate.Spec.Egress[0]
 mutate.Spec.Egress[0] = mutate.Spec.Egress[2]
 mutate.Spec.Egress[2] = denyRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
- require.NoErrorf(t, err, "unable to patch the admin network policy")
+ err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
+ require.NoErrorf(t, err, "unable to patch the cluster network policy")
 // harry-potter-0 is our server pod in gryffindor namespace
 // ensure egress is PASSED from gryffindor to ravenclaw
 // egressRule at index0 will take precedence over egressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered
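Review bot: The 'pass-egress' swap in the second hunk calls `mutate.Spec.Egress[0]` `denyRule`, but index 0 of the fixture is the ALLOW rule (the earlier 'deny-egress' subtest in this file swaps `allowRule := mutate.Spec.Egress[0]` with index 1); index 0 is DENY here only because that earlier subtest patched it there and never restored the order, so the subtests are order-coupled and running this one alone via `-run` patches a different rule than the comment describes. Since `cnp` is freshly fetched at this point, assert the precondition on it before swapping (that `cnp.Spec.Egress[0]` carries the deny action, using whatever action constant v1alpha2 exposes), or find the PASS and DENY rules by action instead of by position. The subtest closure opens before the hunk and the PokeServer assertion follows it.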
@@ -186,7 +186,7 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 t.Run("Should support a 'pass-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-tcp` ANP
+ // This test uses `egress-tcp` admin CNP
 // draco-malfoy-0 is our server pod in slytherin namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -194,18 +194,18 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 Name: "draco-malfoy-0",
 }, serverPod)
 require.NoErrorf(t, err, "unable to fetch the server pod")
- anp := &v1alpha1.AdminNetworkPolicy{}
+ cnp := &v1alpha2.ClusterNetworkPolicy{}
 err = s.Client.Get(ctx, client.ObjectKey{
 Name: "egress-tcp",
- }, anp)
- require.NoErrorf(t, err, "unable to fetch the admin network policy")
- mutate := anp.DeepCopy()
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ mutate := cnp.DeepCopy()
 // swap rules at index3 and index4
 denyRule := mutate.Spec.Egress[3]
 mutate.Spec.Egress[3] = mutate.Spec.Egress[4]
 mutate.Spec.Egress[4] = denyRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
- require.NoErrorf(t, err, "unable to patch the admin network policy")
+ err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
+ require.NoErrorf(t, err, "unable to patch the cluster network policy")
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress from gryffindor is PASSED to slytherin at port 80; egressRule at index3 should take effect
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
diff --git a/conformance/tests/admin-network-policy-standard-egress-udp-rules.go b/conformance/tests/admin-network-policy-standard-egress-udp-rules.go
index a0720155..bec70d38 100644
--- a/conformance/tests/admin-network-policy-standard-egress-udp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-udp-rules.go @@ -25,30 +25,30 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - AdminNetworkPolicyEgressUDP, + CNPAdminTierEgressUDP, ) } -var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{ - ShortName: "AdminNetworkPolicyEgressUDP", - Description: "Tests support for egress traffic (UDP protocol) using admin network policy API based on a server and client model", +var CNPAdminTierEgressUDP = suite.ConformanceTest{ + ShortName: "CNPAdminTierEgressUDP", + Description: "Tests support for egress traffic (UDP protocol) using cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportAdminNetworkPolicy, + suite.SupportClusterNetworkPolicy, }, - Manifests: []string{"base/admin_network_policy/standard-egress-udp-rules.yaml"}, + Manifests: []string{"base/admin_tier/standard-egress-udp-rules.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `egress-udp` ANP + // This test uses `egress-udp` admin CNP // luna-lovegood-0 is our server pod in ravenclaw namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -71,7 +71,7 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 t.Run("Should support an 'allow-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-udp` ANP
+ // This test uses `egress-udp` admin CNP
 // harry-potter-1 is our server pod in gryffindor namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -94,7 +94,7 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 t.Run("Should support an 'deny-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-udp` ANP
+ // This test uses `egress-udp` admin CNP
 // luna-lovegood-1 is our server pod in ravenclaw namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -102,18 +102,18 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 Name: "luna-lovegood-1",
 }, serverPod)
 require.NoErrorf(t, err, "unable to fetch the server pod")
- anp := &v1alpha1.AdminNetworkPolicy{}
+ cnp := &v1alpha2.ClusterNetworkPolicy{}
 err = s.Client.Get(ctx, client.ObjectKey{
 Name: "egress-udp",
- }, anp)
- require.NoErrorf(t, err, "unable to fetch the admin network policy")
- mutate := anp.DeepCopy()
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ mutate := cnp.DeepCopy()
 // swap rules at index0 and index1
 allowRule := mutate.Spec.Egress[0]
 mutate.Spec.Egress[0] = mutate.Spec.Egress[1]
 mutate.Spec.Egress[1] = allowRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
- require.NoErrorf(t, err, "unable to patch the admin network policy")
+ err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
+ require.NoErrorf(t, err, "unable to patch the cluster network policy")
 // cedric-diggory-0 is our client pod in hufflepuff namespace
 // ensure egress is DENIED to ravenclaw to hufflepuff
 // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered
@@ -129,7 +129,7 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 t.Run("Should support a 'deny-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-udp` ANP
+ // This test uses `egress-udp` admin CNP
 // draco-malfoy-0 is our server pod in slytherin namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -152,7 +152,7 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 t.Run("Should support an 'pass-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-udp` ANP
+ // This test uses `egress-udp` admin CNP
 // luna-lovegood-1 is our server pod in ravenclaw namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -160,18 +160,18 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 Name: "luna-lovegood-1",
 }, serverPod)
 require.NoErrorf(t, err, "unable to fetch the server pod")
- anp := &v1alpha1.AdminNetworkPolicy{}
+ cnp := &v1alpha2.ClusterNetworkPolicy{}
 err = s.Client.Get(ctx, client.ObjectKey{
 Name: "egress-udp",
- }, anp)
- require.NoErrorf(t, err, "unable to fetch the admin network policy")
- mutate := anp.DeepCopy()
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ mutate := cnp.DeepCopy()
 // swap rules at index0 and index2
 denyRule := mutate.Spec.Egress[0]
 mutate.Spec.Egress[0] = mutate.Spec.Egress[2]
 mutate.Spec.Egress[2] = denyRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
- require.NoErrorf(t, err, "unable to patch the admin network policy")
+ err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
+ require.NoErrorf(t, err, "unable to patch the cluster network policy")
 // cedric-diggory-0 is our client pod in hufflepuff namespace
 // ensure egress is PASSED to ravenclaw from hufflepuff
 // egressRule at index0 will take precedence over egressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered
@@ -187,7 +187,7 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 t.Run("Should support a 'pass-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `egress-udp` ANP
+ // This test uses `egress-udp` admin CNP
 // draco-malfoy-0 is our server pod in slytherin namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -195,18 +195,18 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 Name: "draco-malfoy-0",
 }, serverPod)
 require.NoErrorf(t, err, "unable to fetch the server pod")
- anp := &v1alpha1.AdminNetworkPolicy{}
+ cnp := &v1alpha2.ClusterNetworkPolicy{}
 err = s.Client.Get(ctx, client.ObjectKey{
 Name: "egress-udp",
- }, anp)
- require.NoErrorf(t, err, "unable to fetch the admin network policy")
- mutate := anp.DeepCopy()
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ mutate := cnp.DeepCopy()
 // swap rules at index3 and index4
 denyRule := mutate.Spec.Egress[3]
 mutate.Spec.Egress[3] = mutate.Spec.Egress[4]
 mutate.Spec.Egress[4] = denyRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
- require.NoErrorf(t, err, "unable to patch the admin network policy")
+ err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
+ require.NoErrorf(t, err, "unable to patch the cluster network policy")
 // cedric-diggory-0 is our client pod in hufflepuff namespace
 // ensure egress to slytherin is PASSED from hufflepuff at port 5353; egressRule at index3 should take effect
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
diff --git a/conformance/tests/admin-network-policy-standard-gress-rules.go b/conformance/tests/admin-network-policy-standard-gress-rules.go
index f2d136b3..6b1d9b8e 100644
--- a/conformance/tests/admin-network-policy-standard-gress-rules.go
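Review bot: Nothing in the new code of the second hunk checks that the `egress-udp` object fetched into `cnp` is really the admin-tier policy that the `admin CNP` comment and the `admin_tier` manifest directory promise; with admin and baseline now folded into one ClusterNetworkPolicy kind, a mis-tiered fixture still passes the Get and silently changes which precedence the PASS-at-index3 assertion is exercising. If v1alpha2 exposes the tier on the spec (the type is not visible here), assert it once after the `unable to fetch the cluster network policy` require, e.g. a `require.Equal` of that field against the admin-tier constant, and the same in the other subtests of this file. The subtest closure opens before the hunk and the PokeServer result is consumed after it.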
+++ b/conformance/tests/admin-network-policy-standard-gress-rules.go @@ -25,30 +25,30 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - AdminNetworkPolicyGress, + CNPAdminTierGress, ) } -var AdminNetworkPolicyGress = suite.ConformanceTest{ - ShortName: "AdminNetworkPolicyGress", - Description: "Tests support for combined ingress and egress traffic rules in the admin network policy API based on a server and client model", +var CNPAdminTierGress = suite.ConformanceTest{ + ShortName: "CNPAdminTierGress", + Description: "Tests support for combined ingress and egress traffic rules in the cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportAdminNetworkPolicy, + suite.SupportClusterNetworkPolicy, }, - Manifests: []string{"base/admin_network_policy/standard-gress-rules-combined.yaml"}, + Manifests: []string{"base/admin_tier/standard-gress-rules-combined.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-gress' policy across different protocols", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `gress-rules` ANP + // This test uses `gress-rules` admin CNP /* First; let's test egress works! */ // luna-lovegood-0 is our server pod in ravenclaw namespace 
@@ -95,7 +95,7 @@ var AdminNetworkPolicyGress = suite.ConformanceTest{ t.Run("Should support an 'allow-gress' policy across different protocols at the specified ports", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `gress-rules` ANP + // This test uses `gress-rules` admin CNP /* First; let's test egress works! */ // cedric-diggory-1 is our server pod in hufflepuff namespace @@ -178,7 +178,7 @@ var AdminNetworkPolicyGress = suite.ConformanceTest{ t.Run("Should support an 'deny-gress' policy across different protocols", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `gress-rules` ANP + // This test uses `gress-rules` admin CNP /* First; let's test egress works! */ // luna-lovegood-1 is our server pod in ravenclaw namespace @@ -188,12 +188,12 @@ var AdminNetworkPolicyGress = suite.ConformanceTest{ Name: "luna-lovegood-1", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - anp := &v1alpha1.AdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "gress-rules", - }, anp) - require.NoErrorf(t, err, "unable to fetch the admin network policy") - mutate := anp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index0 and index1 for both ingress and egress allowOutRule := mutate.Spec.Egress[0] mutate.Spec.Egress[0] = mutate.Spec.Egress[1] 
@@ -201,8 +201,8 @@ var AdminNetworkPolicyGress = suite.ConformanceTest{ allowInRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1] mutate.Spec.Ingress[1] = allowInRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp)) - require.NoErrorf(t, err, "unable to patch the admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the cluster network policy") // harry-potter-x is our client pod in gryffindor namespace // ensure egress is DENIED to ravenclaw from gryffindor // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered @@ -240,7 +240,7 @@ var AdminNetworkPolicyGress = suite.ConformanceTest{ t.Run("Should support a 'deny-gress' policy across different protocols at the specified ports", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `gress-rules` ANP + // This test uses `gress-rules` admin CNP /* First; let's test egress works! */ // draco-malfoy-0 is our server pod in slytherin namespace @@ -323,7 +323,7 @@ var AdminNetworkPolicyGress = suite.ConformanceTest{ t.Run("Should support an 'pass-gress' policy across different protocols", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `gress-rules` ANP + // This test uses `gress-rules` admin CNP /* First; let's test egress works! */ // luna-lovegood-0 is our server pod in ravenclaw namespace 
@@ -333,12 +333,12 @@ var AdminNetworkPolicyGress = suite.ConformanceTest{ Name: "luna-lovegood-0", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - anp := &v1alpha1.AdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "gress-rules", - }, anp) - require.NoErrorf(t, err, "unable to fetch the admin network policy") - mutate := anp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index0 and index2 for both ingress and egress denyOutRule := mutate.Spec.Egress[0] mutate.Spec.Egress[0] = mutate.Spec.Egress[2] @@ -346,8 +346,8 @@ var AdminNetworkPolicyGress = suite.ConformanceTest{ denyInRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[2] mutate.Spec.Ingress[2] = denyInRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp)) - require.NoErrorf(t, err, "unable to patch the admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the cluster network policy") // harry-potter-0 is our server pod in gryffindor namespace // ensure egress is PASSED from gryffindor to ravenclaw // egressRule at index0 will take precedence over egressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered @@ -393,7 +393,7 @@ var AdminNetworkPolicyGress = suite.ConformanceTest{ t.Run("Should support a 'pass-gress' policy across different protocols at the specified ports", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `gress-rules` ANP + // This test uses `gress-rules` admin CNP /* First; let's test egress works! */ // draco-malfoy-0 is our server pod in slytherin namespace 
@@ -403,12 +403,12 @@ var AdminNetworkPolicyGress = suite.ConformanceTest{
 Name: "draco-malfoy-0",
 }, serverPod)
 require.NoErrorf(t, err, "unable to fetch the server pod")
- anp := &v1alpha1.AdminNetworkPolicy{}
+ cnp := &v1alpha2.ClusterNetworkPolicy{}
 err = s.Client.Get(ctx, client.ObjectKey{
 Name: "gress-rules",
- }, anp)
- require.NoErrorf(t, err, "unable to fetch the admin network policy")
- mutate := anp.DeepCopy()
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ mutate := cnp.DeepCopy()
 // swap rules at index3 and index4
 denyToRule := mutate.Spec.Egress[3]
 mutate.Spec.Egress[3] = mutate.Spec.Egress[4]
@@ -416,8 +416,8 @@ var AdminNetworkPolicyGress = suite.ConformanceTest{
 denyInRule := mutate.Spec.Ingress[3]
 mutate.Spec.Ingress[3] = mutate.Spec.Ingress[4]
 mutate.Spec.Ingress[4] = denyInRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
- require.NoErrorf(t, err, "unable to patch the admin network policy")
+ err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
+ require.NoErrorf(t, err, "unable to patch the cluster network policy")
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress from gryffindor is PASSED to slytherin at port 80; egressRule at index3 should take effect
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
diff --git a/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go b/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go
index c1ab93b7..3d080001 100644
--- a/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go
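Review bot: The Get → DeepCopy → swap → `Patch(..., client.MergeFrom(cnp))` → require sequence that these two hunks rename is copied verbatim into every subtest of every admin-tier file in this commit, which is why the v1alpha1→v1alpha2 rename had to touch so many identical sites; a small package-level helper that fetches the policy, applies a caller-supplied mutation and patches it back would leave one place to maintain and one place to add the rule-count guard that the bare `Egress[4]`/`Ingress[4]` accesses here currently lack. The subtest body would then reduce to `patchClusterNetworkPolicy(ctx, t, s, "gress-rules", func(p *v1alpha2.ClusterNetworkPolicy) { /* swaps */ })`. The subtest closure and the PokeServer assertion lie outside the hunk.
```go
// patchClusterNetworkPolicy fetches the cluster-scoped policy `name`, lets
// mutateFn edit a deep copy, and merge-patches the edited copy back.
func patchClusterNetworkPolicy(ctx context.Context, t *testing.T, s *suite.ConformanceTestSuite, name string, mutateFn func(*v1alpha2.ClusterNetworkPolicy)) {
	t.Helper()
	cnp := &v1alpha2.ClusterNetworkPolicy{}
	err := s.Client.Get(ctx, client.ObjectKey{Name: name}, cnp)
	require.NoErrorf(t, err, "unable to fetch the cluster network policy")
	mutate := cnp.DeepCopy()
	mutateFn(mutate)
	err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
	require.NoErrorf(t, err, "unable to patch the cluster network policy")
}
```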
@@ -25,30 +25,30 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - AdminNetworkPolicyIngressSCTP, + CNPAdminTierIngressSCTP, ) } -var AdminNetworkPolicyIngressSCTP = suite.ConformanceTest{ - ShortName: "AdminNetworkPolicyIngressSCTP", - Description: "Tests support for ingress traffic (SCTP protocol) using admin network policy API based on a server and client model", +var CNPAdminTierIngressSCTP = suite.ConformanceTest{ + ShortName: "CNPAdminTierIngressSCTP", + Description: "Tests support for ingress traffic (SCTP protocol) using cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportAdminNetworkPolicy, + suite.SupportClusterNetworkPolicy, }, - Manifests: []string{"base/admin_network_policy/standard-ingress-sctp-rules.yaml"}, + Manifests: []string{"base/admin_tier/standard-ingress-sctp-rules.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `ingress-sctp` ANP + // This test uses `ingress-sctp` admin CNP // luna-lovegood-0 is our server pod in ravenclaw namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -70,7 +70,7 @@ var AdminNetworkPolicyIngressSCTP = suite.ConformanceTest{
 t.Run("Should support an 'allow-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `ingress-sctp` ANP
+ // This test uses `ingress-sctp` admin CNP
 // luna-lovegood-1 is our server pod in ravenclaw namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -93,7 +93,7 @@ var AdminNetworkPolicyIngressSCTP = suite.ConformanceTest{
 t.Run("Should support an 'deny-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `ingress-sctp` ANP
+ // This test uses `ingress-sctp` admin CNP
 // luna-lovegood-1 is our server pod in ravenclaw namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -101,18 +101,18 @@ var AdminNetworkPolicyIngressSCTP = suite.ConformanceTest{
 Name: "luna-lovegood-1",
 }, serverPod)
 require.NoErrorf(t, err, "unable to fetch the server pod")
- anp := &v1alpha1.AdminNetworkPolicy{}
+ cnp := &v1alpha2.ClusterNetworkPolicy{}
 err = s.Client.Get(ctx, client.ObjectKey{
 Name: "ingress-sctp",
- }, anp)
- require.NoErrorf(t, err, "unable to fetch the admin network policy")
- mutate := anp.DeepCopy()
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ mutate := cnp.DeepCopy()
 // swap rules at index0 and index1
 allowRule := mutate.Spec.Ingress[0]
 mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1]
 mutate.Spec.Ingress[1] = allowRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
- require.NoErrorf(t, err, "unable to patch the admin network policy")
+ err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
+ require.NoErrorf(t, err, "unable to patch the cluster network policy")
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure ingress is DENIED from gryffindor to ravenclaw
 // ingressRule at index0 will take precedence over ingressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered
@@ -128,7 +128,7 @@ var AdminNetworkPolicyIngressSCTP = suite.ConformanceTest{
 t.Run("Should support a 'deny-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `ingress-sctp` ANP
+ // This test uses `ingress-sctp` admin CNP
 // luna-lovegood-0 is our server pod in ravenclaw namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -151,7 +151,7 @@ var AdminNetworkPolicyIngressSCTP = suite.ConformanceTest{
 t.Run("Should support an 'pass-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
 defer cancel()
- // This test uses `ingress-sctp` ANP
+ // This test uses `ingress-sctp` admin CNP
 // luna-lovegood-1 is our server pod in ravenclaw namespace
 serverPod := &v1.Pod{}
 err := s.Client.Get(ctx, client.ObjectKey{
@@ -159,18 +159,18 @@ var AdminNetworkPolicyIngressSCTP = suite.ConformanceTest{
 Name: "luna-lovegood-1",
 }, serverPod)
 require.NoErrorf(t, err, "unable to fetch the server pod")
- anp := &v1alpha1.AdminNetworkPolicy{}
+ cnp := &v1alpha2.ClusterNetworkPolicy{}
 err = s.Client.Get(ctx, client.ObjectKey{
 Name: "ingress-sctp",
- }, anp)
- require.NoErrorf(t, err, "unable to fetch the admin network policy")
- mutate := anp.DeepCopy()
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ mutate := cnp.DeepCopy()
 // swap rules at index0 and index2
 denyRule := mutate.Spec.Ingress[0]
 mutate.Spec.Ingress[0] = mutate.Spec.Ingress[2]
 mutate.Spec.Ingress[2] = denyRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
- require.NoErrorf(t, err, "unable to patch the admin network policy")
+ err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
+ require.NoErrorf(t, err, "unable to patch the cluster network policy")
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure ingress is PASSED from gryffindor to ravenclaw
 // ingressRule at index0 will take precedence over ingressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered
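Review bot: The 'pass-ingress' subtest in the second hunk moves the PASS rule to index 0 and then expects the gryffindor→ravenclaw SCTP flow to succeed, but as I understand the Pass action it only hands the verdict to lower-precedence policy, so that success assertion silently depends on no baseline-tier or namespaced NetworkPolicy in the fixtures denying the same flow; the hunk does not state that assumption anywhere. Record it next to the ensure comment: `// PASS delegates to lower tiers; this expects no baseline/NetworkPolicy rule in the fixtures to deny gryffindor->ravenclaw SCTP`, so a later fixture change does not make the 'pass' check fail for an unrelated reason. The subtest closure and its PokeServer call are outside the hunk.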
@@ -186,7 +186,7 @@ var AdminNetworkPolicyIngressSCTP = suite.ConformanceTest{ t.Run("Should support a 'pass-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `ingress-sctp` ANP + // This test uses `ingress-sctp` admin CNP // luna-lovegood-0 is our server pod in ravenclaw namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ @@ -194,18 +194,18 @@ var AdminNetworkPolicyIngressSCTP = suite.ConformanceTest{ Name: "luna-lovegood-0", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - anp := &v1alpha1.AdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "ingress-sctp", - }, anp) - require.NoErrorf(t, err, "unable to fetch the admin network policy") - mutate := anp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index3 and index4 denyRule := mutate.Spec.Ingress[3] mutate.Spec.Ingress[3] = mutate.Spec.Ingress[4] mutate.Spec.Ingress[4] = denyRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp)) - require.NoErrorf(t, err, "unable to patch the admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the cluster network policy") // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is PASSED to ravenclaw at port 9003; ingressRule at index3 should take effect success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp", diff --git a/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go b/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go index 4f215d7e..3e4962fe 100644 
--- a/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go +++ b/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go @@ -25,30 +25,30 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - AdminNetworkPolicyIngressTCP, + CNPAdminTierIngressTCP, ) } -var AdminNetworkPolicyIngressTCP = suite.ConformanceTest{ - ShortName: "AdminNetworkPolicyIngressTCP", - Description: "Tests support for ingress traffic (TCP protocol) using admin network policy API based on a server and client model", +var CNPAdminTierIngressTCP = suite.ConformanceTest{ + ShortName: "CNPAdminTierIngressTCP", + Description: "Tests support for ingress traffic (TCP protocol) using cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportAdminNetworkPolicy, + suite.SupportClusterNetworkPolicy, }, - Manifests: []string{"base/admin_network_policy/standard-ingress-tcp-rules.yaml"}, + Manifests: []string{"base/admin_tier/standard-ingress-tcp-rules.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `ingress-tcp` ANP + // This test uses `ingress-tcp` admin CNP // harry-potter-0 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -70,7 +70,7 @@ var AdminNetworkPolicyIngressTCP = suite.ConformanceTest{ t.Run("Should support an 'allow-ingress' policy for TCP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `ingress-tcp` ANP + // This test uses `ingress-tcp` admin CNP // harry-potter-1 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ @@ -93,7 +93,7 @@ var AdminNetworkPolicyIngressTCP = suite.ConformanceTest{ t.Run("Should support an 'deny-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `ingress-tcp` ANP + // This test uses `ingress-tcp` admin CNP // harry-potter-1 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -101,18 +101,18 @@ var AdminNetworkPolicyIngressTCP = suite.ConformanceTest{ Name: "harry-potter-1", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - anp := &v1alpha1.AdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "ingress-tcp", - }, anp) - require.NoErrorf(t, err, "unable to fetch the admin network policy") - mutate := anp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1] mutate.Spec.Ingress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp)) - require.NoErrorf(t, err, "unable to patch the admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the cluster network policy") // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is DENIED from ravenclaw to gryffindor // ingressRule at index0 will take precedence over ingressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered @@ -128,7 +128,7 @@ var AdminNetworkPolicyIngressTCP = suite.ConformanceTest{ t.Run("Should support a 'deny-ingress' policy for TCP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `ingress-tcp` ANP + // This test uses `ingress-tcp` admin CNP // harry-potter-0 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -151,7 +151,7 @@ var AdminNetworkPolicyIngressTCP = suite.ConformanceTest{ t.Run("Should support an 'pass-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `ingress-tcp` ANP + // This test uses `ingress-tcp` admin CNP // harry-potter-0 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ @@ -159,18 +159,18 @@ var AdminNetworkPolicyIngressTCP = suite.ConformanceTest{ Name: "harry-potter-0", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - anp := &v1alpha1.AdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "ingress-tcp", - }, anp) - require.NoErrorf(t, err, "unable to fetch the admin network policy") - mutate := anp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index0 and index2 denyRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[2] mutate.Spec.Ingress[2] = denyRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp)) - require.NoErrorf(t, err, "unable to patch the admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the cluster network policy") // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is PASSED from ravenclaw to gryffindor // ingressRule at index0 will take precedence over ingressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered 
@@ -186,7 +186,7 @@ var AdminNetworkPolicyIngressTCP = suite.ConformanceTest{ t.Run("Should support a 'pass-ingress' policy for TCP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `ingress-tcp` ANP + // This test uses `ingress-tcp` admin CNP // harry-potter-0 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ @@ -194,18 +194,18 @@ var AdminNetworkPolicyIngressTCP = suite.ConformanceTest{ Name: "harry-potter-0", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - anp := &v1alpha1.AdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "ingress-tcp", - }, anp) - require.NoErrorf(t, err, "unable to fetch the admin network policy") - mutate := anp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index3 and index4 denyRule := mutate.Spec.Ingress[3] mutate.Spec.Ingress[3] = mutate.Spec.Ingress[4] mutate.Spec.Ingress[4] = denyRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp)) - require.NoErrorf(t, err, "unable to patch the admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the cluster network policy") // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is PASSED to gryffindor at port 9003; ingressRule at index3 should take effect success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", diff --git a/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go b/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go index 6004cc5f..763e5253 100644 
--- a/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go +++ b/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go @@ -25,31 +25,31 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - AdminNetworkPolicyIngressUDP, - AdminNetworkPolicyIngressNamedPort, + CNPAdminTierIngressUDP, + CNPAdminTierIngressNamedPort, ) } -var AdminNetworkPolicyIngressUDP = suite.ConformanceTest{ - ShortName: "AdminNetworkPolicyIngressUDP", - Description: "Tests support for ingress traffic (UDP protocol) using admin network policy API based on a server and client model", +var CNPAdminTierIngressUDP = suite.ConformanceTest{ + ShortName: "CNPAdminTierIngressUDP", + Description: "Tests support for ingress traffic (UDP protocol) using cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportAdminNetworkPolicy, + suite.SupportClusterNetworkPolicy, }, - Manifests: []string{"base/admin_network_policy/standard-ingress-udp-rules.yaml"}, + Manifests: []string{"base/admin_tier/standard-ingress-udp-rules.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `ingress-udp` ANP + // This test uses `ingress-udp` admin CNP // cedric-diggory-0 is our server pod in hufflepuff namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -71,7 +71,7 @@ var AdminNetworkPolicyIngressUDP = suite.ConformanceTest{ t.Run("Should support an 'allow-ingress' policy for UDP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `ingress-udp` ANP + // This test uses `ingress-udp` admin CNP // cedric-diggory-1 is our server pod in hufflepuff namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ @@ -94,7 +94,7 @@ var AdminNetworkPolicyIngressUDP = suite.ConformanceTest{ t.Run("Should support an 'deny-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `ingress-udp` ANP + // This test uses `ingress-udp` admin CNP // cedric-diggory-1 is our server pod in hufflepuff namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -102,18 +102,18 @@ var AdminNetworkPolicyIngressUDP = suite.ConformanceTest{ Name: "cedric-diggory-1", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - anp := &v1alpha1.AdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "ingress-udp", - }, anp) - require.NoErrorf(t, err, "unable to fetch the admin network policy") - mutate := anp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1] mutate.Spec.Ingress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp)) - require.NoErrorf(t, err, "unable to patch the admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the cluster network policy") // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is DENIED from ravenclaw to hufflepuff // ingressRule at index0 will take precedence over ingressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered @@ -129,7 +129,7 @@ var AdminNetworkPolicyIngressUDP = suite.ConformanceTest{ t.Run("Should support a 'deny-ingress' policy for UDP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `ingress-udp` ANP + // This test uses `ingress-udp` admin CNP // cedric-diggory-0 is our server pod in hufflepuff namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -152,7 +152,7 @@ var AdminNetworkPolicyIngressUDP = suite.ConformanceTest{ t.Run("Should support an 'pass-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `ingress-udp` ANP + // This test uses `ingress-udp` admin CNP // cedric-diggory-1 is our server pod in hufflepuff namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ @@ -160,18 +160,18 @@ var AdminNetworkPolicyIngressUDP = suite.ConformanceTest{ Name: "cedric-diggory-1", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - anp := &v1alpha1.AdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "ingress-udp", - }, anp) - require.NoErrorf(t, err, "unable to fetch the admin network policy") - mutate := anp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index0 and index2 denyRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[2] mutate.Spec.Ingress[2] = denyRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp)) - require.NoErrorf(t, err, "unable to patch the admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the cluster network policy") // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is PASSED from ravenclaw to hufflepuff // ingressRule at index0 will take precedence over ingressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered 
@@ -187,7 +187,7 @@ var AdminNetworkPolicyIngressUDP = suite.ConformanceTest{ t.Run("Should support a 'pass-ingress' policy for UDP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `ingress-udp` ANP + // This test uses `ingress-udp` admin CNP // cedric-diggory-0 is our server pod in hufflepuff namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ @@ -195,18 +195,18 @@ var AdminNetworkPolicyIngressUDP = suite.ConformanceTest{ Name: "cedric-diggory-0", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - anp := &v1alpha1.AdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "ingress-udp", - }, anp) - require.NoErrorf(t, err, "unable to fetch the admin network policy") - mutate := anp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index3 and index4 denyRule := mutate.Spec.Ingress[3] mutate.Spec.Ingress[3] = mutate.Spec.Ingress[4] mutate.Spec.Ingress[4] = denyRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp)) - require.NoErrorf(t, err, "unable to patch the admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the cluster network policy") // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is PASSED to hufflepuff at port 5353; ingressRule at index3 should take effect success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp", diff --git a/conformance/tests/admin-network-policy-standard-integration.go b/conformance/tests/admin-network-policy-standard-integration.go index 8255916c..9ca70d19 100644 --- a/conformance/tests/admin-network-policy-standard-integration.go 
+++ b/conformance/tests/admin-network-policy-standard-integration.go @@ -26,31 +26,30 @@ import ( networkingv1 "k8s.io/api/networking/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - AdminNetworkPolicyIntegration, + CNPAdminTierIntegration, ) } -var AdminNetworkPolicyIntegration = suite.ConformanceTest{ - ShortName: "AdminNetworkPolicyIntegration", - Description: "Tests integration support for gress traffic between ANP, NP and BANP using PASS action based on a server and client model", +var CNPAdminTierIntegration = suite.ConformanceTest{ + ShortName: "CNPAdminTierIntegration", + Description: "Tests integration support for gress traffic between admin CNP, NP and baseline CNP using PASS action based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportAdminNetworkPolicy, - suite.SupportBaselineAdminNetworkPolicy, + suite.SupportClusterNetworkPolicy, }, Manifests: []string{"base/api_integration/standard-anp-np-banp.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { - t.Run("Should Deny traffic from slytherin to gryffindor respecting ANP", func(t *testing.T) { + t.Run("Should Deny traffic from slytherin to gryffindor respecting admin CNP", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `pass-example` ANP from api_integration/standard-anp-np-banp.yaml + // This test uses `pass-example` admin CNP from api_integration/standard-anp-np-banp.yaml // harry-potter-0 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
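Review bot: The `Features` list now declares only `suite.SupportClusterNetworkPolicy` although the subtests below rely on a baseline-tier policy deciding traffic after the PASS action, so an implementation that supports the admin tier but not the baseline tier would presumably run this test and fail it for the wrong reason; if the suite no longer has a separate baseline feature, a comment stating that both tiers are exercised keeps a future split from silently re-scoping the test, e.g. `suite.SupportClusterNetworkPolicy, // both admin-tier and baseline-tier CNPs are exercised here`. The manifest path `base/api_integration/standard-anp-np-banp.yaml` keeps the old ANP/BANP naming while the sibling manifests moved to `admin_tier`/`baseline_tier`; if that file was renamed elsewhere in this change the path breaks at runtime, and if it was not, the name is now misleading next to the new description. The `Description` still reads "gress traffic"; "ingress and egress traffic" is clearer. The `suite.ConformanceTest` literal continues beyond the hunk.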
@@ -70,10 +69,10 @@ var AdminNetworkPolicyIntegration = suite.ConformanceTest{ assert.True(t, success) }) - t.Run("Should Deny traffic to slytherin from gryffindor respecting ANP", func(t *testing.T) { + t.Run("Should Deny traffic to slytherin from gryffindor respecting admin CNP", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `pass-example` ANP from api_integration/standard-anp-np-banp.yaml + // This test uses `pass-example` admin CNP from api_integration/standard-anp-np-banp.yaml // draco-malfoy-0 is our server pod in slytherin namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -93,21 +92,21 @@ var AdminNetworkPolicyIntegration = suite.ConformanceTest{ assert.True(t, success) }) - t.Run("Should support a 'pass-ingress' policy for ANP and respect the match for network policy", func(t *testing.T) { + t.Run("Should support a 'pass-ingress' policy for admin CNP and respect the match for network policy", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `pass example` ANP from api_integration/standard-anp-np-banp.yaml + // This test uses `pass example` admin CNP from api_integration/standard-anp-np-banp.yaml // and alters the ingress rule action to "pass" - anp := &v1alpha1.AdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err := s.Client.Get(ctx, client.ObjectKey{ Name: "pass-example", - }, anp) - require.NoErrorf(t, err, "unable to fetch the admin network policy") - mutate := anp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the cluster network policy") + mutate := cnp.DeepCopy() // change ingress rule from "deny" to "pass" - mutate.Spec.Ingress[0].Action = v1alpha1.AdminNetworkPolicyRuleActionPass - err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp)) - require.NoErrorf(t, err, "unable to patch the admin network policy") + mutate.Spec.Ingress[0].Action = v1alpha2.ClusterNetworkPolicyRuleActionPass + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the cluster network policy") // harry-potter-0 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err = s.Client.Get(ctx, client.ObjectKey{ 
@@ -127,21 +126,21 @@ var AdminNetworkPolicyIntegration = suite.ConformanceTest{ assert.True(t, success) }) - t.Run("Should support a 'pass-egress' policy for ANP and respect the match for network policy", func(t *testing.T) { + t.Run("Should support a 'pass-egress' policy for admin CNP and respect the match for network policy", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `pass example` ANP from api_integration/standard-anp-np-banp.yaml + // This test uses `pass example` admin CNP from api_integration/standard-anp-np-banp.yaml // and alters the egress rule action to "pass" - anp := &v1alpha1.AdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err := s.Client.Get(ctx, client.ObjectKey{ Name: "pass-example", - }, anp) - require.NoErrorf(t, err, "unable to fetch the admin network policy") - mutate := anp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the cluster network policy") + mutate := cnp.DeepCopy() // change egress rule from "deny" to "pass" - mutate.Spec.Egress[0].Action = v1alpha1.AdminNetworkPolicyRuleActionPass - err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp)) - require.NoErrorf(t, err, "unable to patch the admin network policy") + mutate.Spec.Egress[0].Action = v1alpha2.ClusterNetworkPolicyRuleActionPass + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the cluster network policy") // draco-malfoy-0 is our server pod in slytherin namespace serverPod := &v1.Pod{} err = s.Client.Get(ctx, client.ObjectKey{ 
@@ -161,17 +160,17 @@ var AdminNetworkPolicyIntegration = suite.ConformanceTest{ assert.True(t, success) }) - t.Run("Should support a 'pass-ingress' policy for ANP and respect the match for baseline admin network policy", func(t *testing.T) { + t.Run("Should support a 'pass-ingress' policy for admin CNP and respect the match for baseline cluster network policy", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP from api_integration/standard-anp-np-banp.yaml + // This test uses `default` baseline CNP from api_integration/standard-anp-np-banp.yaml np := &networkingv1.NetworkPolicy{} err := s.Client.Get(ctx, client.ObjectKey{ Namespace: "network-policy-conformance-gryffindor", Name: "allow-gress-from-to-slytherin-to-gryffindor", }, np) require.NoErrorf(t, err, "unable to fetch the network policy") - // delete network policy so that BANP takes effect + // delete network policy so that baseline CNP takes effect err = s.Client.Delete(ctx, np) require.NoErrorf(t, err, "unable to delete the network policy") // harry-potter-0 is our server pod in gryffindor namespace @@ -182,7 +181,7 @@ var AdminNetworkPolicyIntegration = suite.ConformanceTest{ }, clientPod) require.NoErrorf(t, err, "unable to fetch the server pod") // draco-malfoy-0 is our client pod in slytherin namespace - // ensure ingress is PASSED to gryffindor from slytherin - the baseline admin network policy DENY should take effect + // ensure ingress is PASSED to gryffindor from slytherin - the baseline cluster network policy DENY should take effect // inressRule at index0 will take effect success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", clientPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) 
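Review bot: The new comment `// delete network policy so that baseline CNP takes effect` describes the mechanism but not that the deletion is never reverted, so the pass-egress subtest that follows appears to depend on this subtest having run first and on the policy staying absent. Expand it to `// delete network policy so that baseline CNP takes effect; it is not restored, and the following pass-egress subtest relies on it staying absent`, or re-create the policy in a `t.Cleanup` so the subtests become order-independent. The `require.NoErrorf` after the `clientPod` fetch still says "unable to fetch the server pod", which will mislead whoever reads a failure. The `t.Run` closure starts and ends outside the hunk.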
@@ -193,10 +192,10 @@ var AdminNetworkPolicyIntegration = suite.ConformanceTest{ assert.True(t, success) }) - t.Run("Should support a 'pass-egress' policy for ANP and respect the match for baseline admin network policy", func(t *testing.T) { + t.Run("Should support a 'pass-egress' policy for admin CNP and respect the match for baseline cluster network policy", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP from api_integration/standard-anp-np-banp.yaml + // This test uses `default` baseline CNP from api_integration/standard-anp-np-banp.yaml // draco-malfoy-0 is our server pod in slytherin namespace clientPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ @@ -205,7 +204,7 @@ var AdminNetworkPolicyIntegration = suite.ConformanceTest{ }, clientPod) require.NoErrorf(t, err, "unable to fetch the server pod") // harry-potter-0 is our client pod in gryffindor namespace - // ensure ingress is PASSED to gryffindor from slytherin - the underlying baseline admin network policy DENY should take effect + // ensure ingress is PASSED to gryffindor from slytherin - the underlying baseline cluster network policy DENY should take effect // egressRule at index0 will take effect success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", clientPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) diff --git a/conformance/tests/admin-network-policy-standard-priority.go b/conformance/tests/admin-network-policy-standard-priority.go index 8e863a1f..bf3c4f71 100644 --- a/conformance/tests/admin-network-policy-standard-priority.go +++ b/conformance/tests/admin-network-policy-standard-priority.go 
@@ -25,31 +25,30 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - AdminNetworkPolicyPriorityField, + CNPAdminTierPriorityField, ) } -var AdminNetworkPolicyPriorityField = suite.ConformanceTest{ - ShortName: "AdminNetworkPolicyPriorityField", - Description: "Tests support for admin network policy API's .spec.priority field based on a server and client model", +var CNPAdminTierPriorityField = suite.ConformanceTest{ + ShortName: "CNPAdminTierPriorityField", + Description: "Tests support for cluster network policy API's .spec.priority field based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportAdminNetworkPolicy, - suite.SupportBaselineAdminNetworkPolicy, // priority change of ANP should play well with existing BANP's + suite.SupportClusterNetworkPolicy, }, - Manifests: []string{"base/admin_network_policy/standard-priority-field.yaml"}, + Manifests: []string{"base/admin_tier/standard-priority-field.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { - t.Run("Should Deny traffic from slytherin to gryffindor respecting ANP", func(t *testing.T) { + t.Run("Should Deny traffic from slytherin to gryffindor respecting admin CNP", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `priority-50-example` ANP; takes precedence over old-priority-60-new-priority-40-example ANP + // This test uses `priority-50-example` admin CNP; takes precedence over old-priority-60-new-priority-40-example admin CNP // harry-potter-0 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
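Review bot: The explanatory comment that accompanied the removed `suite.SupportBaselineAdminNetworkPolicy` entry ("priority change of ANP should play well with existing BANP's") is dropped with it, yet the subtests still assert that traffic PASSed by the admin-tier policy is decided by a baseline-tier ALLOW, so the manifest's dependency on a baseline-tier policy is now undocumented. Keep the intent on the surviving entry: `suite.SupportClusterNetworkPolicy, // the priority change of the admin-tier CNP must play well with the baseline-tier CNP in the manifest`. The `suite.ConformanceTest` literal continues beyond the hunk.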
@@ -69,10 +68,10 @@ var AdminNetworkPolicyPriorityField = suite.ConformanceTest{ assert.True(t, success) }) - t.Run("Should Deny traffic to slytherin from gryffindor respecting ANP", func(t *testing.T) { + t.Run("Should Deny traffic to slytherin from gryffindor respecting admin CNP", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `priority-50-example` ANP; takes precedence over old-priority-60-new-priority-40-example ANP + // This test uses `priority-50-example` admin CNP; takes precedence over old-priority-60-new-priority-40-example admin CNP // draco-malfoy-0 is our server pod in slytherin namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -92,20 +91,20 @@ var AdminNetworkPolicyPriorityField = suite.ConformanceTest{ assert.True(t, success) }) - t.Run("Should respect ANP priority field; thus passing both ingress and egress traffic over to BANP", func(t *testing.T) { + t.Run("Should respect admin CNP priority field; thus passing both ingress and egress traffic over to baseline CNP", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `old-priority-60-new-priority-40-example` ANP - anp := &v1alpha1.AdminNetworkPolicy{} + // This test uses `old-priority-60-new-priority-40-example` admin CNP + cnp := &v1alpha2.ClusterNetworkPolicy{} err := s.Client.Get(ctx, client.ObjectKey{ Name: "old-priority-60-new-priority-40-example", - }, anp) - require.NoErrorf(t, err, "unable to fetch the admin network policy") - mutate := anp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the cluster network policy") + mutate := cnp.DeepCopy() // change priority from 60 to 40 mutate.Spec.Priority = 40 - err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp)) - require.NoErrorf(t, err, "unable to patch the admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the cluster network policy") // harry-potter-0 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err = s.Client.Get(ctx, client.ObjectKey{ 
@@ -114,7 +113,7 @@ var AdminNetworkPolicyPriorityField = suite.ConformanceTest{ }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") // draco-malfoy-0 is our client pod in slytherin namespace - // ensure ingress is PASSED to gryffindor from slytherin - the baseline admin network policy ALLOW should take effect + // ensure ingress is PASSED to gryffindor from slytherin - the baseline cluster network policy ALLOW should take effect // inressRule at index0 should take effect success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) @@ -131,7 +130,7 @@ var AdminNetworkPolicyPriorityField = suite.ConformanceTest{ }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") // harry-potter-0 is our client pod in gryffindor namespace - // ensure ingress is PASSED to gryffindor from slytherin - the baseline admin network policy ALLOW should take effect + // ensure ingress is PASSED to gryffindor from slytherin - the baseline cluster network policy ALLOW should take effect // egressRule at index0 should take effect success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) diff --git a/conformance/tests/baseline-admin-network-policy-experimental-egress-rules.go b/conformance/tests/baseline-admin-network-policy-experimental-egress-rules.go index 4f55755e..8ab06767 100644 --- a/conformance/tests/baseline-admin-network-policy-experimental-egress-rules.go +++ b/conformance/tests/baseline-admin-network-policy-experimental-egress-rules.go 
@@ -25,32 +25,32 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - BaselineAdminNetworkPolicyEgressNamedPort, - BaselineAdminNetworkPolicyEgressNodePeers, + CNPBaselineTierEgressNamedPort, + CNPBaselineTierEgressNodePeers, ) } -var BaselineAdminNetworkPolicyEgressNamedPort = suite.ConformanceTest{ - ShortName: "BaselineAdminNetworkPolicyEgressNamedPort", - Description: "Tests support for egress traffic on a named port using baseline admin network policy API based on a server and client model", +var CNPBaselineTierEgressNamedPort = suite.ConformanceTest{ + ShortName: "CNPBaselineTierEgressNamedPort", + Description: "Tests support for egress traffic on a named port using baseline cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportBaselineAdminNetworkPolicy, - suite.SupportBaselineAdminNetworkPolicyNamedPorts, + suite.SupportClusterNetworkPolicy, + suite.SupportClusterNetworkPolicyNamedPorts, }, - Manifests: []string{"base/baseline_admin_network_policy/standard-egress-udp-rules.yaml"}, + Manifests: []string{"base/baseline_tier/standard-egress-udp-rules.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-egress' policy for named port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // harry-potter-1 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -58,23 +58,23 @@ var BaselineAdminNetworkPolicyEgressNamedPort = suite.ConformanceTest{ Name: "harry-potter-1", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - banp := &v1alpha1.BaselineAdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "default", - }, banp) - require.NoErrorf(t, err, "unable to fetch the baseline admin network policy") - mutate := banp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy") + mutate := cnp.DeepCopy() dnsPortRule := mutate.Spec.Egress[3] dnsPort := "dns" // rewrite the udp port 53 rule as named port rule - dnsPortRule.Ports = &[]v1alpha1.AdminNetworkPolicyPort{ + dnsPortRule.Ports = &[]v1alpha2.ClusterNetworkPolicyPort{ { NamedPort: &dnsPort, }, } mutate.Spec.Egress[3] = dnsPortRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp)) - require.NoErrorf(t, err, "unable to patch the baseline admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure egress is ALLOWED to gryffindor from hufflepuff at the dns port, which is defined as UDP at port 53 in pod spec // modified ingressRule at index3 should take effect 
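Review bot: `dnsPortRule := mutate.Spec.Egress[3]`, between the new `mutate := cnp.DeepCopy()` and the new Patch call, indexes the rules of the `default` policy with no length check, so if the relocated manifest under `base/baseline_tier/` ships fewer rules or a different order the test panics with an index-out-of-range rather than a readable failure, and it rewrites whatever rule happens to sit at index 3. A guard right after the DeepCopy, `require.GreaterOrEqualf(t, len(mutate.Spec.Egress), 4, "default baseline CNP must have at least 4 egress rules")`, turns that into an explicit failure. The same position-based mutation appears in the ingress named-port hunk (`mutate.Spec.Ingress[3]`) and in the rule-swap hunks of the SCTP, TCP, UDP and gress files (`mutate.Spec.Egress[0]`/`[1]`, `mutate.Spec.Ingress[0]`/`[1]`), which would benefit from the same check. The enclosing t.Run body continues past the end of this hunk.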
@@ -91,14 +91,14 @@ var BaselineAdminNetworkPolicyEgressNamedPort = suite.ConformanceTest{ }, } -var BaselineAdminNetworkPolicyEgressNodePeers = suite.ConformanceTest{ - ShortName: "BaselineAdminNetworkPolicyEgressNodePeers", - Description: "Tests support for egress traffic to node peers using baseline admin network policy API based on a server and client model", +var CNPBaselineTierEgressNodePeers = suite.ConformanceTest{ + ShortName: "CNPBaselineTierEgressNodePeers", + Description: "Tests support for egress traffic to node peers using baseline cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportBaselineAdminNetworkPolicy, - suite.SupportBaselineAdminNetworkPolicyEgressNodePeers, + suite.SupportClusterNetworkPolicy, + suite.SupportClusterNetworkPolicyEgressNodePeers, }, - Manifests: []string{"base/baseline_admin_network_policy/experimental-egress-selector-rules.yaml"}, + Manifests: []string{"base/baseline_tier/experimental-egress-selector-rules.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() diff --git a/conformance/tests/baseline-admin-network-policy-experimental-ingress-rules.go b/conformance/tests/baseline-admin-network-policy-experimental-ingress-rules.go index 77290da6..7654ed5e 100644 --- a/conformance/tests/baseline-admin-network-policy-experimental-ingress-rules.go +++ b/conformance/tests/baseline-admin-network-policy-experimental-ingress-rules.go 
@@ -25,31 +25,31 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - BaselineAdminNetworkPolicyIngressNamedPort, + CNPBaselineTierIngressNamedPort, ) } -var BaselineAdminNetworkPolicyIngressNamedPort = suite.ConformanceTest{ - ShortName: "BaselineAdminNetworkPolicyIngressNamedPort", - Description: "Tests support for ingress traffic on a named port using baseline admin network policy API based on a server and client model", +var CNPBaselineTierIngressNamedPort = suite.ConformanceTest{ + ShortName: "CNPBaselineTierIngressNamedPort", + Description: "Tests support for ingress traffic on a named port using baseline cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportBaselineAdminNetworkPolicy, - suite.SupportBaselineAdminNetworkPolicyNamedPorts, + suite.SupportClusterNetworkPolicy, + suite.SupportClusterNetworkPolicyNamedPorts, }, - Manifests: []string{"base/baseline_admin_network_policy/standard-ingress-tcp-rules.yaml"}, + Manifests: []string{"base/baseline_tier/standard-ingress-tcp-rules.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-ingress' policy for named port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // harry-potter-1 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -57,23 +57,23 @@ var BaselineAdminNetworkPolicyIngressNamedPort = suite.ConformanceTest{ Name: "harry-potter-1", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - banp := &v1alpha1.BaselineAdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "default", - }, banp) - require.NoErrorf(t, err, "unable to fetch the baseline admin network policy") - mutate := banp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy") + mutate := cnp.DeepCopy() namedPortRule := mutate.Spec.Ingress[3] webPort := "web" // rewrite the tcp port 80 rule as named port rule - namedPortRule.Ports = &[]v1alpha1.AdminNetworkPolicyPort{ + namedPortRule.Ports = &[]v1alpha2.ClusterNetworkPolicyPort{ { NamedPort: &webPort, }, } mutate.Spec.Ingress[3] = namedPortRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp)) - require.NoErrorf(t, err, "unable to patch the baseline admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure ingress is ALLOWED from hufflepuff to gryffindor at at the web port, which is defined as TCP at port 80 in pod spec // ingressRule at index3 should take effect diff --git a/conformance/tests/baseline-admin-network-policy-standard-egress-inline-cidr-rules.go b/conformance/tests/baseline-admin-network-policy-standard-egress-inline-cidr-rules.go index 850be371..625d372a 100644 --- a/conformance/tests/baseline-admin-network-policy-standard-egress-inline-cidr-rules.go +++ b/conformance/tests/baseline-admin-network-policy-standard-egress-inline-cidr-rules.go 
@@ -26,24 +26,24 @@ import ( "k8s.io/utils/net" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - BaselineAdminNetworkPolicyEgressInlineCIDRPeers, + CNPBaselineTierEgressInlineCIDRPeers, ) } -var BaselineAdminNetworkPolicyEgressInlineCIDRPeers = suite.ConformanceTest{ - ShortName: "BaselineAdminNetworkPolicyEgressInlineCIDRPeers", - Description: "Tests support for egress traffic to CIDR peers using baseline admin network policy API based on a server and client model", +var CNPBaselineTierEgressInlineCIDRPeers = suite.ConformanceTest{ + ShortName: "CNPBaselineTierEgressInlineCIDRPeers", + Description: "Tests support for egress traffic to CIDR peers using baseline cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportBaselineAdminNetworkPolicy, + suite.SupportClusterNetworkPolicy, }, - Manifests: []string{"base/baseline_admin_network_policy/standard-egress-inline-cidr-rules.yaml"}, + Manifests: []string{"base/baseline_tier/standard-egress-inline-cidr-rules.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() 
@@ -124,36 +124,36 @@ var BaselineAdminNetworkPolicyEgressInlineCIDRPeers = suite.ConformanceTest{ Name: "cedric-diggory-0", }, serverPodHufflepuff) require.NoErrorf(t, err, "unable to fetch the server pod") - banp := &v1alpha1.BaselineAdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "default", - }, banp) - require.NoErrorf(t, err, "unable to fetch the baseline admin network policy") - mutate := banp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy") + mutate := cnp.DeepCopy() var mask string if net.IsIPv4String(serverPodRavenclaw.Status.PodIP) { mask = "/32" } else { mask = "/128" } - // insert new rule at index0; append the rest of the rules in the default BANP - newRule := []v1alpha1.BaselineAdminNetworkPolicyEgressRule{ + // insert new rule at index0; append the rest of the rules in the default baseline CNP + newRule := []v1alpha2.ClusterNetworkPolicyEgressRule{ { Name: "allow-egress-to-specific-podIPs", Action: "Allow", - To: []v1alpha1.BaselineAdminNetworkPolicyEgressPeer{ + To: []v1alpha2.ClusterNetworkPolicyEgressPeer{ { - Networks: []v1alpha1.CIDR{ - v1alpha1.CIDR(serverPodRavenclaw.Status.PodIP + mask), - v1alpha1.CIDR(serverPodHufflepuff.Status.PodIP + mask), + Networks: []v1alpha2.CIDR{ + v1alpha2.CIDR(serverPodRavenclaw.Status.PodIP + mask), + v1alpha2.CIDR(serverPodHufflepuff.Status.PodIP + mask), }, }, }, }, } mutate.Spec.Egress = append(newRule, mutate.Spec.Egress...) - err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp)) - require.NoErrorf(t, err, "unable to patch the baseline admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") // harry-potter-0 is our client pod in gryffindor namespace // ensure egress is ALLOWED to luna-lovegood-0.IP and cedric-diggory-0.IP // new egressRule at index0 should take effect 
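Review bot: The new CIDR values `v1alpha2.CIDR(serverPodRavenclaw.Status.PodIP + mask)` and the hufflepuff counterpart are built from pod status without checking that an IP was assigned; a pod fetched before it is scheduled yields `"/32"`, and the following Patch then fails with an opaque validation error ("unable to patch") instead of naming the real cause. Add `require.NotEmptyf(t, serverPodRavenclaw.Status.PodIP, "server pod has no IP yet")` and the same for `serverPodHufflepuff` before the `var mask string` block. Note also that `mask` is derived from the ravenclaw IP alone and then applied to the hufflepuff IP; if the two pods ever report different address families the second entry gets the wrong prefix length, so selecting the mask per IP would be more robust. The enclosing function continues outside the hunk.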
diff --git a/conformance/tests/baseline-admin-network-policy-standard-egress-sctp-rules.go b/conformance/tests/baseline-admin-network-policy-standard-egress-sctp-rules.go
index f23fbd3b..ba114939 100644
--- a/conformance/tests/baseline-admin-network-policy-standard-egress-sctp-rules.go
+++ b/conformance/tests/baseline-admin-network-policy-standard-egress-sctp-rules.go
@@ -25,30 +25,30 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - BaselineAdminNetworkPolicyEgressSCTP, + CNPBaselineTierEgressSCTP, ) } -var BaselineAdminNetworkPolicyEgressSCTP = suite.ConformanceTest{ - ShortName: "BaselineAdminNetworkPolicyEgressSCTP", - Description: "Tests support for egress traffic (SCTP protocol) using baseline admin network policy API based on a server and client model", +var CNPBaselineTierEgressSCTP = suite.ConformanceTest{ + ShortName: "CNPBaselineTierEgressSCTP", + Description: "Tests support for egress traffic (SCTP protocol) using baseline cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportBaselineAdminNetworkPolicy, + suite.SupportClusterNetworkPolicy, }, - Manifests: []string{"base/baseline_admin_network_policy/standard-egress-sctp-rules.yaml"}, + Manifests: []string{"base/baseline_tier/standard-egress-sctp-rules.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // harry-potter-0 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -71,7 +71,7 @@ var BaselineAdminNetworkPolicyEgressSCTP = suite.ConformanceTest{ t.Run("Should support an 'allow-egress' policy for SCTP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // cedric-diggory-1 is our server pod in hufflepuff namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ @@ -94,7 +94,7 @@ var BaselineAdminNetworkPolicyEgressSCTP = suite.ConformanceTest{ t.Run("Should support an 'deny-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // harry-potter-0 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -102,18 +102,18 @@ var BaselineAdminNetworkPolicyEgressSCTP = suite.ConformanceTest{ Name: "harry-potter-1", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - banp := &v1alpha1.BaselineAdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "default", - }, banp) - require.NoErrorf(t, err, "unable to fetch the baseline admin network policy") - mutate := banp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Egress[0] mutate.Spec.Egress[0] = mutate.Spec.Egress[1] mutate.Spec.Egress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp)) - require.NoErrorf(t, err, "unable to patch the baseline admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") // luna-lovegood-0 is our client pod in gryffindor namespace // ensure egress is DENIED to gryffindor from ravenclaw // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered @@ -129,7 +129,7 @@ var BaselineAdminNetworkPolicyEgressSCTP = suite.ConformanceTest{ t.Run("Should support a 'deny-egress' policy for SCTP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // draco-malfoy-0 is our server pod in slytherin namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ diff --git a/conformance/tests/baseline-admin-network-policy-standard-egress-tcp-rules.go b/conformance/tests/baseline-admin-network-policy-standard-egress-tcp-rules.go index 84283007..1b657328 100644 
--- a/conformance/tests/baseline-admin-network-policy-standard-egress-tcp-rules.go +++ b/conformance/tests/baseline-admin-network-policy-standard-egress-tcp-rules.go @@ -25,30 +25,30 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - BaselineAdminNetworkPolicyEgressTCP, + CNPBaselineTierEgressTCP, ) } -var BaselineAdminNetworkPolicyEgressTCP = suite.ConformanceTest{ - ShortName: "BaselineAdminNetworkPolicyEgressTCP", - Description: "Tests support for egress traffic (TCP protocol) using baseline admin network policy API based on a server and client model", +var CNPBaselineTierEgressTCP = suite.ConformanceTest{ + ShortName: "CNPBaselineTierEgressTCP", + Description: "Tests support for egress traffic (TCP protocol) using baseline cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportBaselineAdminNetworkPolicy, + suite.SupportClusterNetworkPolicy, }, - Manifests: []string{"base/baseline_admin_network_policy/standard-egress-tcp-rules.yaml"}, + Manifests: []string{"base/baseline_tier/standard-egress-tcp-rules.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // luna-lovegood-0 is our server pod in ravenclaw namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -70,7 +70,7 @@ var BaselineAdminNetworkPolicyEgressTCP = suite.ConformanceTest{ t.Run("Should support an 'allow-egress' policy for TCP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // cedric-diggory-1 is our server pod in hufflepuff namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ @@ -93,7 +93,7 @@ var BaselineAdminNetworkPolicyEgressTCP = suite.ConformanceTest{ t.Run("Should support an 'deny-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // luna-lovegood-1 is our server pod in ravenclaw namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -101,18 +101,18 @@ var BaselineAdminNetworkPolicyEgressTCP = suite.ConformanceTest{ Name: "luna-lovegood-1", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - banp := &v1alpha1.BaselineAdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "default", - }, banp) - require.NoErrorf(t, err, "unable to fetch the baseline admin network policy") - mutate := banp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Egress[0] mutate.Spec.Egress[0] = mutate.Spec.Egress[1] mutate.Spec.Egress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp)) - require.NoErrorf(t, err, "unable to patch the baseline admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") // harry-potter-0 is our client pod in gryffindor namespace // ensure egress is DENIED to ravenclaw from gryffindor // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered @@ -128,7 +128,7 @@ var BaselineAdminNetworkPolicyEgressTCP = suite.ConformanceTest{ t.Run("Should support a 'deny-egress' policy for TCP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // draco-malfoy-0 is our server pod in slytherin namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ diff --git a/conformance/tests/baseline-admin-network-policy-standard-egress-udp-rules.go b/conformance/tests/baseline-admin-network-policy-standard-egress-udp-rules.go index 06e6f574..c4f5ae31 100644 
--- a/conformance/tests/baseline-admin-network-policy-standard-egress-udp-rules.go +++ b/conformance/tests/baseline-admin-network-policy-standard-egress-udp-rules.go @@ -25,30 +25,30 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - BaselineAdminNetworkPolicyEgressUDP, + CNPBaselineTierEgressUDP, ) } -var BaselineAdminNetworkPolicyEgressUDP = suite.ConformanceTest{ - ShortName: "BaselineAdminNetworkPolicyEgressUDP", - Description: "Tests support for egress traffic (UDP protocol) using baseline admin network policy API based on a server and client model", +var CNPBaselineTierEgressUDP = suite.ConformanceTest{ + ShortName: "CNPBaselineTierEgressUDP", + Description: "Tests support for egress traffic (UDP protocol) using baseline cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportBaselineAdminNetworkPolicy, + suite.SupportClusterNetworkPolicy, }, - Manifests: []string{"base/baseline_admin_network_policy/standard-egress-udp-rules.yaml"}, + Manifests: []string{"base/baseline_tier/standard-egress-udp-rules.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // luna-lovegood-0 is our server pod in ravenclaw namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -71,7 +71,7 @@ var BaselineAdminNetworkPolicyEgressUDP = suite.ConformanceTest{ t.Run("Should support an 'allow-egress' policy for UDP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // harry-potter-1 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ @@ -94,7 +94,7 @@ var BaselineAdminNetworkPolicyEgressUDP = suite.ConformanceTest{ t.Run("Should support an 'deny-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // luna-lovegood-1 is our server pod in ravenclaw namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -102,18 +102,18 @@ var BaselineAdminNetworkPolicyEgressUDP = suite.ConformanceTest{ Name: "luna-lovegood-1", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - banp := &v1alpha1.BaselineAdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "default", - }, banp) - require.NoErrorf(t, err, "unable to fetch the baseline admin network policy") - mutate := banp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Egress[0] mutate.Spec.Egress[0] = mutate.Spec.Egress[1] mutate.Spec.Egress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp)) - require.NoErrorf(t, err, "unable to patch the baseline admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure egress is DENIED to ravenclaw to hufflepuff // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered @@ -129,7 +129,7 @@ var BaselineAdminNetworkPolicyEgressUDP = suite.ConformanceTest{ t.Run("Should support a 'deny-egress' policy for UDP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // draco-malfoy-0 is our server pod in slytherin namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ diff --git a/conformance/tests/baseline-admin-network-policy-standard-gress-rules.go b/conformance/tests/baseline-admin-network-policy-standard-gress-rules.go index 41f056c5..fed16f85 100644 
--- a/conformance/tests/baseline-admin-network-policy-standard-gress-rules.go +++ b/conformance/tests/baseline-admin-network-policy-standard-gress-rules.go @@ -25,30 +25,30 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - BaselineAdminNetworkPolicyGress, + CNPBaselineTierGress, ) } -var BaselineAdminNetworkPolicyGress = suite.ConformanceTest{ - ShortName: "BaselineAdminNetworkPolicyGress", - Description: "Tests support for combined ingress and egress traffic rules in the baseline admin network policy API based on a server and client model", +var CNPBaselineTierGress = suite.ConformanceTest{ + ShortName: "CNPBaselineTierGress", + Description: "Tests support for combined ingress and egress traffic rules in the baseline cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportBaselineAdminNetworkPolicy, + suite.SupportClusterNetworkPolicy, }, - Manifests: []string{"base/baseline_admin_network_policy/standard-gress-rules-combined.yaml"}, + Manifests: []string{"base/baseline_tier/standard-gress-rules-combined.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-gress' policy across different protocols", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP /* First; let's test egress works! */ // luna-lovegood-0 is our server pod in ravenclaw namespace 
@@ -95,7 +95,7 @@ var BaselineAdminNetworkPolicyGress = suite.ConformanceTest{ t.Run("Should support an 'allow-gress' policy across different protocols at the specified ports", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP /* First; let's test egress works! */ // cedric-diggory-1 is our server pod in hufflepuff namespace @@ -178,7 +178,7 @@ var BaselineAdminNetworkPolicyGress = suite.ConformanceTest{ t.Run("Should support an 'deny-gress' policy across different protocols", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP /* First; let's test egress works! */ // luna-lovegood-1 is our server pod in ravenclaw namespace @@ -188,12 +188,12 @@ var BaselineAdminNetworkPolicyGress = suite.ConformanceTest{ Name: "luna-lovegood-1", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - banp := &v1alpha1.BaselineAdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "default", - }, banp) - require.NoErrorf(t, err, "unable to fetch the baseline admin network policy") - mutate := banp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index0 and index1 for both ingress and egress allowOutRule := mutate.Spec.Egress[0] mutate.Spec.Egress[0] = mutate.Spec.Egress[1] 
@@ -201,8 +201,8 @@ var BaselineAdminNetworkPolicyGress = suite.ConformanceTest{ allowInRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1] mutate.Spec.Ingress[1] = allowInRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp)) - require.NoErrorf(t, err, "unable to patch the baseline admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") // harry-potter-x is our client pod in gryffindor namespace // ensure egress is DENIED to ravenclaw from gryffindor // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered @@ -240,7 +240,7 @@ var BaselineAdminNetworkPolicyGress = suite.ConformanceTest{ t.Run("Should support a 'deny-gress' policy across different protocols at the specified ports", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP /* First; let's test egress works! */ // draco-malfoy-0 is our server pod in slytherin namespace diff --git a/conformance/tests/baseline-admin-network-policy-standard-ingress-sctp-rules.go b/conformance/tests/baseline-admin-network-policy-standard-ingress-sctp-rules.go index 2e9d823a..8f07f650 100644 --- a/conformance/tests/baseline-admin-network-policy-standard-ingress-sctp-rules.go +++ b/conformance/tests/baseline-admin-network-policy-standard-ingress-sctp-rules.go 
@@ -25,30 +25,30 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - BaselineAdminNetworkPolicyIngressSCTP, + CNPBaselineTierIngressSCTP, ) } -var BaselineAdminNetworkPolicyIngressSCTP = suite.ConformanceTest{ - ShortName: "BaselineAdminNetworkPolicyIngressSCTP", - Description: "Tests support for ingress traffic (SCTP protocol) using baseline admin network policy API based on a server and client model", +var CNPBaselineTierIngressSCTP = suite.ConformanceTest{ + ShortName: "CNPBaselineTierIngressSCTP", + Description: "Tests support for ingress traffic (SCTP protocol) using baseline cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportBaselineAdminNetworkPolicy, + suite.SupportClusterNetworkPolicy, }, - Manifests: []string{"base/baseline_admin_network_policy/standard-ingress-sctp-rules.yaml"}, + Manifests: []string{"base/baseline_tier/standard-ingress-sctp-rules.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // luna-lovegood-0 is our server pod in ravenclaw namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
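Review bot: The test variable is renamed to `CNPBaselineTierIngressSCTP` and `Manifests` now points at `base/baseline_tier/standard-ingress-sctp-rules.yaml`, but the source file keeps its `baseline-admin-network-policy-standard-ingress-sctp-rules.go` name, so the file, the test identifier and the fixture directory now use three different vocabularies for the same thing. Renaming the file alongside the variable (e.g. to a `cnp-baseline-tier-…` name matching the manifest directory) keeps the tree free of `BaselineAdmin` references once that API is gone. None of the hunks in view add or move the new manifest file; if that happens in a part of the change not shown here this is fine, otherwise the applier will fail at setup, which is worth confirming before merge.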
@@ -70,7 +70,7 @@ var BaselineAdminNetworkPolicyIngressSCTP = suite.ConformanceTest{ t.Run("Should support an 'allow-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // luna-lovegood-1 is our server pod in ravenclaw namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ @@ -93,7 +93,7 @@ var BaselineAdminNetworkPolicyIngressSCTP = suite.ConformanceTest{ t.Run("Should support an 'deny-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // luna-lovegood-1 is our server pod in ravenclaw namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -101,18 +101,18 @@ var BaselineAdminNetworkPolicyIngressSCTP = suite.ConformanceTest{ Name: "luna-lovegood-1", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - banp := &v1alpha1.BaselineAdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "default", - }, banp) - require.NoErrorf(t, err, "unable to fetch the baseline admin network policy") - mutate := banp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1] mutate.Spec.Ingress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp)) - require.NoErrorf(t, err, "unable to patch the baseline admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") // harry-potter-0 is our client pod in gryffindor namespace // ensure ingress is DENIED from gryffindor to ravenclaw // ingressRule at index0 will take precedence over ingressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered @@ -128,7 +128,7 @@ var BaselineAdminNetworkPolicyIngressSCTP = suite.ConformanceTest{ t.Run("Should support a 'deny-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // luna-lovegood-0 is our server pod in ravenclaw namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ diff --git a/conformance/tests/baseline-admin-network-policy-standard-ingress-tcp-rules.go b/conformance/tests/baseline-admin-network-policy-standard-ingress-tcp-rules.go index f92582b4..85137f26 100644 
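Review bot: `cnp` is looked up purely by the name `default`, yet the assertions after the patch assume baseline-tier ordering and the failure message calls it the "baseline cluster network policy"; nothing verifies that the fetched v1alpha2 object is in the baseline tier now that one type covers both tiers. Assert it before patching — if the tier is a field of `Spec` in v1alpha2, `require.Equal(t, <baseline tier constant>, cnp.Spec.Tier, "default policy is not in the baseline tier")`, with the exact field and constant checked against the API types. A `require.GreaterOrEqual(t, len(mutate.Spec.Ingress), 2, "expected at least two ingress rules")` ahead of the index swap would also turn a bad fixture into a readable failure instead of an index panic. The subtest body continues beyond the hunk.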
--- a/conformance/tests/baseline-admin-network-policy-standard-ingress-tcp-rules.go +++ b/conformance/tests/baseline-admin-network-policy-standard-ingress-tcp-rules.go @@ -25,30 +25,30 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - BaselineAdminNetworkPolicyIngressTCP, + CNPBaselineTierIngressTCP, ) } -var BaselineAdminNetworkPolicyIngressTCP = suite.ConformanceTest{ - ShortName: "BaselineAdminNetworkPolicyIngressTCP", - Description: "Tests support for ingress traffic (TCP protocol) using baseline admin network policy API based on a server and client model", +var CNPBaselineTierIngressTCP = suite.ConformanceTest{ + ShortName: "CNPBaselineTierIngressTCP", + Description: "Tests support for ingress traffic (TCP protocol) using baseline cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportBaselineAdminNetworkPolicy, + suite.SupportClusterNetworkPolicy, }, - Manifests: []string{"base/baseline_admin_network_policy/standard-ingress-tcp-rules.yaml"}, + Manifests: []string{"base/baseline_tier/standard-ingress-tcp-rules.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // harry-potter-0 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -70,7 +70,7 @@ var BaselineAdminNetworkPolicyIngressTCP = suite.ConformanceTest{ t.Run("Should support an 'allow-ingress' policy for TCP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // harry-potter-1 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ @@ -93,7 +93,7 @@ var BaselineAdminNetworkPolicyIngressTCP = suite.ConformanceTest{ t.Run("Should support an 'deny-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // harry-potter-1 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -101,18 +101,18 @@ var BaselineAdminNetworkPolicyIngressTCP = suite.ConformanceTest{ Name: "harry-potter-1", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - banp := &v1alpha1.BaselineAdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "default", - }, banp) - require.NoErrorf(t, err, "unable to fetch the baseline admin network policy") - mutate := banp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1] mutate.Spec.Ingress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp)) - require.NoErrorf(t, err, "unable to patch the baseline admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is DENIED from ravenclaw to gryffindor // ingressRule at index0 will take precedence over ingressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered @@ -128,7 +128,7 @@ var BaselineAdminNetworkPolicyIngressTCP = suite.ConformanceTest{ t.Run("Should support a 'deny-ingress' policy for TCP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // harry-potter-0 is our server pod in gryffindor namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ diff --git a/conformance/tests/baseline-admin-network-policy-standard-ingress-udp-rules.go b/conformance/tests/baseline-admin-network-policy-standard-ingress-udp-rules.go index 68e947dc..26ecc4bd 100644 
--- a/conformance/tests/baseline-admin-network-policy-standard-ingress-udp-rules.go +++ b/conformance/tests/baseline-admin-network-policy-standard-ingress-udp-rules.go @@ -25,30 +25,30 @@ import ( v1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/network-policy-api/apis/v1alpha1" + "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) func init() { ConformanceTests = append(ConformanceTests, - BaselineAdminNetworkPolicyIngressUDP, + CNPBaselineTierIngressUDP, ) } -var BaselineAdminNetworkPolicyIngressUDP = suite.ConformanceTest{ - ShortName: "BaselineAdminNetworkPolicyIngressUDP", - Description: "Tests support for ingress traffic (UDP protocol) using baseline admin network policy API based on a server and client model", +var CNPBaselineTierIngressUDP = suite.ConformanceTest{ + ShortName: "CNPBaselineTierIngressUDP", + Description: "Tests support for ingress traffic (UDP protocol) using baseline cluster network policy API based on a server and client model", Features: []suite.SupportedFeature{ - suite.SupportBaselineAdminNetworkPolicy, + suite.SupportClusterNetworkPolicy, }, - Manifests: []string{"base/baseline_admin_network_policy/standard-ingress-udp-rules.yaml"}, + Manifests: []string{"base/baseline_tier/standard-ingress-udp-rules.yaml"}, Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // cedric-diggory-0 is our server pod in hufflepuff namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -70,7 +70,7 @@ var BaselineAdminNetworkPolicyIngressUDP = suite.ConformanceTest{ t.Run("Should support an 'allow-ingress' policy for UDP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // cedric-diggory-1 is our server pod in hufflepuff namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ @@ -93,7 +93,7 @@ var BaselineAdminNetworkPolicyIngressUDP = suite.ConformanceTest{ t.Run("Should support an 'deny-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // cedric-diggory-1 is our server pod in hufflepuff namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ 
@@ -101,18 +101,18 @@ var BaselineAdminNetworkPolicyIngressUDP = suite.ConformanceTest{ Name: "cedric-diggory-1", }, serverPod) require.NoErrorf(t, err, "unable to fetch the server pod") - banp := &v1alpha1.BaselineAdminNetworkPolicy{} + cnp := &v1alpha2.ClusterNetworkPolicy{} err = s.Client.Get(ctx, client.ObjectKey{ Name: "default", - }, banp) - require.NoErrorf(t, err, "unable to fetch the admin network policy") - mutate := banp.DeepCopy() + }, cnp) + require.NoErrorf(t, err, "unable to fetch the cluster network policy") + mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1] mutate.Spec.Ingress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp)) - require.NoErrorf(t, err, "unable to patch the baseline admin network policy") + err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) + require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is DENIED from ravenclaw to hufflepuff // ingressRule at index0 will take precedence over ingressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered @@ -128,7 +128,7 @@ var BaselineAdminNetworkPolicyIngressUDP = suite.ConformanceTest{ t.Run("Should support a 'deny-ingress' policy for UDP protocol at the specified port", func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) defer cancel() - // This test uses `default` BANP + // This test uses `default` baseline CNP // cedric-diggory-0 is our server pod in hufflepuff namespace serverPod := &v1.Pod{} err := s.Client.Get(ctx, client.ObjectKey{ diff --git a/conformance/utils/suite/conformance_profiles.go b/conformance/utils/suite/conformance_profiles.go index fb780079..4a503216 100644 --- a/conformance/utils/suite/conformance_profiles.go +++ b/conformance/utils/suite/conformance_profiles.go 
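Review bot: The failure message on the `Get` in this hunk reads `unable to fetch the cluster network policy`, while the `Patch` immediately below it and the sibling SCTP and TCP tests all say `unable to fetch the baseline cluster network policy`. Since this is the same baseline-tier fixture, align it: `require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy")`. Consistent wording makes a failure in one protocol variant easier to correlate with the others in the junit output. The subtest continues past the hunk.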
@@ -39,13 +39,9 @@ type ConformanceProfile struct { type ConformanceProfileName string const ( - // ANPConformanceProfileName indicates the name of the conformance profile - // which covers AdminNetworkPolicy core API - ANPConformanceProfileName ConformanceProfileName = "AdminNetworkPolicy" - - // BANPConformanceProfileName indicates the name of the conformance profile - // which covers BaselineAdminNetworkPolicy core API - BANPConformanceProfileName ConformanceProfileName = "BaselineAdminNetworkPolicy" + // CNPConformanceProfileName indicates the name of the conformance profile + // which covers ClusterNetworkPolicy core API + CNPConformanceProfileName ConformanceProfileName = "ClusterNetworkPolicy" ) // ----------------------------------------------------------------------------- @@ -53,27 +49,15 @@ const ( // ----------------------------------------------------------------------------- var ( - // ANPConformanceProfile is a ConformanceProfile that covers testing ANP API - ANPConformanceProfile = ConformanceProfile{ - Name: ANPConformanceProfileName, - StandardFeatures: sets.New( - SupportAdminNetworkPolicy, - ), - ExperimentalFeatures: sets.New( - SupportAdminNetworkPolicyNamedPorts, - SupportAdminNetworkPolicyEgressNodePeers, - ), - } - - // BANPConformanceProfile is a ConformanceProfile that covers testing BANP API - BANPConformanceProfile = ConformanceProfile{ - Name: BANPConformanceProfileName, + // CNPConformanceProfile is a ConformanceProfile that covers testing CNP API + CNPConformanceProfile = ConformanceProfile{ + Name: CNPConformanceProfileName, StandardFeatures: sets.New( - SupportBaselineAdminNetworkPolicy, + SupportClusterNetworkPolicy, ), ExperimentalFeatures: sets.New( - SupportBaselineAdminNetworkPolicyNamedPorts, - SupportBaselineAdminNetworkPolicyEgressNodePeers, + SupportClusterNetworkPolicyNamedPorts, + SupportClusterNetworkPolicyEgressNodePeers, ), } ) 
@@ -85,8 +69,7 @@ var ( // conformanceProfileMap maps short human-readable names to their respective // ConformanceProfiles. var conformanceProfileMap = map[ConformanceProfileName]ConformanceProfile{ - ANPConformanceProfileName: ANPConformanceProfile, - BANPConformanceProfileName: BANPConformanceProfile, + CNPConformanceProfileName: CNPConformanceProfile, } // getConformanceProfileForName retrieves a known ConformanceProfile by it's simple diff --git a/conformance/utils/suite/features.go b/conformance/utils/suite/features.go index 04efba6e..e1bc738a 100644 --- a/conformance/utils/suite/features.go +++ b/conformance/utils/suite/features.go @@ -32,16 +32,13 @@ type SupportedFeature string const ( // This option indicates support for ANP (standard conformance). - SupportAdminNetworkPolicy SupportedFeature = "AdminNetworkPolicy" - // This option indicates support for BANP (standard conformance). - SupportBaselineAdminNetworkPolicy SupportedFeature = "BaselineAdminNetworkPolicy" + SupportClusterNetworkPolicy SupportedFeature = "ClusterNetworkPolicy" ) // StandardFeatures are the features that are required to be conformant with // the Core API features (e.g. all fields in the API except for NamedPorts). var StandardFeatures = sets.New( - SupportAdminNetworkPolicy, - SupportBaselineAdminNetworkPolicy, + SupportClusterNetworkPolicy, ) // ----------------------------------------------------------------------------- 
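Review bot: The comment kept above the new constant in `features.go` still reads `// This option indicates support for ANP (standard conformance).`, so `SupportClusterNetworkPolicy` is now documented as the AdminNetworkPolicy feature this commit removes. Update it to `// This option indicates support for ClusterNetworkPolicy (standard conformance).` so the godoc matches the identifier and the `"ClusterNetworkPolicy"` feature string it gates. The `StandardFeatures` comment in the same hunk remains accurate and needs no change.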
@@ -49,21 +46,17 @@ var StandardFeatures = sets.New( // ----------------------------------------------------------------------------- const ( - // This option indicates AdminNetworkPolicy's NamedPorts, EgressNodePeers + // This option indicates ClusterNetworkPolicy's NamedPorts, EgressNodePeers // fall under the extended test conformance. - SupportAdminNetworkPolicyNamedPorts SupportedFeature = "AdminNetworkPolicyNamedPorts" - SupportAdminNetworkPolicyEgressNodePeers SupportedFeature = "AdminNetworkPolicyEgressNodePeers" - SupportBaselineAdminNetworkPolicyNamedPorts SupportedFeature = "BaselineAdminNetworkPolicyNamedPorts" - SupportBaselineAdminNetworkPolicyEgressNodePeers SupportedFeature = "BaselineAdminNetworkPolicyEgressNodePeers" + SupportClusterNetworkPolicyNamedPorts SupportedFeature = "ClusterNetworkPolicyNamedPorts" + SupportClusterNetworkPolicyEgressNodePeers SupportedFeature = "ClusterNetworkPolicyEgressNodePeers" ) // ExperimentalFeatures are newer, unstable features that are not part of the standard channel. // If implementations want to use these features, they can use the experimental CR to leverage them. var ExperimentalFeatures = sets.New( - SupportAdminNetworkPolicyNamedPorts, - SupportAdminNetworkPolicyEgressNodePeers, - SupportBaselineAdminNetworkPolicyNamedPorts, - SupportBaselineAdminNetworkPolicyEgressNodePeers, + SupportClusterNetworkPolicyNamedPorts, + SupportClusterNetworkPolicyEgressNodePeers, ).Insert(StandardFeatures.UnsortedList()...) // ----------------------------------------------------------------------------- diff --git a/conformance/utils/suite/suite.go b/conformance/utils/suite/suite.go index 98e03794..0e2af11a 100644 --- a/conformance/utils/suite/suite.go +++ b/conformance/utils/suite/suite.go 
@@ -121,7 +121,7 @@ func New(s Options) *ConformanceTestSuite { func (suite *ConformanceTestSuite) Setup(t *testing.T) { suite.Applier.FS = suite.FS - if suite.SupportedFeatures.Has(SupportAdminNetworkPolicy) { + if suite.SupportedFeatures.Has(SupportClusterNetworkPolicy) { t.Logf("Test Setup: Applying base manifests") suite.Applier.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, suite.BaseManifests, suite.Cleanup) diff --git a/pkg/generator/main.go b/pkg/generator/main.go index 12631409..7708fbb3 100644 --- a/pkg/generator/main.go +++ b/pkg/generator/main.go @@ -37,9 +37,7 @@ const ( ) var standardKinds = map[string]bool{ - "AdminNetworkPolicy": true, - "BaselineAdminNetworkPolicy": true, - "ClusterNetworkPolicy": true, + "ClusterNetworkPolicy": true, } // This generation code is largely copied from @@ -47,7 +45,6 @@ var standardKinds = map[string]bool{ func main() { roots, err := loader.LoadRoots( "k8s.io/apimachinery/pkg/runtime/schema", // Needed to parse generated register functions. - "sigs.k8s.io/network-policy-api/apis/v1alpha1", "sigs.k8s.io/network-policy-api/apis/v1alpha2", ) if err != nil {