diff --git a/pkg/agent/controller/networkpolicy/cache.go b/pkg/agent/controller/networkpolicy/cache.go index 94240c29894..be56ae38bc8 100644 --- a/pkg/agent/controller/networkpolicy/cache.go +++ b/pkg/agent/controller/networkpolicy/cache.go @@ -78,6 +78,12 @@ type rule struct { PolicyName string // PolicyNamespace is empty for ClusterNetworkPolicy. PolicyNamespace string + // Reference to the original NetworkPolicy that the rule belongs to. + // Note it has different meaning from PolicyUID, PolicyName, and + // PolicyNamespace which are the metadata of controlplane NetworkPolicy. + // Although they are same for now, it might change in future, features that + // need the information of the original NetworkPolicy should use SourceRef. + SourceRef *v1beta1.NetworkPolicyReference } // hashRule calculates a string based on the rule's content. @@ -113,9 +119,9 @@ func (r *CompletedRule) String() string { r.ID, r.Direction, len(r.Pods), addressString, len(r.Services), r.PolicyPriority, r.Priority) } -// isAntreaNetworkPolicyRule returns true if the rule is part of a ClusterNetworkPolicy. +// isAntreaNetworkPolicyRule returns true if the rule is part of a Antrea policy. func (r *CompletedRule) isAntreaNetworkPolicyRule() bool { - return r.PolicyPriority != nil + return r.SourceRef.Type != v1beta1.K8sNetworkPolicy } // ruleCache caches Antrea AddressGroups, AppliedToGroups and NetworkPolicies, @@ -200,6 +206,7 @@ func addRuleToNetworkPolicy(np *v1beta1.NetworkPolicy, rule *rule) *v1beta1.Netw ObjectMeta: metav1.ObjectMeta{UID: rule.PolicyUID, Name: rule.PolicyName, Namespace: rule.PolicyNamespace}, + SourceRef: rule.SourceRef, AppliedToGroups: rule.AppliedToGroups, Priority: rule.PolicyPriority, TierPriority: rule.TierPriority, @@ -564,6 +571,7 @@ func toRule(r *v1beta1.NetworkPolicyRule, policy *v1beta1.NetworkPolicy) *rule { TierPriority: policy.TierPriority, AppliedToGroups: policy.AppliedToGroups, PolicyUID: policy.UID, + SourceRef: policy.SourceRef, } rule.ID = hashRule(rule) rule.PolicyNamespace = policy.Namespace diff --git a/pkg/agent/controller/networkpolicy/networkpolicy_controller.go b/pkg/agent/controller/networkpolicy/networkpolicy_controller.go index c664b337e1b..b2a3cb2effb 100644 --- a/pkg/agent/controller/networkpolicy/networkpolicy_controller.go +++ b/pkg/agent/controller/networkpolicy/networkpolicy_controller.go @@ -114,7 +114,7 @@ func NewNetworkPolicyController(antreaClientGetter agent.AntreaClientProvider, return fmt.Errorf("cannot convert to *v1beta1.NetworkPolicy: %v", obj) } c.ruleCache.AddNetworkPolicy(policy) - klog.Infof("NetworkPolicy %s/%s applied to Pods on this Node", policy.Namespace, policy.Name) + klog.Infof("NetworkPolicy %s applied to Pods on this Node", policy.SourceRef.ToString()) return nil }, UpdateFunc: func(obj runtime.Object) error { @@ -131,7 +131,7 @@ func NewNetworkPolicyController(antreaClientGetter agent.AntreaClientProvider, return fmt.Errorf("cannot convert to *v1beta1.NetworkPolicy: %v", obj) } c.ruleCache.DeleteNetworkPolicy(policy) - klog.Infof("NetworkPolicy %s/%s no longer applied to Pods on this Node", policy.Namespace, policy.Name) + klog.Infof("NetworkPolicy %s no longer applied to Pods on this Node", policy.SourceRef.ToString()) return nil }, ReplaceFunc: func(objs []runtime.Object) error { @@ -142,7 +142,7 @@ func NewNetworkPolicyController(antreaClientGetter agent.AntreaClientProvider, if !ok { return fmt.Errorf("cannot convert to *v1beta1.NetworkPolicy: %v", objs[i]) } - klog.Infof("NetworkPolicy %s/%s applied to Pods on this Node", policies[i].Namespace, policies[i].Name) + klog.Infof("NetworkPolicy %s applied to Pods on this Node", policies[i].SourceRef.ToString()) } c.ruleCache.ReplaceNetworkPolicies(policies) return nil diff --git a/pkg/agent/controller/networkpolicy/networkpolicy_controller_test.go b/pkg/agent/controller/networkpolicy/networkpolicy_controller_test.go index f76ca8b4ff2..1335a04fcd2 100644 --- a/pkg/agent/controller/networkpolicy/networkpolicy_controller_test.go +++ b/pkg/agent/controller/networkpolicy/networkpolicy_controller_test.go @@ -128,6 +128,12 @@ func newNetworkPolicy(uid string, from, to, appliedTo []string, services []v1bet ObjectMeta: v1.ObjectMeta{UID: types.UID(uid), Name: uid, Namespace: testNamespace}, Rules: []v1beta1.NetworkPolicyRule{networkPolicyRule1}, AppliedToGroups: appliedTo, + SourceRef: &v1beta1.NetworkPolicyReference{ + Type: v1beta1.K8sNetworkPolicy, + Namespace: testNamespace, + Name: uid, + UID: types.UID(uid), + }, } } @@ -148,6 +154,12 @@ func getNetworkPolicyWithMultipleRules(uid string, from, to, appliedTo []string, ObjectMeta: v1.ObjectMeta{UID: types.UID(uid), Name: uid, Namespace: testNamespace}, Rules: []v1beta1.NetworkPolicyRule{networkPolicyRule1, networkPolicyRule2}, AppliedToGroups: appliedTo, + SourceRef: &v1beta1.NetworkPolicyReference{ + Type: v1beta1.K8sNetworkPolicy, + Namespace: testNamespace, + Name: uid, + UID: types.UID(uid), + }, } } diff --git a/pkg/agent/controller/networkpolicy/reconciler.go b/pkg/agent/controller/networkpolicy/reconciler.go index 4d5e58acfd4..9165826832d 100644 --- a/pkg/agent/controller/networkpolicy/reconciler.go +++ b/pkg/agent/controller/networkpolicy/reconciler.go @@ -147,7 +147,7 @@ func newLastRealized(rule *CompletedRule) *lastRealized { } // tablePriorityAssigner groups the priorityAssigner and mutex for a single OVS table -// that is reserved for installing ClusterNetworkPolicy rules. +// that is reserved for installing Antrea policy rules. type tablePriorityAssigner struct { assigner *priorityAssigner mutex sync.RWMutex @@ -197,7 +197,7 @@ func newReconciler(ofClient openflow.Client, ifaceStore interfacestore.Interface // Reconcile checks whether the provided rule have been enforced or not, and // invoke the add or update method accordingly. func (r *reconciler) Reconcile(rule *CompletedRule) error { - klog.Infof("Reconciling rule %s of NetworkPolicy %s/%s", rule.ID, rule.PolicyNamespace, rule.PolicyName) + klog.Infof("Reconciling rule %s of NetworkPolicy %s", rule.ID, rule.SourceRef.ToString()) var err error var ofPriority *uint16 @@ -250,7 +250,7 @@ func (r *reconciler) getOFRuleTable(rule *CompletedRule) binding.TableIDType { // getOFPriority retrieves the OFPriority for the input CompletedRule to be installed, // and re-arranges installed priorities on OVS if necessary. func (r *reconciler) getOFPriority(rule *CompletedRule, table binding.TableIDType, pa *tablePriorityAssigner) (*uint16, error) { - if rule.PolicyPriority == nil { + if !rule.isAntreaNetworkPolicyRule() { klog.V(2).Infof("Assigning default priority for k8s NetworkPolicy.") return nil, nil } @@ -295,7 +295,7 @@ func (r *reconciler) BatchReconcile(rules []*CompletedRule) error { for _, rule := range rulesToInstall { ruleTable := r.getOFRuleTable(rule) priorityAssigner := r.priorityAssigners[ruleTable] - klog.V(2).Infof("Adding rule %s of NetworkPolicy %s/%s to be reconciled in batch", rule.ID, rule.PolicyNamespace, rule.PolicyName) + klog.V(2).Infof("Adding rule %s of NetworkPolicy %s to be reconciled in batch", rule.ID, rule.SourceRef.ToString()) ofPriority, _ := r.getOFPriority(rule, ruleTable, priorityAssigner) priorities = append(priorities, ofPriority) if ofPriority != nil { @@ -348,8 +348,6 @@ func (r *reconciler) add(rule *CompletedRule, ofPriority *uint16, table binding. return fmt.Errorf("error allocating Openflow ID") } ofRule.FlowID = ofID - ofRule.PolicyName = lastRealized.CompletedRule.PolicyName - ofRule.PolicyNamespace = lastRealized.CompletedRule.PolicyNamespace if err = r.installOFRule(ofRule); err != nil { return err } @@ -386,6 +384,7 @@ func (r *reconciler) computeOFRulesForAdd(rule *CompletedRule, ofPriority *uint1 Action: rule.Action, Priority: ofPriority, TableID: table, + PolicyRef: rule.SourceRef, } } } else { @@ -402,6 +401,7 @@ func (r *reconciler) computeOFRulesForAdd(rule *CompletedRule, ofPriority *uint1 Action: rule.Action, Priority: ofPriority, TableID: table, + PolicyRef: rule.SourceRef, } } @@ -409,7 +409,7 @@ func (r *reconciler) computeOFRulesForAdd(rule *CompletedRule, ofPriority *uint1 // We must ensure there is at least one PolicyRule, otherwise the Pods won't be // isolated, so we create a PolicyRule with the original services if it doesn't exist. // If there are IPBlocks or Pods that cannot resolve any named port, they will share - // this PolicyRule. ClusterNetworkPolicy does not need this default isolation. + // this PolicyRule. Antrea policies do not need this default isolation. if !rule.isAntreaNetworkPolicyRule() || len(rule.To.IPBlocks) > 0 { svcKey := normalizeServices(rule.Services) ofRule, exists := ofRuleByServicesMap[svcKey] @@ -423,6 +423,7 @@ func (r *reconciler) computeOFRulesForAdd(rule *CompletedRule, ofPriority *uint1 Action: rule.Action, Priority: nil, TableID: table, + PolicyRef: rule.SourceRef, } ofRuleByServicesMap[svcKey] = ofRule } @@ -453,8 +454,6 @@ func (r *reconciler) batchAdd(rules []*CompletedRule, ofPriorities []*uint16) er return fmt.Errorf("error allocating Openflow ID") } ofRule.FlowID = ofID - ofRule.PolicyName = lastRealized.CompletedRule.PolicyName - ofRule.PolicyNamespace = lastRealized.CompletedRule.PolicyNamespace allOFRules = append(allOFRules, ofRule) if ofIDUpdateMaps[idx] == nil { ofIDUpdateMaps[idx] = make(map[servicesKey]uint32) @@ -507,16 +506,15 @@ func (r *reconciler) update(lastRealized *lastRealized, newRule *CompletedRule, return fmt.Errorf("error allocating Openflow ID") } ofRule := &types.PolicyRule{ - Direction: v1beta1.DirectionIn, - From: append(from1, from2...), - To: ofPortsToOFAddresses(newOFPorts), - Service: filterUnresolvablePort(servicesMap[svcKey]), - Action: newRule.Action, - Priority: ofPriority, - FlowID: ofID, - TableID: table, - PolicyName: newRule.PolicyName, - PolicyNamespace: newRule.PolicyNamespace, + Direction: v1beta1.DirectionIn, + From: append(from1, from2...), + To: ofPortsToOFAddresses(newOFPorts), + Service: filterUnresolvablePort(servicesMap[svcKey]), + Action: newRule.Action, + Priority: ofPriority, + FlowID: ofID, + TableID: table, + PolicyRef: newRule.SourceRef, } if err = r.installOFRule(ofRule); err != nil { return err @@ -556,16 +554,15 @@ func (r *reconciler) update(lastRealized *lastRealized, newRule *CompletedRule, return fmt.Errorf("error allocating Openflow ID") } ofRule := &types.PolicyRule{ - Direction: v1beta1.DirectionOut, - From: from, - To: groupMembersToOFAddresses(members), - Service: filterUnresolvablePort(servicesMap[svcKey]), - Action: newRule.Action, - Priority: ofPriority, - FlowID: ofID, - TableID: table, - PolicyName: newRule.PolicyName, - PolicyNamespace: newRule.PolicyNamespace, + Direction: v1beta1.DirectionOut, + From: from, + To: groupMembersToOFAddresses(members), + Service: filterUnresolvablePort(servicesMap[svcKey]), + Action: newRule.Action, + Priority: ofPriority, + FlowID: ofID, + TableID: table, + PolicyRef: newRule.SourceRef, } if err = r.installOFRule(ofRule); err != nil { return err diff --git a/pkg/agent/controller/networkpolicy/reconciler_test.go b/pkg/agent/controller/networkpolicy/reconciler_test.go index 387bf7d4e27..52e5440b02c 100644 --- a/pkg/agent/controller/networkpolicy/reconciler_test.go +++ b/pkg/agent/controller/networkpolicy/reconciler_test.go @@ -72,6 +72,18 @@ var ( policyPriority = float64(1) tierPriority = v1beta1.TierPriority(1) + + np1 = v1beta1.NetworkPolicyReference{ + Type: v1beta1.K8sNetworkPolicy, + Namespace: "ns1", + Name: "name1", + UID: "uid1", + } + cnp1 = v1beta1.NetworkPolicyReference{ + Type: v1beta1.AntreaClusterNetworkPolicy, + Name: "name1", + UID: "uid1", + } ) func newCIDR(cidrStr string) *net.IPNet { @@ -93,7 +105,7 @@ func TestReconcilerForget(t *testing.T) { "foo": { ofIDs: map[servicesKey]uint32{servicesKey1: 8}, CompletedRule: &CompletedRule{ - rule: &rule{Direction: v1beta1.DirectionIn, PolicyPriority: nil}, + rule: &rule{Direction: v1beta1.DirectionIn, SourceRef: &np1}, }, }, }, @@ -107,7 +119,7 @@ func TestReconcilerForget(t *testing.T) { "foo": { ofIDs: map[servicesKey]uint32{servicesKey1: 8}, CompletedRule: &CompletedRule{ - rule: &rule{Direction: v1beta1.DirectionIn, PolicyPriority: nil}, + rule: &rule{Direction: v1beta1.DirectionIn, SourceRef: &np1}, }, }, }, @@ -121,7 +133,7 @@ func TestReconcilerForget(t *testing.T) { "foo": { ofIDs: map[servicesKey]uint32{servicesKey1: 8, servicesKey2: 9}, CompletedRule: &CompletedRule{ - rule: &rule{Direction: v1beta1.DirectionIn, PolicyPriority: nil}, + rule: &rule{Direction: v1beta1.DirectionIn, SourceRef: &np1}, }, }, }, @@ -135,7 +147,7 @@ func TestReconcilerForget(t *testing.T) { "foo": { ofIDs: map[servicesKey]uint32{servicesKey1: 8, servicesKey2: 9}, CompletedRule: &CompletedRule{ - rule: &rule{Direction: v1beta1.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority}, + rule: &rule{Direction: v1beta1.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, SourceRef: &cnp1}, }, }, }, @@ -219,7 +231,7 @@ func TestReconcilerReconcile(t *testing.T) { { "ingress-rule", &CompletedRule{ - rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, Services: []v1beta1.Service{serviceTCP80, serviceTCP}}, + rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, Services: []v1beta1.Service{serviceTCP80, serviceTCP}, SourceRef: &np1}, FromAddresses: addressGroup1, ToAddresses: nil, Pods: appliedToGroup1, @@ -230,6 +242,7 @@ func TestReconcilerReconcile(t *testing.T) { From: ipsToOFAddresses(sets.NewString("1.1.1.1")), To: ofPortsToOFAddresses(sets.NewInt32(1)), Service: []v1beta1.Service{serviceTCP80, serviceTCP}, + PolicyRef: &np1, }, }, false, @@ -237,7 +250,7 @@ func TestReconcilerReconcile(t *testing.T) { { "ingress-rule-with-missing-ofport", &CompletedRule{ - rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn}, + rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, SourceRef: &np1}, FromAddresses: addressGroup1, ToAddresses: nil, Pods: appliedToGroup2, @@ -248,6 +261,7 @@ func TestReconcilerReconcile(t *testing.T) { From: ipsToOFAddresses(sets.NewString("1.1.1.1")), To: []types.Address{}, Service: nil, + PolicyRef: &np1, }, }, false, @@ -260,6 +274,7 @@ func TestReconcilerReconcile(t *testing.T) { Direction: v1beta1.DirectionIn, From: v1beta1.NetworkPolicyPeer{IPBlocks: []v1beta1.IPBlock{ipBlock1, ipBlock2}}, Services: []v1beta1.Service{serviceTCP80, serviceTCP}, + SourceRef: &np1, }, FromAddresses: addressGroup1, ToAddresses: nil, @@ -284,8 +299,9 @@ func TestReconcilerReconcile(t *testing.T) { openflow.NewIPNetAddress(*diffNet11), openflow.NewIPNetAddress(*diffNet12), }, - To: ofPortsToOFAddresses(sets.NewInt32(1)), - Service: []v1beta1.Service{serviceTCP80, serviceTCP}, + To: ofPortsToOFAddresses(sets.NewInt32(1)), + Service: []v1beta1.Service{serviceTCP80, serviceTCP}, + PolicyRef: &np1, }, }, false, @@ -297,6 +313,7 @@ func TestReconcilerReconcile(t *testing.T) { ID: "ingress-rule", Direction: v1beta1.DirectionIn, Services: []v1beta1.Service{}, + SourceRef: &np1, }, Pods: appliedToGroup1, }, @@ -306,6 +323,7 @@ func TestReconcilerReconcile(t *testing.T) { From: []types.Address{}, To: ofPortsToOFAddresses(sets.NewInt32(1)), Service: nil, + PolicyRef: &np1, }, }, false, @@ -317,6 +335,7 @@ func TestReconcilerReconcile(t *testing.T) { ID: "ingress-rule", Direction: v1beta1.DirectionIn, Services: []v1beta1.Service{serviceHTTP}, + SourceRef: &np1, }, Pods: appliedToGroup1, }, @@ -326,6 +345,7 @@ func TestReconcilerReconcile(t *testing.T) { From: []types.Address{}, To: ofPortsToOFAddresses(sets.NewInt32(1)), Service: []v1beta1.Service{}, + PolicyRef: &np1, }, }, false, @@ -337,6 +357,7 @@ func TestReconcilerReconcile(t *testing.T) { ID: "ingress-rule", Direction: v1beta1.DirectionIn, Services: []v1beta1.Service{serviceHTTP}, + SourceRef: &np1, }, Pods: appliedToGroupWithSameContainerPort, }, @@ -346,6 +367,7 @@ func TestReconcilerReconcile(t *testing.T) { From: []types.Address{}, To: ofPortsToOFAddresses(sets.NewInt32(1, 3)), Service: []v1beta1.Service{serviceTCP80}, + PolicyRef: &np1, }, }, false, @@ -357,6 +379,7 @@ func TestReconcilerReconcile(t *testing.T) { ID: "ingress-rule", Direction: v1beta1.DirectionIn, Services: []v1beta1.Service{serviceHTTP}, + SourceRef: &np1, }, Pods: appliedToGroupWithDiffContainerPort, }, @@ -366,12 +389,14 @@ func TestReconcilerReconcile(t *testing.T) { From: []types.Address{}, To: ofPortsToOFAddresses(sets.NewInt32(1)), Service: []v1beta1.Service{serviceTCP80}, + PolicyRef: &np1, }, { Direction: v1beta1.DirectionIn, From: []types.Address{}, To: ofPortsToOFAddresses(sets.NewInt32(3)), Service: []v1beta1.Service{serviceTCP443}, + PolicyRef: &np1, }, }, false, @@ -379,7 +404,7 @@ func TestReconcilerReconcile(t *testing.T) { { "ingress-rule-deny-all", &CompletedRule{ - rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn}, + rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, SourceRef: &np1}, FromAddresses: nil, ToAddresses: nil, Pods: appliedToGroup1, @@ -390,6 +415,7 @@ func TestReconcilerReconcile(t *testing.T) { From: []types.Address{}, To: ofPortsToOFAddresses(sets.NewInt32(1)), Service: nil, + PolicyRef: &np1, }, }, false, @@ -397,7 +423,7 @@ func TestReconcilerReconcile(t *testing.T) { { "egress-rule", &CompletedRule{ - rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut}, + rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut, SourceRef: &np1}, FromAddresses: nil, ToAddresses: addressGroup1, Pods: appliedToGroup1, @@ -408,6 +434,7 @@ func TestReconcilerReconcile(t *testing.T) { From: ipsToOFAddresses(sets.NewString("2.2.2.2")), To: ipsToOFAddresses(sets.NewString("1.1.1.1")), Service: nil, + PolicyRef: &np1, }, }, false, @@ -419,6 +446,7 @@ func TestReconcilerReconcile(t *testing.T) { ID: "egress-rule", Direction: v1beta1.DirectionOut, To: v1beta1.NetworkPolicyPeer{IPBlocks: []v1beta1.IPBlock{ipBlock1, ipBlock2}}, + SourceRef: &np1, }, FromAddresses: nil, ToAddresses: addressGroup1, @@ -444,7 +472,8 @@ func TestReconcilerReconcile(t *testing.T) { openflow.NewIPNetAddress(*diffNet11), openflow.NewIPNetAddress(*diffNet12), }, - Service: nil, + Service: nil, + PolicyRef: &np1, }, }, false, @@ -455,6 +484,7 @@ func TestReconcilerReconcile(t *testing.T) { rule: &rule{ ID: "egress-rule", Direction: v1beta1.DirectionOut, + SourceRef: &np1, }, FromAddresses: nil, ToAddresses: nil, @@ -466,6 +496,7 @@ func TestReconcilerReconcile(t *testing.T) { From: ipsToOFAddresses(sets.NewString("2.2.2.2")), To: []types.Address{}, Service: nil, + PolicyRef: &np1, }, }, false, @@ -504,21 +535,21 @@ func TestReconcilerBatchReconcile(t *testing.T) { }) completedRules := []*CompletedRule{ { - rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, Services: []v1beta1.Service{serviceTCP80, serviceTCP}}, + rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, Services: []v1beta1.Service{serviceTCP80, serviceTCP}, SourceRef: &np1}, FromAddresses: addressGroup1, ToAddresses: nil, Pods: appliedToGroup1, }, { - rule: &rule{ID: "ingress-rule-no-ports", Direction: v1beta1.DirectionIn, Services: []v1beta1.Service{}}, + rule: &rule{ID: "ingress-rule-no-ports", Direction: v1beta1.DirectionIn, Services: []v1beta1.Service{}, SourceRef: &np1}, Pods: appliedToGroup1, }, { - rule: &rule{ID: "ingress-rule-diff-named-port", Direction: v1beta1.DirectionIn, Services: []v1beta1.Service{serviceHTTP}}, + rule: &rule{ID: "ingress-rule-diff-named-port", Direction: v1beta1.DirectionIn, Services: []v1beta1.Service{serviceHTTP}, SourceRef: &np1}, Pods: appliedToGroupWithDiffContainerPort, }, { - rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut}, + rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut, SourceRef: &np1}, FromAddresses: nil, ToAddresses: addressGroup1, Pods: appliedToGroup1, @@ -530,30 +561,35 @@ func TestReconcilerBatchReconcile(t *testing.T) { From: ipsToOFAddresses(sets.NewString("1.1.1.1")), To: ofPortsToOFAddresses(sets.NewInt32(1)), Service: []v1beta1.Service{serviceTCP80, serviceTCP}, + PolicyRef: &np1, }, { Direction: v1beta1.DirectionIn, From: []types.Address{}, To: ofPortsToOFAddresses(sets.NewInt32(1)), Service: nil, + PolicyRef: &np1, }, { Direction: v1beta1.DirectionIn, From: []types.Address{}, To: ofPortsToOFAddresses(sets.NewInt32(1)), Service: []v1beta1.Service{serviceTCP80}, + PolicyRef: &np1, }, { Direction: v1beta1.DirectionIn, From: []types.Address{}, To: ofPortsToOFAddresses(sets.NewInt32(3)), Service: []v1beta1.Service{serviceTCP443}, + PolicyRef: &np1, }, { Direction: v1beta1.DirectionOut, From: ipsToOFAddresses(sets.NewString("2.2.2.2")), To: ipsToOFAddresses(sets.NewString("1.1.1.1")), Service: nil, + PolicyRef: &np1, }, } tests := []struct { @@ -641,12 +677,12 @@ func TestReconcilerUpdate(t *testing.T) { { "updating-ingress-rule", &CompletedRule{ - rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn}, + rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, SourceRef: &np1}, FromAddresses: addressGroup1, Pods: appliedToGroup1, }, &CompletedRule{ - rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn}, + rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, SourceRef: &np1}, FromAddresses: addressGroup2, Pods: appliedToGroup2, }, @@ -660,12 +696,12 @@ func TestReconcilerUpdate(t *testing.T) { { "updating-egress-rule", &CompletedRule{ - rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut}, + rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut, SourceRef: &np1}, ToAddresses: addressGroup1, Pods: appliedToGroup1, }, &CompletedRule{ - rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut}, + rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut, SourceRef: &np1}, ToAddresses: addressGroup2, Pods: appliedToGroup2, }, @@ -679,12 +715,12 @@ func TestReconcilerUpdate(t *testing.T) { { "updating-ingress-rule-with-missing-ofport", &CompletedRule{ - rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn}, + rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, SourceRef: &np1}, FromAddresses: addressGroup1, Pods: appliedToGroup1, }, &CompletedRule{ - rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn}, + rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, SourceRef: &np1}, FromAddresses: addressGroup2, Pods: appliedToGroup3, }, @@ -698,12 +734,12 @@ func TestReconcilerUpdate(t *testing.T) { { "updating-egress-rule-with-missing-ip", &CompletedRule{ - rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut}, + rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut, SourceRef: &np1}, ToAddresses: addressGroup1, Pods: appliedToGroup1, }, &CompletedRule{ - rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut}, + rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut, SourceRef: &np1}, ToAddresses: addressGroup2, Pods: appliedToGroup3, }, @@ -717,12 +753,12 @@ func TestReconcilerUpdate(t *testing.T) { { "updating-egress-rule-deny-all", &CompletedRule{ - rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut}, + rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut, SourceRef: &np1}, ToAddresses: nil, Pods: appliedToGroup1, }, &CompletedRule{ - rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut}, + rule: &rule{ID: "egress-rule", Direction: v1beta1.DirectionOut, SourceRef: &np1}, ToAddresses: nil, Pods: appliedToGroup2, }, @@ -736,12 +772,12 @@ func TestReconcilerUpdate(t *testing.T) { { "updating-cnp-ingress-rule", &CompletedRule{ - rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority}, + rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, SourceRef: &cnp1}, FromAddresses: addressGroup1, Pods: appliedToGroup1, }, &CompletedRule{ - rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority}, + rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, SourceRef: &cnp1}, FromAddresses: addressGroup2, Pods: appliedToGroup2, }, @@ -755,12 +791,12 @@ func TestReconcilerUpdate(t *testing.T) { { "updating-cnp-ingress-rule-uninstall", &CompletedRule{ - rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, Services: []v1beta1.Service{serviceHTTP}}, + rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, Services: []v1beta1.Service{serviceHTTP}, SourceRef: &cnp1}, FromAddresses: addressGroup1, Pods: appliedToGroupWithDiffContainerPort, }, &CompletedRule{ - rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, Services: []v1beta1.Service{serviceHTTP}}, + rule: &rule{ID: "ingress-rule", Direction: v1beta1.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, Services: []v1beta1.Service{serviceHTTP}, SourceRef: &cnp1}, FromAddresses: addressGroup1, Pods: appliedToGroupWithSingleContainerPort, }, diff --git a/pkg/agent/controller/traceflow/packetin.go b/pkg/agent/controller/traceflow/packetin.go index 7f02446f878..e3644dc8b29 100644 --- a/pkg/agent/controller/traceflow/packetin.go +++ b/pkg/agent/controller/traceflow/packetin.go @@ -133,9 +133,9 @@ func (c *Controller) parsePacketIn(pktIn *ofctrl.PacketIn) (*opsv1alpha1.Tracefl ob.Component = opsv1alpha1.NetworkPolicy ob.ComponentInfo = openflow.GetFlowTableName(openflow.EgressRuleTable) ob.Action = opsv1alpha1.Forwarded - npName, npNamespace := c.ofClient.GetPolicyFromConjunction(egressInfo) - if npName != "" { - ob.NetworkPolicy = fmt.Sprintf("%s/%s", npNamespace, npName) + npRef := c.ofClient.GetPolicyFromConjunction(egressInfo) + if npRef != nil { + ob.NetworkPolicy = npRef.ToString() } obs = append(obs, *ob) } @@ -150,9 +150,9 @@ func (c *Controller) parsePacketIn(pktIn *ofctrl.PacketIn) (*opsv1alpha1.Tracefl ob.Component = opsv1alpha1.NetworkPolicy ob.ComponentInfo = openflow.GetFlowTableName(openflow.IngressRuleTable) ob.Action = opsv1alpha1.Forwarded - npName, npNamespace := c.ofClient.GetPolicyFromConjunction(ingressInfo) - if npName != "" { - ob.NetworkPolicy = fmt.Sprintf("%s/%s", npNamespace, npName) + npRef := c.ofClient.GetPolicyFromConjunction(ingressInfo) + if npRef != nil { + ob.NetworkPolicy = npRef.ToString() } obs = append(obs, *ob) } diff --git a/pkg/agent/openflow/client.go b/pkg/agent/openflow/client.go index 159ef0cd851..3565f8a3946 100644 --- a/pkg/agent/openflow/client.go +++ b/pkg/agent/openflow/client.go @@ -25,6 +25,7 @@ import ( "github.com/vmware-tanzu/antrea/pkg/agent/config" "github.com/vmware-tanzu/antrea/pkg/agent/openflow/cookie" "github.com/vmware-tanzu/antrea/pkg/agent/types" + "github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1" binding "github.com/vmware-tanzu/antrea/pkg/ovs/openflow" "github.com/vmware-tanzu/antrea/third_party/proxy" ) @@ -217,7 +218,7 @@ type Client interface { InitialTLVMap() error // Find network policy and namespace by conjunction ID. - GetPolicyFromConjunction(ruleID uint32) (string, string) + GetPolicyFromConjunction(ruleID uint32) *v1beta1.NetworkPolicyReference // RegisterPacketInHandler registers PacketIn handler to process PacketIn event. RegisterPacketInHandler(packetHandlerName string, packetInHandler interface{}) diff --git a/pkg/agent/openflow/network_policy.go b/pkg/agent/openflow/network_policy.go index be4f00e8647..93339c0613c 100644 --- a/pkg/agent/openflow/network_policy.go +++ b/pkg/agent/openflow/network_policy.go @@ -453,9 +453,8 @@ type policyRuleConjunction struct { serviceClause *clause actionFlows []binding.Flow metricFlows []binding.Flow - // NetworkPolicy name and Namespace information for debugging usage. - npName string - npNamespace string + // NetworkPolicy reference information for debugging usage. + npRef *v1beta1.NetworkPolicyReference ruleTableID binding.TableIDType } @@ -749,9 +748,9 @@ func (c *client) calculateActionFlowChangesForRule(rule *types.PolicyRule) *poli return nil } conj = &policyRuleConjunction{ - id: ruleID, - npName: rule.PolicyName, - npNamespace: rule.PolicyNamespace} + id: ruleID, + npRef: rule.PolicyRef, + } nClause, ruleTable, dropTable := conj.calculateClauses(rule, c) conj.ruleTableID = rule.TableID _, isEgress := egressTables[rule.TableID] @@ -1008,12 +1007,12 @@ func (c *client) getPolicyRuleConjunction(ruleID uint32) *policyRuleConjunction return conj.(*policyRuleConjunction) } -func (c *client) GetPolicyFromConjunction(ruleID uint32) (string, string) { +func (c *client) GetPolicyFromConjunction(ruleID uint32) *v1beta1.NetworkPolicyReference { conjunction := c.getPolicyRuleConjunction(ruleID) if conjunction == nil { - return "", "" + return nil } - return conjunction.npName, conjunction.npNamespace + return conjunction.npRef } // UninstallPolicyRuleFlows removes the Openflow entry relevant to the specified NetworkPolicy rule. @@ -1183,7 +1182,7 @@ func (c *client) GetNetworkPolicyFlowKeys(npName, npNamespace string) []string { for _, conjObj := range c.policyCache.List() { conj := conjObj.(*policyRuleConjunction) - if conj.npName == npName && conj.npNamespace == npNamespace { + if conj.npRef.Name == npName && conj.npRef.Namespace == npNamespace { // There can be duplicated flows added due to conjunctive matches // shared by multiple policy rules (clauses). flowKeys = append(flowKeys, conj.getAllFlowKeys()...) @@ -1254,8 +1253,7 @@ func (c *client) updateConjunctionActionFlows(conj *policyRuleConjunction, updat toClause: conj.toClause, serviceClause: conj.serviceClause, actionFlows: newActionFlows, - npName: conj.npName, - npNamespace: conj.npNamespace, + npRef: conj.npRef, ruleTableID: conj.ruleTableID, } return newConj diff --git a/pkg/agent/openflow/network_policy_test.go b/pkg/agent/openflow/network_policy_test.go index 7caf5d9d640..6f6ac8c8e1e 100644 --- a/pkg/agent/openflow/network_policy_test.go +++ b/pkg/agent/openflow/network_policy_test.go @@ -142,14 +142,18 @@ func TestInstallPolicyRuleFlows(t *testing.T) { defaultAction := secv1alpha1.RuleActionAllow ruleID1 := uint32(101) rule1 := &types.PolicyRule{ - Direction: v1beta1.DirectionOut, - From: parseAddresses([]string{"192.168.1.30", "192.168.1.50"}), - Action: &defaultAction, - Priority: nil, - FlowID: ruleID1, - TableID: EgressRuleTable, - PolicyName: "np1", - PolicyNamespace: "ns1", + Direction: v1beta1.DirectionOut, + From: parseAddresses([]string{"192.168.1.30", "192.168.1.50"}), + Action: &defaultAction, + Priority: nil, + FlowID: ruleID1, + TableID: EgressRuleTable, + PolicyRef: &v1beta1.NetworkPolicyReference{ + Type: v1beta1.K8sNetworkPolicy, + Namespace: "ns1", + Name: "np1", + UID: "id1", + }, } outDropTable.EXPECT().BuildFlow(gomock.Any()).Return(newMockDropFlowBuilder(ctrl)).AnyTimes() @@ -171,14 +175,18 @@ func TestInstallPolicyRuleFlows(t *testing.T) { ruleID2 := uint32(102) rule2 := &types.PolicyRule{ - Direction: v1beta1.DirectionOut, - From: parseAddresses([]string{"192.168.1.40", "192.168.1.50"}), - Action: &defaultAction, - To: parseAddresses([]string{"0.0.0.0/0"}), - FlowID: ruleID2, - TableID: EgressRuleTable, - PolicyName: "np1", - PolicyNamespace: "ns1", + Direction: v1beta1.DirectionOut, + From: parseAddresses([]string{"192.168.1.40", "192.168.1.50"}), + Action: &defaultAction, + To: parseAddresses([]string{"0.0.0.0/0"}), + FlowID: ruleID2, + TableID: EgressRuleTable, + PolicyRef: &v1beta1.NetworkPolicyReference{ + Type: v1beta1.K8sNetworkPolicy, + Namespace: "ns1", + Name: "np1", + UID: "id1", + }, } conj2 := &policyRuleConjunction{id: ruleID2} conj2.calculateClauses(rule2, c) @@ -209,15 +217,19 @@ func TestInstallPolicyRuleFlows(t *testing.T) { npPort1 := v1beta1.Service{Protocol: &tcpProtocol, Port: &port1} npPort2 := v1beta1.Service{Protocol: &tcpProtocol, Port: &port2} rule3 := &types.PolicyRule{ - Direction: v1beta1.DirectionOut, - From: parseAddresses([]string{"192.168.1.40", "192.168.1.60"}), - To: parseAddresses([]string{"192.168.2.0/24"}), - Action: &defaultAction, - Service: []v1beta1.Service{npPort1, npPort2}, - FlowID: ruleID3, - TableID: EgressRuleTable, - PolicyName: "np1", - PolicyNamespace: "ns1", + Direction: v1beta1.DirectionOut, + From: parseAddresses([]string{"192.168.1.40", "192.168.1.60"}), + To: parseAddresses([]string{"192.168.2.0/24"}), + Action: &defaultAction, + Service: []v1beta1.Service{npPort1, npPort2}, + FlowID: ruleID3, + TableID: EgressRuleTable, + PolicyRef: &v1beta1.NetworkPolicyReference{ + Type: v1beta1.K8sNetworkPolicy, + Namespace: "ns1", + Name: "np1", + UID: "id1", + }, } conj3 := &policyRuleConjunction{id: ruleID3} conj3.calculateClauses(rule3, c) @@ -270,26 +282,34 @@ func TestBatchInstallPolicyRuleFlows(t *testing.T) { ruleID1 := uint32(10) rule1 := &types.PolicyRule{ - Direction: v1beta1.DirectionOut, - From: parseAddresses([]string{"192.168.1.40", "192.168.1.50"}), - Action: &defaultAction, - To: parseAddresses([]string{"0.0.0.0/0"}), - FlowID: ruleID1, - TableID: EgressRuleTable, - PolicyName: "np1", - PolicyNamespace: "ns1", + Direction: v1beta1.DirectionOut, + From: parseAddresses([]string{"192.168.1.40", "192.168.1.50"}), + Action: &defaultAction, + To: parseAddresses([]string{"0.0.0.0/0"}), + FlowID: ruleID1, + TableID: EgressRuleTable, + PolicyRef: &v1beta1.NetworkPolicyReference{ + Type: v1beta1.K8sNetworkPolicy, + Namespace: "ns1", + Name: "np1", + UID: "id1", + }, } ruleID2 := uint32(20) rule2 := &types.PolicyRule{ - Direction: v1beta1.DirectionOut, - From: parseAddresses([]string{"192.168.1.60"}), - Action: &defaultAction, - Priority: &priorityRule2, - To: parseAddresses([]string{"192.168.1.70"}), - FlowID: ruleID2, - TableID: ApplicationEgressRuleTable, - PolicyName: "np2", - PolicyNamespace: "ns1", + Direction: v1beta1.DirectionOut, + From: parseAddresses([]string{"192.168.1.60"}), + Action: &defaultAction, + Priority: &priorityRule2, + To: parseAddresses([]string{"192.168.1.70"}), + FlowID: ruleID2, + TableID: ApplicationEgressRuleTable, + PolicyRef: &v1beta1.NetworkPolicyReference{ + Type: v1beta1.AntreaNetworkPolicy, + Namespace: "ns1", + Name: "np2", + UID: "id2", + }, } outDropTable.EXPECT().BuildFlow(gomock.Any()).Return(newMockDropFlowBuilder(ctrl)).AnyTimes() diff --git a/pkg/agent/openflow/testing/mock_openflow.go b/pkg/agent/openflow/testing/mock_openflow.go index 2ad8c655661..8b95bdfe140 100644 --- a/pkg/agent/openflow/testing/mock_openflow.go +++ b/pkg/agent/openflow/testing/mock_openflow.go @@ -24,6 +24,7 @@ import ( gomock "github.com/golang/mock/gomock" config "github.com/vmware-tanzu/antrea/pkg/agent/config" types "github.com/vmware-tanzu/antrea/pkg/agent/types" + v1beta1 "github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1" openflow "github.com/vmware-tanzu/antrea/pkg/ovs/openflow" proxy "github.com/vmware-tanzu/antrea/third_party/proxy" net "net" @@ -166,12 +167,11 @@ func (mr *MockClientMockRecorder) GetPodFlowKeys(arg0 interface{}) *gomock.Call } // GetPolicyFromConjunction mocks base method -func (m *MockClient) GetPolicyFromConjunction(arg0 uint32) (string, string) { +func (m *MockClient) GetPolicyFromConjunction(arg0 uint32) *v1beta1.NetworkPolicyReference { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "GetPolicyFromConjunction", arg0) - ret0, _ := ret[0].(string) - ret1, _ := ret[1].(string) - return ret0, ret1 + ret0, _ := ret[0].(*v1beta1.NetworkPolicyReference) + return ret0 } // GetPolicyFromConjunction indicates an expected call of GetPolicyFromConjunction diff --git a/pkg/agent/types/networkpolicy.go b/pkg/agent/types/networkpolicy.go index 487d30e4299..82239079399 100644 --- a/pkg/agent/types/networkpolicy.go +++ b/pkg/agent/types/networkpolicy.go @@ -43,21 +43,20 @@ type Address interface { // PolicyRule groups configurations to set up conjunctive match for egress/ingress policy rules. type PolicyRule struct { - Direction v1beta1.Direction - From []Address - To []Address - Service []v1beta1.Service - Action *secv1alpha1.RuleAction - Priority *uint16 - FlowID uint32 - TableID binding.TableIDType - PolicyName string - PolicyNamespace string + Direction v1beta1.Direction + From []Address + To []Address + Service []v1beta1.Service + Action *secv1alpha1.RuleAction + Priority *uint16 + FlowID uint32 + TableID binding.TableIDType + PolicyRef *v1beta1.NetworkPolicyReference } // IsAntreaNetworkPolicyRule returns if a PolicyRule is created for Antrea NetworkPolicy types. func (r *PolicyRule) IsAntreaNetworkPolicyRule() bool { - return r.Priority != nil + return r.PolicyRef.Type != v1beta1.K8sNetworkPolicy } // Priority is a struct that is composed of Antrea NetworkPolicy priority, rule priority and Tier priority. diff --git a/pkg/apis/controlplane/helper.go b/pkg/apis/controlplane/helper.go index 20ddb4d9c0f..47521b20489 100644 --- a/pkg/apis/controlplane/helper.go +++ b/pkg/apis/controlplane/helper.go @@ -14,6 +14,8 @@ package controlplane +import "fmt" + // Conversion functions between GroupMember and GroupMemberPod func (g *GroupMember) ToGroupMemberPod() *GroupMemberPod { return &GroupMemberPod{ @@ -31,3 +33,11 @@ func (p *GroupMemberPod) ToGroupMember() *GroupMember { }, } } + +func (r *NetworkPolicyReference) ToString() string { + if r.Type == AntreaClusterNetworkPolicy { + return fmt.Sprintf("%s:%s", r.Type, r.Name) + } else { + return fmt.Sprintf("%s:%s/%s", r.Type, r.Namespace, r.Name) + } +} diff --git a/pkg/apis/controlplane/types.go b/pkg/apis/controlplane/types.go index c4392a8d456..2a3449230e5 100644 --- a/pkg/apis/controlplane/types.go +++ b/pkg/apis/controlplane/types.go @@ -16,6 +16,7 @@ package controlplane import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/intstr" secv1alpha1 "github.com/vmware-tanzu/antrea/pkg/apis/security/v1alpha1" @@ -150,6 +151,25 @@ type AddressGroupList struct { // TierPriority indicates higher precedence. type TierPriority uint32 +type NetworkPolicyType string + +const ( + K8sNetworkPolicy NetworkPolicyType = "K8sNetworkPolicy" + AntreaClusterNetworkPolicy NetworkPolicyType = "AntreaClusterNetworkPolicy" + AntreaNetworkPolicy NetworkPolicyType = "AntreaNetworkPolicy" +) + +type NetworkPolicyReference struct { + // Type of the NetworkPolicy. + Type NetworkPolicyType + // Namespace of the NetworkPolicy. It's empty for Antrea ClusterNetworkPolicy. + Namespace string + // Name of the NetworkPolicy. + Name string + // UID of the NetworkPolicy. + UID types.UID +} + // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // NetworkPolicy is the message format of antrea/pkg/controller/types.NetworkPolicy in an API response. type NetworkPolicy struct { @@ -165,6 +185,8 @@ type NetworkPolicy struct { // TierPriority represents the priority of the Tier associated with this NetworkPolicy. // The TierPriority will remain nil for K8s NetworkPolicy. TierPriority *TierPriority + // Reference to the original NetworkPolicy that the internal NetworkPolicy is created for. + SourceRef *NetworkPolicyReference } // Direction defines traffic direction of NetworkPolicyRule. diff --git a/pkg/apis/controlplane/v1beta1/generated.pb.go b/pkg/apis/controlplane/v1beta1/generated.pb.go index 5497e6979a5..20401b4849d 100644 --- a/pkg/apis/controlplane/v1beta1/generated.pb.go +++ b/pkg/apis/controlplane/v1beta1/generated.pb.go @@ -30,6 +30,7 @@ import ( reflect "reflect" strings "strings" + k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types" intstr "k8s.io/apimachinery/pkg/util/intstr" ) @@ -492,10 +493,38 @@ func (m *NetworkPolicyPeer) XXX_DiscardUnknown() { var xxx_messageInfo_NetworkPolicyPeer proto.InternalMessageInfo +func (m *NetworkPolicyReference) Reset() { *m = NetworkPolicyReference{} } +func (*NetworkPolicyReference) ProtoMessage() {} +func (*NetworkPolicyReference) Descriptor() ([]byte, []int) { + return fileDescriptor_345cd0a9074e5729, []int{16} +} +func (m *NetworkPolicyReference) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *NetworkPolicyReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *NetworkPolicyReference) XXX_Merge(src proto.Message) { + xxx_messageInfo_NetworkPolicyReference.Merge(m, src) +} +func (m *NetworkPolicyReference) XXX_Size() int { + return m.Size() +} +func (m *NetworkPolicyReference) XXX_DiscardUnknown() { + xxx_messageInfo_NetworkPolicyReference.DiscardUnknown(m) +} + +var xxx_messageInfo_NetworkPolicyReference proto.InternalMessageInfo + func (m *NetworkPolicyRule) Reset() { *m = NetworkPolicyRule{} } func (*NetworkPolicyRule) ProtoMessage() {} func (*NetworkPolicyRule) Descriptor() ([]byte, []int) { - return fileDescriptor_345cd0a9074e5729, []int{16} + return fileDescriptor_345cd0a9074e5729, []int{17} } func (m *NetworkPolicyRule) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -523,7 +552,7 @@ var xxx_messageInfo_NetworkPolicyRule proto.InternalMessageInfo func (m *PodReference) Reset() { *m = PodReference{} } func (*PodReference) ProtoMessage() {} func (*PodReference) Descriptor() ([]byte, []int) { - return fileDescriptor_345cd0a9074e5729, []int{17} + return fileDescriptor_345cd0a9074e5729, []int{18} } func (m *PodReference) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -551,7 +580,7 @@ var xxx_messageInfo_PodReference proto.InternalMessageInfo func (m *Service) Reset() { *m = Service{} } func (*Service) ProtoMessage() {} func (*Service) Descriptor() ([]byte, []int) { - return fileDescriptor_345cd0a9074e5729, []int{18} + return fileDescriptor_345cd0a9074e5729, []int{19} } func (m *Service) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -593,6 +622,7 @@ func init() { proto.RegisterType((*NetworkPolicy)(nil), "github.aaakk.us.kg.vmware_tanzu.antrea.pkg.apis.controlplane.v1beta1.NetworkPolicy") proto.RegisterType((*NetworkPolicyList)(nil), "github.aaakk.us.kg.vmware_tanzu.antrea.pkg.apis.controlplane.v1beta1.NetworkPolicyList") proto.RegisterType((*NetworkPolicyPeer)(nil), "github.aaakk.us.kg.vmware_tanzu.antrea.pkg.apis.controlplane.v1beta1.NetworkPolicyPeer") + proto.RegisterType((*NetworkPolicyReference)(nil), "github.aaakk.us.kg.vmware_tanzu.antrea.pkg.apis.controlplane.v1beta1.NetworkPolicyReference") proto.RegisterType((*NetworkPolicyRule)(nil), "github.aaakk.us.kg.vmware_tanzu.antrea.pkg.apis.controlplane.v1beta1.NetworkPolicyRule") proto.RegisterType((*PodReference)(nil), "github.aaakk.us.kg.vmware_tanzu.antrea.pkg.apis.controlplane.v1beta1.PodReference") proto.RegisterType((*Service)(nil), "github.aaakk.us.kg.vmware_tanzu.antrea.pkg.apis.controlplane.v1beta1.Service") @@ -603,92 +633,99 @@ func init() { } var fileDescriptor_345cd0a9074e5729 = []byte{ - // 1359 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x58, 0xcf, 0x6f, 0x1b, 0xc5, - 0x17, 0xcf, 0xae, 0xed, 0x24, 0x9e, 0x38, 0x69, 0x33, 0xf9, 0x4a, 0x5f, 0x53, 0x90, 0x1d, 0x2d, - 0x97, 0x1c, 0xe8, 0x2e, 0x29, 0x15, 0xf4, 0x50, 0x0e, 0x71, 0x93, 0x56, 0x86, 0x34, 0x5d, 0x4d, - 0xcb, 0x05, 0x21, 0xc1, 0x64, 0x77, 0xe2, 0x6c, 0xbd, 0xbb, 0xb3, 0x9d, 0x1d, 0xbb, 0x2d, 0x12, - 0x12, 0x88, 0x13, 0x5c, 0xf8, 0x71, 0x40, 0x5c, 0xf8, 0x07, 0x10, 0x7f, 0x04, 0xdc, 0x7a, 0xec, - 0xb1, 0x17, 0x2c, 0xe2, 0x0a, 0xc4, 0xdf, 0x90, 0x13, 0x9a, 0xd9, 0x59, 0xef, 0xae, 0x4d, 0xd4, - 0x48, 0x4e, 0x2c, 0x0e, 0x3d, 0x25, 0x33, 0xf3, 0xe6, 0x7d, 0x3e, 0xf3, 0xde, 0x9b, 0xcf, 0xbc, - 0x35, 0xd8, 0xed, 0x78, 0xfc, 0xb0, 0xb7, 0x6f, 0x3a, 0x34, 0xb0, 0xfa, 0xc1, 0x43, 0xcc, 0xc8, - 0x65, 0x8e, 0xc3, 0x4f, 0x7b, 0x16, 0x0e, 0x39, 0x23, 0xd8, 0x8a, 0xba, 0x1d, 0x0b, 0x47, 0x5e, - 0x6c, 0x39, 0x34, 0xe4, 0x8c, 0xfa, 0x91, 0x8f, 0x43, 0x62, 0xf5, 0x37, 0xf7, 0x09, 0xc7, 0x9b, - 0x56, 0x87, 0x84, 0x84, 0x61, 0x4e, 0x5c, 0x33, 0x62, 0x94, 0x53, 0x78, 0x3d, 0xf3, 0x66, 0x26, - 0xde, 0x3e, 0x96, 0xde, 0xcc, 0xc4, 0x9b, 0x19, 0x75, 0x3b, 0xa6, 0xf0, 0x66, 0xe6, 0xbd, 0x99, - 0xca, 0xdb, 0xa5, 0xcb, 0x39, 0x2e, 0x1d, 0xda, 0xa1, 0x96, 0x74, 0xba, 0xdf, 0x3b, 0x90, 0x23, - 0x39, 0x90, 0xff, 0x25, 0x60, 0x97, 0xae, 0x76, 0xaf, 0xc5, 0xa6, 0x47, 0x05, 0xbd, 0x00, 0x3b, - 0x87, 0x5e, 0x48, 0xd8, 0xe3, 0x8c, 0x6f, 0x40, 0x38, 0xb6, 0xfa, 0x13, 0x14, 0x2f, 0x59, 0x27, - 0xed, 0x62, 0xbd, 0x90, 0x7b, 0x01, 0x99, 0xd8, 0xf0, 0xf6, 0x8b, 0x36, 0xc4, 0xce, 0x21, 0x09, - 0xf0, 0xc4, 0xbe, 0xb7, 0x4e, 0xda, 0xd7, 0xe3, 0x9e, 0x6f, 0x79, 0x21, 0x8f, 0x39, 0x1b, 0xdf, - 0x64, 0xfc, 0xa5, 0x83, 0xda, 0x96, 0xeb, 0x32, 0x12, 0xc7, 0xb7, 0x18, 0xed, 0x45, 0xf0, 0x13, - 0xb0, 0x28, 0x4e, 0xe2, 0x62, 0x8e, 0xeb, 0xda, 0xba, 0xb6, 0xb1, 0x74, 0xe5, 0x4d, 0x33, 0x71, - 0x6c, 0xe6, 0x1d, 0x67, 0x91, 0x15, 0xd6, 0x66, 0x7f, 0xd3, 0xbc, 0xb3, 0x7f, 0x9f, 0x38, 0xfc, - 0x36, 0xe1, 0xb8, 0x05, 0x9f, 0x0c, 0x9a, 0x73, 0xc3, 0x41, 0x13, 0x64, 0x73, 0x68, 0xe4, 0x15, - 0x86, 0xa0, 0x1c, 0x51, 0x37, 0xae, 0xeb, 0xeb, 0xa5, 0x8d, 0xa5, 0x2b, 0xbb, 0xe6, 0x34, 0x29, - 0x34, 0x25, 0xe9, 0xdb, 0x24, 0xd8, 0x27, 0xcc, 0xa6, 0x6e, 0xab, 0xa6, 0x90, 0xcb, 0x36, 0x75, - 0x63, 0x24, 0x71, 0xe0, 0x97, 0x1a, 0xa8, 0x75, 0x32, 0xb3, 0xb8, 0x5e, 0x92, 0xc0, 0xed, 0x33, - 0x03, 0x6e, 0xfd, 0x4f, 0xa1, 0xd6, 0x72, 0x93, 0x31, 0x2a, 0x80, 0x1a, 0x47, 0x1a, 0xb8, 0x98, - 0x0f, 0xf4, 0xae, 0x17, 0x73, 0xf8, 0xd1, 0x44, 0xb0, 0xcd, 0xd3, 0x05, 0x5b, 0xec, 0x96, 0xa1, - 0xbe, 0xa8, 0xa0, 0x17, 0xd3, 0x99, 0x5c, 0xa0, 0x29, 0xa8, 0x78, 0x9c, 0x04, 0x69, 0xa4, 0xdf, - 0x9b, 0xee, 0xc0, 0x79, 0xf2, 0xad, 0x65, 0x05, 0x5b, 0x69, 0x0b, 0x00, 0x94, 0xe0, 0x18, 0x3f, - 0x57, 0xc0, 0x6a, 0xde, 0xcc, 0xc6, 0xdc, 0x39, 0x9c, 0x41, 0x45, 0x7d, 0x06, 0xaa, 0xd8, 0x75, - 0x89, 0x6b, 0x9f, 0x57, 0x59, 0xad, 0x2a, 0xf8, 0xea, 0x56, 0x0a, 0x83, 0x32, 0x44, 0x51, 0x60, - 0x4b, 0x8c, 0x04, 0xb4, 0xaf, 0x18, 0x94, 0xce, 0x81, 0xc1, 0x9a, 0x62, 0xb0, 0x84, 0x32, 0x20, - 0x94, 0x47, 0x85, 0xdf, 0x6b, 0x60, 0x55, 0x72, 0xca, 0x17, 0x61, 0xbd, 0x7c, 0xd6, 0xb5, 0xfe, - 0x8a, 0x22, 0xb2, 0xba, 0x35, 0x8e, 0x85, 0x26, 0xe1, 0xe1, 0x8f, 0x1a, 0x58, 0x53, 0x24, 0x0b, - 0xb4, 0x2a, 0x67, 0x4d, 0xeb, 0x55, 0x45, 0x6b, 0x0d, 0x4d, 0xa2, 0xa1, 0x7f, 0xa3, 0x60, 0xfc, - 0xad, 0x83, 0x95, 0xad, 0x28, 0xf2, 0x3d, 0xe2, 0xde, 0xa3, 0x2f, 0xb5, 0xef, 0x3c, 0xb5, 0xef, - 0x4f, 0x0d, 0xc0, 0x62, 0xa8, 0x67, 0xa0, 0x7e, 0x0f, 0x8a, 0xea, 0x37, 0x65, 0xac, 0x8b, 0xf4, - 0x4f, 0xd0, 0xbf, 0x5f, 0x2a, 0x60, 0xad, 0x68, 0xf8, 0x52, 0x01, 0x5f, 0x2a, 0xe0, 0x7f, 0x56, - 0x01, 0x7f, 0xd2, 0xc0, 0xe2, 0x4e, 0xe8, 0x46, 0xd4, 0x0b, 0x39, 0x7c, 0x1d, 0xe8, 0x5e, 0x24, - 0xab, 0xb3, 0xd6, 0x5a, 0x1b, 0x0e, 0x9a, 0x7a, 0xdb, 0x3e, 0x1e, 0x34, 0xab, 0x6d, 0x5b, 0x3d, - 0xe8, 0x48, 0xf7, 0x22, 0xe8, 0x83, 0x4a, 0x44, 0x19, 0x4f, 0x4b, 0xec, 0xd6, 0x74, 0xec, 0xf7, - 0x70, 0x20, 0x32, 0xc7, 0x78, 0x76, 0x9d, 0xc4, 0x28, 0x46, 0x09, 0x88, 0xe1, 0x83, 0xff, 0xef, - 0x3c, 0xe2, 0x84, 0x85, 0xd8, 0xdf, 0x09, 0xb9, 0xc7, 0x1f, 0x23, 0x72, 0x40, 0x18, 0x09, 0x1d, - 0x02, 0xd7, 0x41, 0x39, 0xc4, 0x01, 0x91, 0x7c, 0xab, 0x99, 0xf2, 0x09, 0x8f, 0x48, 0xae, 0x40, - 0x0b, 0x54, 0xc5, 0xdf, 0x38, 0xc2, 0x0e, 0xa9, 0xeb, 0xd2, 0x6c, 0x54, 0xc3, 0x7b, 0xe9, 0x02, - 0xca, 0x6c, 0x8c, 0x2f, 0x4a, 0x60, 0x29, 0x17, 0x1e, 0x48, 0x40, 0x29, 0xa2, 0xae, 0xba, 0xaf, - 0x53, 0xf6, 0x4e, 0x36, 0x75, 0x47, 0xdc, 0x5b, 0x0b, 0xc3, 0x41, 0xb3, 0x24, 0x66, 0x84, 0x7f, - 0xf8, 0x9d, 0x06, 0x56, 0x48, 0xe1, 0x94, 0x92, 0xed, 0xd2, 0x95, 0x0f, 0xa6, 0x83, 0x3c, 0x21, - 0x72, 0x2d, 0x38, 0x1c, 0x34, 0x57, 0xc6, 0x16, 0xc7, 0x08, 0xc0, 0x87, 0xa0, 0x4a, 0x54, 0x5d, - 0xa4, 0x77, 0xf9, 0xe6, 0x94, 0x6c, 0x94, 0xbb, 0x2c, 0x07, 0xe9, 0x4c, 0x8c, 0x32, 0x2c, 0xe3, - 0x6b, 0x1d, 0xac, 0x14, 0xaf, 0xfd, 0xac, 0xd2, 0x90, 0x94, 0xbf, 0x7e, 0xca, 0xf2, 0x2f, 0xcd, - 0xa2, 0xfc, 0x7f, 0xd7, 0xc0, 0x42, 0xdb, 0x6e, 0xf9, 0xd4, 0xe9, 0x42, 0x02, 0xca, 0x8e, 0xe7, - 0x32, 0x15, 0x86, 0x1b, 0xd3, 0x01, 0xb7, 0xed, 0x3d, 0xc2, 0xb3, 0x4b, 0x73, 0xa3, 0xbd, 0x8d, - 0x90, 0x74, 0x0f, 0xbb, 0x60, 0x9e, 0x3c, 0x72, 0x48, 0xc4, 0xd5, 0x05, 0x3f, 0x13, 0xa0, 0x15, - 0x05, 0x34, 0xbf, 0x23, 0x5d, 0x23, 0x05, 0x61, 0x1c, 0x80, 0x8a, 0x34, 0x38, 0x9d, 0xf4, 0x5c, - 0x03, 0xb5, 0x88, 0x91, 0x03, 0xef, 0xd1, 0x2e, 0x09, 0x3b, 0xfc, 0x50, 0xa6, 0xaa, 0x92, 0x75, - 0x1f, 0x76, 0x6e, 0x0d, 0x15, 0x2c, 0x8d, 0xaf, 0x34, 0x50, 0x1d, 0xc5, 0x5a, 0x28, 0x87, 0x08, - 0xaf, 0x84, 0xab, 0xe4, 0x7b, 0x26, 0xc6, 0x91, 0x5c, 0x19, 0x69, 0x8b, 0x7e, 0xa2, 0xb6, 0x5c, - 0x03, 0x8b, 0xf2, 0xeb, 0xd9, 0xa1, 0x7e, 0xbd, 0x24, 0xad, 0x5e, 0x4b, 0x1b, 0x11, 0x5b, 0xcd, - 0x1f, 0xe7, 0xfe, 0x47, 0x23, 0x6b, 0xe3, 0x87, 0x12, 0x58, 0xde, 0x23, 0xfc, 0x21, 0x65, 0x5d, - 0x9b, 0xfa, 0x9e, 0xf3, 0x78, 0x06, 0xbd, 0x01, 0x07, 0x15, 0xd6, 0xf3, 0x49, 0x2a, 0xda, 0x77, - 0xa6, 0xac, 0xda, 0x3c, 0x7b, 0xd4, 0xf3, 0x49, 0x56, 0xbd, 0x62, 0x14, 0xa3, 0x04, 0x0c, 0xbe, - 0x0b, 0x2e, 0xe0, 0x42, 0x2b, 0x94, 0xdc, 0x9a, 0xaa, 0xcc, 0xf0, 0x85, 0x62, 0x97, 0x14, 0xa3, - 0x71, 0x5b, 0xb8, 0x21, 0x42, 0xec, 0x51, 0x26, 0xf4, 0xb0, 0xbc, 0xae, 0x6d, 0x68, 0xad, 0x5a, - 0x12, 0xde, 0x64, 0x0e, 0x8d, 0x56, 0xe1, 0x36, 0xa8, 0x71, 0x8f, 0xb0, 0x74, 0xa5, 0x5e, 0x59, - 0xd7, 0x36, 0x96, 0x5b, 0xeb, 0xa2, 0x28, 0xee, 0xe5, 0xe6, 0x8f, 0xc7, 0xc6, 0xa8, 0xb0, 0xcb, - 0x78, 0xae, 0x81, 0xd5, 0xc2, 0xd1, 0x66, 0xd0, 0xa1, 0x46, 0xc5, 0x0e, 0xf5, 0xfd, 0x33, 0x4c, - 0xcc, 0x09, 0x0d, 0xea, 0x6f, 0xe3, 0xa7, 0xb4, 0x09, 0x61, 0xf0, 0x1d, 0xb0, 0x8c, 0x73, 0x5f, - 0xed, 0x71, 0x5d, 0x93, 0x89, 0x5a, 0x1d, 0x0e, 0x9a, 0xcb, 0xf9, 0xcf, 0xf9, 0x18, 0x15, 0xed, - 0x60, 0x0c, 0x16, 0xbd, 0x48, 0x0a, 0x54, 0x7a, 0x86, 0x9d, 0x69, 0x05, 0x43, 0x7a, 0xcb, 0xa2, - 0xa6, 0x26, 0x62, 0x34, 0x02, 0x32, 0x7e, 0x2d, 0x8f, 0x9d, 0x41, 0x94, 0x1d, 0xbc, 0x0e, 0xaa, - 0xae, 0xc7, 0x88, 0xc3, 0x3d, 0x1a, 0xaa, 0xae, 0xa0, 0x91, 0x3e, 0x35, 0xdb, 0xe9, 0xc2, 0x71, - 0x7e, 0x80, 0xb2, 0x0d, 0xf0, 0x01, 0x28, 0x1f, 0x30, 0x1a, 0xa8, 0x97, 0xf7, 0x2c, 0x6f, 0x88, - 0x08, 0x70, 0xa6, 0x21, 0x37, 0x19, 0x0d, 0x90, 0x84, 0x82, 0x5d, 0xa0, 0x73, 0x2a, 0xd5, 0xe3, - 0x1c, 0x00, 0x81, 0x02, 0xd4, 0xef, 0x51, 0xa4, 0x73, 0x2a, 0x12, 0x15, 0x13, 0xd6, 0xf7, 0x1c, - 0x92, 0xf6, 0xc3, 0x53, 0x26, 0xea, 0x6e, 0xe2, 0x2d, 0x4b, 0x94, 0x9a, 0x88, 0xd1, 0x08, 0x08, - 0xbe, 0x91, 0xbb, 0xc2, 0x15, 0xa9, 0xb6, 0x17, 0x33, 0x95, 0x9c, 0xb8, 0xc6, 0xf7, 0xc1, 0x3c, - 0x4e, 0xb2, 0x37, 0x2f, 0xb3, 0x87, 0xc4, 0x8b, 0xb1, 0x95, 0xa6, 0x6d, 0xfb, 0xb4, 0xbf, 0x1a, - 0xc7, 0xc4, 0xe9, 0x09, 0x7f, 0x56, 0x7f, 0x13, 0xfb, 0xd1, 0x21, 0xde, 0x34, 0x45, 0x79, 0x24, - 0x7e, 0x90, 0x42, 0x30, 0x30, 0xa8, 0xe5, 0x5b, 0x81, 0xf3, 0xe8, 0x26, 0xbf, 0xd1, 0xc0, 0x82, - 0x8a, 0x09, 0xbc, 0x9a, 0x7b, 0x2e, 0x12, 0x88, 0xfa, 0x8b, 0x9f, 0x0a, 0xb8, 0xa7, 0x1e, 0x2a, - 0xfd, 0x05, 0x8f, 0x42, 0x8f, 0x7b, 0xbe, 0x99, 0xfc, 0xba, 0x6b, 0xb6, 0x43, 0x7e, 0x87, 0xdd, - 0xe5, 0xcc, 0x0b, 0x3b, 0xad, 0xc5, 0xe2, 0xb3, 0xd6, 0xba, 0xfc, 0xe4, 0xa8, 0x31, 0xf7, 0xf4, - 0xa8, 0x31, 0xf7, 0xec, 0xa8, 0x31, 0xf7, 0xf9, 0xb0, 0xa1, 0x3d, 0x19, 0x36, 0xb4, 0xa7, 0xc3, - 0x86, 0xf6, 0x6c, 0xd8, 0xd0, 0xfe, 0x18, 0x36, 0xb4, 0x6f, 0x9f, 0x37, 0xe6, 0x3e, 0x5c, 0x50, - 0x19, 0xfe, 0x27, 0x00, 0x00, 0xff, 0xff, 0x3b, 0x01, 0xe0, 0x3e, 0xa8, 0x17, 0x00, 0x00, + // 1463 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x58, 0xcd, 0x6e, 0xdb, 0xc6, + 0x16, 0x36, 0x29, 0xc9, 0xb6, 0xc6, 0xb2, 0x13, 0x8f, 0x2f, 0xee, 0xd5, 0xcd, 0xbd, 0x90, 0x1c, + 0x76, 0xe3, 0x45, 0x43, 0xc5, 0x69, 0xda, 0x66, 0x91, 0x2e, 0xcc, 0xd8, 0x09, 0xd4, 0x3a, 0x8e, + 0x30, 0x71, 0x36, 0x45, 0x81, 0x96, 0x26, 0xc7, 0xf2, 0x44, 0x14, 0x87, 0x19, 0x8e, 0x94, 0xb8, + 0x40, 0x81, 0x06, 0x5d, 0xb5, 0x9b, 0xfe, 0xac, 0x8a, 0x02, 0x7d, 0x81, 0xa2, 0x0f, 0xd1, 0xee, + 0xb2, 0xcc, 0x32, 0x9b, 0x0a, 0xb5, 0x82, 0x06, 0x7d, 0x06, 0xaf, 0x8a, 0x19, 0x0e, 0x45, 0x52, + 0x8a, 0x10, 0x17, 0x92, 0x8d, 0x2e, 0xb2, 0xb2, 0x67, 0xe6, 0xcc, 0xf9, 0xbe, 0x39, 0xe7, 0xcc, + 0x37, 0x47, 0x04, 0xdb, 0x4d, 0xc2, 0x0f, 0x3a, 0x7b, 0xa6, 0x43, 0xdb, 0xb5, 0x6e, 0xfb, 0xa1, + 0xcd, 0xf0, 0x25, 0x6e, 0xfb, 0x9f, 0x76, 0x6a, 0xb6, 0xcf, 0x19, 0xb6, 0x6b, 0x41, 0xab, 0x59, + 0xb3, 0x03, 0x12, 0xd6, 0x1c, 0xea, 0x73, 0x46, 0xbd, 0xc0, 0xb3, 0x7d, 0x5c, 0xeb, 0xae, 0xef, + 0x61, 0x6e, 0xaf, 0xd7, 0x9a, 0xd8, 0xc7, 0xcc, 0xe6, 0xd8, 0x35, 0x03, 0x46, 0x39, 0x85, 0xd7, + 0x13, 0x6f, 0x66, 0xe4, 0xed, 0x63, 0xe9, 0xcd, 0x8c, 0xbc, 0x99, 0x41, 0xab, 0x69, 0x0a, 0x6f, + 0x66, 0xda, 0x9b, 0xa9, 0xbc, 0x5d, 0xb8, 0x94, 0xe2, 0xd2, 0xa4, 0x4d, 0x5a, 0x93, 0x4e, 0xf7, + 0x3a, 0xfb, 0x72, 0x24, 0x07, 0xf2, 0xbf, 0x08, 0xec, 0xc2, 0xd5, 0xd6, 0xb5, 0xd0, 0x24, 0x54, + 0xd0, 0x6b, 0xdb, 0xce, 0x01, 0xf1, 0x31, 0x3b, 0x4c, 0xf8, 0xb6, 0x31, 0xb7, 0x6b, 0xdd, 0x11, + 0x8a, 0x17, 0x6a, 0xe3, 0x76, 0xb1, 0x8e, 0xcf, 0x49, 0x1b, 0x8f, 0x6c, 0x78, 0xe7, 0x55, 0x1b, + 0x42, 0xe7, 0x00, 0xb7, 0xed, 0x91, 0x7d, 0x6f, 0x8d, 0xdb, 0xd7, 0xe1, 0xc4, 0xab, 0x11, 0x9f, + 0x87, 0x9c, 0x0d, 0x6f, 0x32, 0x5e, 0xe8, 0xa0, 0xb4, 0xe1, 0xba, 0x0c, 0x87, 0xe1, 0x2d, 0x46, + 0x3b, 0x01, 0xfc, 0x04, 0xcc, 0x8b, 0x93, 0xb8, 0x36, 0xb7, 0xcb, 0xda, 0xaa, 0xb6, 0xb6, 0x70, + 0xe5, 0xb2, 0x19, 0x39, 0x36, 0xd3, 0x8e, 0x93, 0xc8, 0x0a, 0x6b, 0xb3, 0xbb, 0x6e, 0xde, 0xd9, + 0xbb, 0x8f, 0x1d, 0x7e, 0x1b, 0x73, 0xdb, 0x82, 0x4f, 0x7a, 0xd5, 0x99, 0x7e, 0xaf, 0x0a, 0x92, + 0x39, 0x34, 0xf0, 0x0a, 0x7d, 0x90, 0x0f, 0xa8, 0x1b, 0x96, 0xf5, 0xd5, 0xdc, 0xda, 0xc2, 0x95, + 0x6d, 0x73, 0x92, 0x14, 0x9a, 0x92, 0xf4, 0x6d, 0xdc, 0xde, 0xc3, 0xac, 0x41, 0x5d, 0xab, 0xa4, + 0x90, 0xf3, 0x0d, 0xea, 0x86, 0x48, 0xe2, 0xc0, 0x2f, 0x34, 0x50, 0x6a, 0x26, 0x66, 0x61, 0x39, + 0x27, 0x81, 0xeb, 0x53, 0x03, 0xb6, 0xfe, 0xa5, 0x50, 0x4b, 0xa9, 0xc9, 0x10, 0x65, 0x40, 0x8d, + 0x23, 0x0d, 0x9c, 0x4f, 0x07, 0x7a, 0x9b, 0x84, 0x1c, 0x7e, 0x34, 0x12, 0x6c, 0xf3, 0x64, 0xc1, + 0x16, 0xbb, 0x65, 0xa8, 0xcf, 0x2b, 0xe8, 0xf9, 0x78, 0x26, 0x15, 0x68, 0x0a, 0x0a, 0x84, 0xe3, + 0x76, 0x1c, 0xe9, 0xf7, 0x27, 0x3b, 0x70, 0x9a, 0xbc, 0xb5, 0xa8, 0x60, 0x0b, 0x75, 0x01, 0x80, + 0x22, 0x1c, 0xe3, 0xa7, 0x02, 0x58, 0x4e, 0x9b, 0x35, 0x6c, 0xee, 0x1c, 0x9c, 0x41, 0x45, 0x7d, + 0x06, 0x8a, 0xb6, 0xeb, 0x62, 0xb7, 0x71, 0x5a, 0x65, 0xb5, 0xac, 0xe0, 0x8b, 0x1b, 0x31, 0x0c, + 0x4a, 0x10, 0x45, 0x81, 0x2d, 0x30, 0xdc, 0xa6, 0x5d, 0xc5, 0x20, 0x77, 0x0a, 0x0c, 0x56, 0x14, + 0x83, 0x05, 0x94, 0x00, 0xa1, 0x34, 0x2a, 0xfc, 0x4e, 0x03, 0xcb, 0x92, 0x53, 0xba, 0x08, 0xcb, + 0xf9, 0x69, 0xd7, 0xfa, 0x7f, 0x15, 0x91, 0xe5, 0x8d, 0x61, 0x2c, 0x34, 0x0a, 0x0f, 0xbf, 0xd7, + 0xc0, 0x8a, 0x22, 0x99, 0xa1, 0x55, 0x98, 0x36, 0xad, 0xff, 0x29, 0x5a, 0x2b, 0x68, 0x14, 0x0d, + 0xbd, 0x8c, 0x82, 0xf1, 0xa7, 0x0e, 0x96, 0x36, 0x82, 0xc0, 0x23, 0xd8, 0xdd, 0xa5, 0xaf, 0xb5, + 0xef, 0x34, 0xb5, 0xef, 0x0f, 0x0d, 0xc0, 0x6c, 0xa8, 0xcf, 0x40, 0xfd, 0x1e, 0x64, 0xd5, 0x6f, + 0xc2, 0x58, 0x67, 0xe9, 0x8f, 0xd1, 0xbf, 0x9f, 0x0b, 0x60, 0x25, 0x6b, 0xf8, 0x5a, 0x01, 0x5f, + 0x2b, 0xe0, 0x3f, 0x56, 0x01, 0x7f, 0xd4, 0xc0, 0xfc, 0x96, 0xef, 0x06, 0x94, 0xf8, 0x1c, 0xbe, + 0x01, 0x74, 0x12, 0xc8, 0xea, 0x2c, 0x59, 0x2b, 0xfd, 0x5e, 0x55, 0xaf, 0x37, 0x8e, 0x7b, 0xd5, + 0x62, 0xbd, 0xa1, 0x1e, 0x74, 0xa4, 0x93, 0x00, 0x7a, 0xa0, 0x10, 0x50, 0xc6, 0xe3, 0x12, 0xbb, + 0x35, 0x19, 0xfb, 0x1d, 0xbb, 0x2d, 0x32, 0xc7, 0x78, 0x72, 0x9d, 0xc4, 0x28, 0x44, 0x11, 0x88, + 0xe1, 0x81, 0xff, 0x6c, 0x3d, 0xe2, 0x98, 0xf9, 0xb6, 0xb7, 0xe5, 0x73, 0xc2, 0x0f, 0x11, 0xde, + 0xc7, 0x0c, 0xfb, 0x0e, 0x86, 0xab, 0x20, 0xef, 0xdb, 0x6d, 0x2c, 0xf9, 0x16, 0x13, 0xe5, 0x13, + 0x1e, 0x91, 0x5c, 0x81, 0x35, 0x50, 0x14, 0x7f, 0xc3, 0xc0, 0x76, 0x70, 0x59, 0x97, 0x66, 0x83, + 0x1a, 0xde, 0x89, 0x17, 0x50, 0x62, 0x63, 0x3c, 0xce, 0x81, 0x85, 0x54, 0x78, 0x20, 0x06, 0xb9, + 0x80, 0xba, 0xea, 0xbe, 0x4e, 0xd8, 0x3b, 0x35, 0xa8, 0x3b, 0xe0, 0x6e, 0xcd, 0xf5, 0x7b, 0xd5, + 0x9c, 0x98, 0x11, 0xfe, 0xe1, 0xb7, 0x1a, 0x58, 0xc2, 0x99, 0x53, 0x4a, 0xb6, 0x0b, 0x57, 0xee, + 0x4d, 0x06, 0x39, 0x26, 0x72, 0x16, 0xec, 0xf7, 0xaa, 0x4b, 0x43, 0x8b, 0x43, 0x04, 0xe0, 0x43, + 0x50, 0xc4, 0xaa, 0x2e, 0xe2, 0xbb, 0x7c, 0x73, 0x42, 0x36, 0xca, 0x5d, 0x92, 0x83, 0x78, 0x26, + 0x44, 0x09, 0x96, 0xf1, 0x95, 0x0e, 0x96, 0xb2, 0xd7, 0xfe, 0xac, 0xd2, 0x10, 0x95, 0xbf, 0x7e, + 0xc2, 0xf2, 0xcf, 0x9d, 0x45, 0xf9, 0xff, 0xa6, 0x81, 0xb9, 0x7a, 0xc3, 0xf2, 0xa8, 0xd3, 0x82, + 0x18, 0xe4, 0x1d, 0xe2, 0x32, 0x15, 0x86, 0x1b, 0x93, 0x01, 0xd7, 0x1b, 0x3b, 0x98, 0x27, 0x97, + 0xe6, 0x46, 0x7d, 0x13, 0x21, 0xe9, 0x1e, 0xb6, 0xc0, 0x2c, 0x7e, 0xe4, 0xe0, 0x80, 0xab, 0x0b, + 0x3e, 0x15, 0xa0, 0x25, 0x05, 0x34, 0xbb, 0x25, 0x5d, 0x23, 0x05, 0x61, 0xec, 0x83, 0x82, 0x34, + 0x38, 0x99, 0xf4, 0x5c, 0x03, 0xa5, 0x80, 0xe1, 0x7d, 0xf2, 0x68, 0x1b, 0xfb, 0x4d, 0x7e, 0x20, + 0x53, 0x55, 0x48, 0xba, 0x8f, 0x46, 0x6a, 0x0d, 0x65, 0x2c, 0x8d, 0x2f, 0x35, 0x50, 0x1c, 0xc4, + 0x5a, 0x28, 0x87, 0x08, 0xaf, 0x84, 0x2b, 0xa4, 0x7b, 0x26, 0xc6, 0x91, 0x5c, 0x19, 0x68, 0x8b, + 0x3e, 0x56, 0x5b, 0xae, 0x81, 0x79, 0xf9, 0xeb, 0xd9, 0xa1, 0x5e, 0x39, 0x27, 0xad, 0xfe, 0x1f, + 0x37, 0x22, 0x0d, 0x35, 0x7f, 0x9c, 0xfa, 0x1f, 0x0d, 0xac, 0x8d, 0x1f, 0xf2, 0x60, 0x71, 0x07, + 0xf3, 0x87, 0x94, 0xb5, 0x1a, 0xd4, 0x23, 0xce, 0xe1, 0x19, 0xf4, 0x06, 0x1c, 0x14, 0x58, 0xc7, + 0xc3, 0xb1, 0x68, 0xdf, 0x99, 0xb0, 0x6a, 0xd3, 0xec, 0x51, 0xc7, 0xc3, 0x49, 0xf5, 0x8a, 0x51, + 0x88, 0x22, 0x30, 0xf8, 0x1e, 0x38, 0x67, 0x67, 0x5a, 0xa1, 0xe8, 0xd6, 0x14, 0x65, 0x86, 0xcf, + 0x65, 0xbb, 0xa4, 0x10, 0x0d, 0xdb, 0xc2, 0x35, 0x11, 0x62, 0x42, 0x99, 0xd0, 0xc3, 0xfc, 0xaa, + 0xb6, 0xa6, 0x59, 0xa5, 0x28, 0xbc, 0xd1, 0x1c, 0x1a, 0xac, 0xc2, 0x4d, 0x50, 0xe2, 0x04, 0xb3, + 0x78, 0xa5, 0x5c, 0x58, 0xd5, 0xd6, 0x16, 0xad, 0x55, 0x51, 0x14, 0xbb, 0xa9, 0xf9, 0xe3, 0xa1, + 0x31, 0xca, 0xec, 0x82, 0x8f, 0x35, 0x50, 0x0c, 0x69, 0x87, 0x39, 0x18, 0xe1, 0xfd, 0xf2, 0xac, + 0x4c, 0xc4, 0xee, 0x34, 0x23, 0x35, 0xd0, 0x9d, 0x45, 0xa1, 0x7e, 0x77, 0x63, 0x28, 0x94, 0xa0, + 0x1a, 0xcf, 0x35, 0xb0, 0x9c, 0xd9, 0x74, 0x06, 0x5d, 0x72, 0x90, 0xed, 0x92, 0x3f, 0x98, 0xe2, + 0x91, 0xc7, 0x34, 0xc9, 0xbf, 0x0e, 0x9f, 0xb2, 0x81, 0x31, 0x83, 0xef, 0x82, 0x45, 0x3b, 0xf5, + 0xe5, 0x20, 0x2c, 0x6b, 0xb2, 0x58, 0x96, 0xfb, 0xbd, 0xea, 0x62, 0xfa, 0x93, 0x42, 0x88, 0xb2, + 0x76, 0x30, 0x04, 0xf3, 0x24, 0x90, 0x22, 0x19, 0x9f, 0x61, 0x6b, 0x52, 0xd1, 0x92, 0xde, 0x92, + 0xa8, 0xa9, 0x89, 0x10, 0x0d, 0x80, 0x8c, 0x17, 0x1a, 0xf8, 0xf7, 0xcb, 0xd3, 0x0b, 0xdf, 0x06, + 0x79, 0x7e, 0x18, 0xc4, 0x9d, 0xc9, 0xc5, 0x58, 0x3d, 0x76, 0x0f, 0x03, 0x7c, 0xdc, 0xab, 0x66, + 0x4f, 0x2e, 0x26, 0x91, 0x34, 0xff, 0xdb, 0xed, 0xca, 0x40, 0xa5, 0x72, 0x63, 0x55, 0xca, 0x02, + 0xb9, 0x0e, 0x71, 0xe5, 0xed, 0x29, 0x5a, 0x97, 0x95, 0x41, 0xee, 0x5e, 0x7d, 0xf3, 0xb8, 0x57, + 0xbd, 0x38, 0xee, 0x5b, 0xa1, 0x20, 0x13, 0x9a, 0xf7, 0xea, 0x9b, 0x48, 0x6c, 0x36, 0x7e, 0xc9, + 0x0f, 0x25, 0x4b, 0xdc, 0x71, 0x78, 0x1d, 0x14, 0x5d, 0xc2, 0xb0, 0xc3, 0x09, 0xf5, 0xd5, 0x41, + 0x2b, 0x31, 0xd9, 0xcd, 0x78, 0xe1, 0x38, 0x3d, 0x40, 0xc9, 0x06, 0xf8, 0x00, 0xe4, 0xf7, 0x19, + 0x6d, 0xab, 0x36, 0x67, 0x9a, 0x72, 0x24, 0x2a, 0x29, 0x09, 0xc5, 0x4d, 0x46, 0xdb, 0x48, 0x42, + 0xc1, 0x16, 0xd0, 0x39, 0x95, 0xa1, 0x3a, 0x05, 0x40, 0xa0, 0x00, 0xf5, 0x5d, 0x8a, 0x74, 0x4e, + 0x45, 0x45, 0x86, 0x98, 0x75, 0x89, 0x83, 0xe3, 0x1f, 0x1f, 0x13, 0x56, 0xe4, 0xdd, 0xc8, 0x5b, + 0x52, 0x91, 0x6a, 0x22, 0x44, 0x03, 0x20, 0xf8, 0x66, 0x4a, 0x2f, 0x0b, 0xf2, 0x69, 0x3b, 0x9f, + 0x3c, 0x49, 0x23, 0x9a, 0x79, 0x1f, 0xcc, 0xda, 0x51, 0xf6, 0x66, 0x65, 0xf6, 0x90, 0x78, 0x9e, + 0x37, 0xe2, 0xb4, 0x6d, 0x9e, 0xf4, 0x13, 0x7d, 0x88, 0x9d, 0x8e, 0xf0, 0x57, 0xeb, 0xae, 0xdb, + 0x5e, 0x70, 0x60, 0xaf, 0x9b, 0xa2, 0x3c, 0x22, 0x3f, 0x48, 0x21, 0x18, 0x36, 0x28, 0xa5, 0xfb, + 0xae, 0xd3, 0x68, 0xdd, 0xbf, 0xd6, 0xc0, 0x9c, 0x8a, 0x09, 0xbc, 0x9a, 0x7a, 0x9b, 0x23, 0x88, + 0xf2, 0xab, 0xdf, 0x65, 0xb8, 0xa3, 0xba, 0x02, 0xfd, 0x15, 0x2f, 0x70, 0x87, 0x13, 0xcf, 0x8c, + 0x3e, 0xa5, 0x9b, 0x75, 0x9f, 0xdf, 0x61, 0x77, 0x39, 0x23, 0x7e, 0xd3, 0x9a, 0xcf, 0xf6, 0x10, + 0xd6, 0xa5, 0x27, 0x47, 0x95, 0x99, 0xa7, 0x47, 0x95, 0x99, 0x67, 0x47, 0x95, 0x99, 0xcf, 0xfb, + 0x15, 0xed, 0x49, 0xbf, 0xa2, 0x3d, 0xed, 0x57, 0xb4, 0x67, 0xfd, 0x8a, 0xf6, 0x7b, 0xbf, 0xa2, + 0x7d, 0xf3, 0xbc, 0x32, 0xf3, 0xe1, 0x9c, 0xca, 0xf0, 0x5f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x2a, + 0xac, 0x0d, 0xfe, 0x15, 0x19, 0x00, 0x00, } func (m *AddressGroup) Marshal() (dAtA []byte, err error) { @@ -1415,6 +1452,18 @@ func (m *NetworkPolicy) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + if m.SourceRef != nil { + { + size, err := m.SourceRef.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x32 + } if m.TierPriority != nil { i = encodeVarintGenerated(dAtA, i, uint64(*m.TierPriority)) i-- @@ -1555,6 +1604,49 @@ func (m *NetworkPolicyPeer) MarshalToSizedBuffer(dAtA []byte) (int, error) { return len(dAtA) - i, nil } +func (m *NetworkPolicyReference) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *NetworkPolicyReference) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *NetworkPolicyReference) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + i -= len(m.UID) + copy(dAtA[i:], m.UID) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.UID))) + i-- + dAtA[i] = 0x22 + i -= len(m.Name) + copy(dAtA[i:], m.Name) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name))) + i-- + dAtA[i] = 0x1a + i -= len(m.Namespace) + copy(dAtA[i:], m.Namespace) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespace))) + i-- + dAtA[i] = 0x12 + i -= len(m.Type) + copy(dAtA[i:], m.Type) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type))) + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + func (m *NetworkPolicyRule) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) @@ -2012,6 +2104,10 @@ func (m *NetworkPolicy) Size() (n int) { if m.TierPriority != nil { n += 1 + sovGenerated(uint64(*m.TierPriority)) } + if m.SourceRef != nil { + l = m.SourceRef.Size() + n += 1 + l + sovGenerated(uint64(l)) + } return n } @@ -2053,6 +2149,23 @@ func (m *NetworkPolicyPeer) Size() (n int) { return n } +func (m *NetworkPolicyReference) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.Type) + n += 1 + l + sovGenerated(uint64(l)) + l = len(m.Namespace) + n += 1 + l + sovGenerated(uint64(l)) + l = len(m.Name) + n += 1 + l + sovGenerated(uint64(l)) + l = len(m.UID) + n += 1 + l + sovGenerated(uint64(l)) + return n +} + func (m *NetworkPolicyRule) Size() (n int) { if m == nil { return 0 @@ -2374,6 +2487,7 @@ func (this *NetworkPolicy) String() string { `AppliedToGroups:` + fmt.Sprintf("%v", this.AppliedToGroups) + `,`, `Priority:` + valueToStringGenerated(this.Priority) + `,`, `TierPriority:` + valueToStringGenerated(this.TierPriority) + `,`, + `SourceRef:` + strings.Replace(this.SourceRef.String(), "NetworkPolicyReference", "NetworkPolicyReference", 1) + `,`, `}`, }, "") return s @@ -2410,6 +2524,19 @@ func (this *NetworkPolicyPeer) String() string { }, "") return s } +func (this *NetworkPolicyReference) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&NetworkPolicyReference{`, + `Type:` + fmt.Sprintf("%v", this.Type) + `,`, + `Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`, + `Name:` + fmt.Sprintf("%v", this.Name) + `,`, + `UID:` + fmt.Sprintf("%v", this.UID) + `,`, + `}`, + }, "") + return s +} func (this *NetworkPolicyRule) String() string { if this == nil { return "nil" @@ -4528,6 +4655,42 @@ func (m *NetworkPolicy) Unmarshal(dAtA []byte) error { } } m.TierPriority = &v + case 6: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field SourceRef", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.SourceRef == nil { + m.SourceRef = &NetworkPolicyReference{} + } + if err := m.SourceRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) @@ -4791,6 +4954,187 @@ func (m *NetworkPolicyPeer) Unmarshal(dAtA []byte) error { } return nil } +func (m *NetworkPolicyReference) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: NetworkPolicyReference: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: NetworkPolicyReference: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Type = NetworkPolicyType(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Namespace = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Name = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.UID = k8s_io_apimachinery_pkg_types.UID(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *NetworkPolicyRule) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 diff --git a/pkg/apis/controlplane/v1beta1/generated.proto b/pkg/apis/controlplane/v1beta1/generated.proto index 5b3f05b0f1c..039b289a7ec 100644 --- a/pkg/apis/controlplane/v1beta1/generated.proto +++ b/pkg/apis/controlplane/v1beta1/generated.proto @@ -192,6 +192,9 @@ message NetworkPolicy { // TierPriority represents the priority of the Tier associated with this Network // Policy. The TierPriority will remain nil for K8s NetworkPolicy. optional uint32 tierPriority = 5; + + // Reference to the original NetworkPolicy that the internal NetworkPolicy is created for. + optional NetworkPolicyReference sourceRef = 6; } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -212,6 +215,20 @@ message NetworkPolicyPeer { repeated IPBlock ipBlocks = 2; } +message NetworkPolicyReference { + // Type of the NetworkPolicy. + optional string type = 1; + + // Namespace of the NetworkPolicy. It's empty for Antrea ClusterNetworkPolicy. + optional string namespace = 2; + + // Name of the NetworkPolicy. + optional string name = 3; + + // UID of the NetworkPolicy. + optional string uid = 4; +} + // NetworkPolicyRule describes a particular set of traffic that is allowed. message NetworkPolicyRule { // The direction of this rule. diff --git a/pkg/apis/controlplane/v1beta1/helper.go b/pkg/apis/controlplane/v1beta1/helper.go index 5a3d4c2dd2c..7d7b18fb6ec 100644 --- a/pkg/apis/controlplane/v1beta1/helper.go +++ b/pkg/apis/controlplane/v1beta1/helper.go @@ -14,6 +14,8 @@ package v1beta1 +import "fmt" + // Conversion functions between GroupMember and GroupMemberPod func (g *GroupMember) ToGroupMemberPod() *GroupMemberPod { return &GroupMemberPod{ @@ -31,3 +33,11 @@ func (p *GroupMemberPod) ToGroupMember() *GroupMember { }, } } + +func (r *NetworkPolicyReference) ToString() string { + if r.Type == AntreaClusterNetworkPolicy { + return fmt.Sprintf("%s:%s", r.Type, r.Name) + } else { + return fmt.Sprintf("%s:%s/%s", r.Type, r.Namespace, r.Name) + } +} diff --git a/pkg/apis/controlplane/v1beta1/types.go b/pkg/apis/controlplane/v1beta1/types.go index 437aa1619dd..3f01edb1495 100644 --- a/pkg/apis/controlplane/v1beta1/types.go +++ b/pkg/apis/controlplane/v1beta1/types.go @@ -16,6 +16,7 @@ package v1beta1 import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/intstr" secv1alpha1 "github.com/vmware-tanzu/antrea/pkg/apis/security/v1alpha1" @@ -155,6 +156,25 @@ type AddressGroupList struct { // TierPriority indicates higher precedence. type TierPriority uint32 +type NetworkPolicyType string + +const ( + K8sNetworkPolicy NetworkPolicyType = "K8sNetworkPolicy" + AntreaClusterNetworkPolicy NetworkPolicyType = "AntreaClusterNetworkPolicy" + AntreaNetworkPolicy NetworkPolicyType = "AntreaNetworkPolicy" +) + +type NetworkPolicyReference struct { + // Type of the NetworkPolicy. + Type NetworkPolicyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=NetworkPolicyType"` + // Namespace of the NetworkPolicy. It's empty for Antrea ClusterNetworkPolicy. + Namespace string `json:"namespace,omitempty" protobuf:"bytes,2,opt,name=namespace"` + // Name of the NetworkPolicy. + Name string `json:"name,omitempty" protobuf:"bytes,3,opt,name=name"` + // UID of the NetworkPolicy. + UID types.UID `json:"uid,omitempty" protobuf:"bytes,4,opt,name=uid,casttype=k8s.io/apimachinery/pkg/types.UID"` +} + // +genclient // +genclient:onlyVerbs=list,get,watch // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -172,6 +192,8 @@ type NetworkPolicy struct { // TierPriority represents the priority of the Tier associated with this Network // Policy. The TierPriority will remain nil for K8s NetworkPolicy. TierPriority *TierPriority `json:"tierPriority,omitempty" protobuf:"varint,5,opt,name=tierPriority"` + // Reference to the original NetworkPolicy that the internal NetworkPolicy is created for. + SourceRef *NetworkPolicyReference `json:"sourceRef,omitempty" protobuf:"bytes,6,opt,name=sourceRef"` } // Direction defines traffic direction of NetworkPolicyRule. diff --git a/pkg/apis/controlplane/v1beta1/zz_generated.conversion.go b/pkg/apis/controlplane/v1beta1/zz_generated.conversion.go index abf52d54b7e..e66541de3f0 100644 --- a/pkg/apis/controlplane/v1beta1/zz_generated.conversion.go +++ b/pkg/apis/controlplane/v1beta1/zz_generated.conversion.go @@ -25,6 +25,7 @@ import ( v1alpha1 "github.com/vmware-tanzu/antrea/pkg/apis/security/v1alpha1" conversion "k8s.io/apimachinery/pkg/conversion" runtime "k8s.io/apimachinery/pkg/runtime" + types "k8s.io/apimachinery/pkg/types" intstr "k8s.io/apimachinery/pkg/util/intstr" ) @@ -195,6 +196,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*NetworkPolicyReference)(nil), (*controlplane.NetworkPolicyReference)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta1_NetworkPolicyReference_To_controlplane_NetworkPolicyReference(a.(*NetworkPolicyReference), b.(*controlplane.NetworkPolicyReference), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*controlplane.NetworkPolicyReference)(nil), (*NetworkPolicyReference)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_controlplane_NetworkPolicyReference_To_v1beta1_NetworkPolicyReference(a.(*controlplane.NetworkPolicyReference), b.(*NetworkPolicyReference), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*NetworkPolicyRule)(nil), (*controlplane.NetworkPolicyRule)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1beta1_NetworkPolicyRule_To_controlplane_NetworkPolicyRule(a.(*NetworkPolicyRule), b.(*controlplane.NetworkPolicyRule), scope) }); err != nil { @@ -546,6 +557,7 @@ func autoConvert_v1beta1_NetworkPolicy_To_controlplane_NetworkPolicy(in *Network out.AppliedToGroups = *(*[]string)(unsafe.Pointer(&in.AppliedToGroups)) out.Priority = (*float64)(unsafe.Pointer(in.Priority)) out.TierPriority = (*controlplane.TierPriority)(unsafe.Pointer(in.TierPriority)) + out.SourceRef = (*controlplane.NetworkPolicyReference)(unsafe.Pointer(in.SourceRef)) return nil } @@ -560,6 +572,7 @@ func autoConvert_controlplane_NetworkPolicy_To_v1beta1_NetworkPolicy(in *control out.AppliedToGroups = *(*[]string)(unsafe.Pointer(&in.AppliedToGroups)) out.Priority = (*float64)(unsafe.Pointer(in.Priority)) out.TierPriority = (*TierPriority)(unsafe.Pointer(in.TierPriority)) + out.SourceRef = (*NetworkPolicyReference)(unsafe.Pointer(in.SourceRef)) return nil } @@ -612,6 +625,32 @@ func Convert_controlplane_NetworkPolicyPeer_To_v1beta1_NetworkPolicyPeer(in *con return autoConvert_controlplane_NetworkPolicyPeer_To_v1beta1_NetworkPolicyPeer(in, out, s) } +func autoConvert_v1beta1_NetworkPolicyReference_To_controlplane_NetworkPolicyReference(in *NetworkPolicyReference, out *controlplane.NetworkPolicyReference, s conversion.Scope) error { + out.Type = controlplane.NetworkPolicyType(in.Type) + out.Namespace = in.Namespace + out.Name = in.Name + out.UID = types.UID(in.UID) + return nil +} + +// Convert_v1beta1_NetworkPolicyReference_To_controlplane_NetworkPolicyReference is an autogenerated conversion function. +func Convert_v1beta1_NetworkPolicyReference_To_controlplane_NetworkPolicyReference(in *NetworkPolicyReference, out *controlplane.NetworkPolicyReference, s conversion.Scope) error { + return autoConvert_v1beta1_NetworkPolicyReference_To_controlplane_NetworkPolicyReference(in, out, s) +} + +func autoConvert_controlplane_NetworkPolicyReference_To_v1beta1_NetworkPolicyReference(in *controlplane.NetworkPolicyReference, out *NetworkPolicyReference, s conversion.Scope) error { + out.Type = NetworkPolicyType(in.Type) + out.Namespace = in.Namespace + out.Name = in.Name + out.UID = types.UID(in.UID) + return nil +} + +// Convert_controlplane_NetworkPolicyReference_To_v1beta1_NetworkPolicyReference is an autogenerated conversion function. +func Convert_controlplane_NetworkPolicyReference_To_v1beta1_NetworkPolicyReference(in *controlplane.NetworkPolicyReference, out *NetworkPolicyReference, s conversion.Scope) error { + return autoConvert_controlplane_NetworkPolicyReference_To_v1beta1_NetworkPolicyReference(in, out, s) +} + func autoConvert_v1beta1_NetworkPolicyRule_To_controlplane_NetworkPolicyRule(in *NetworkPolicyRule, out *controlplane.NetworkPolicyRule, s conversion.Scope) error { out.Direction = controlplane.Direction(in.Direction) if err := Convert_v1beta1_NetworkPolicyPeer_To_controlplane_NetworkPolicyPeer(&in.From, &out.From, s); err != nil { diff --git a/pkg/apis/controlplane/v1beta1/zz_generated.deepcopy.go b/pkg/apis/controlplane/v1beta1/zz_generated.deepcopy.go index 8d10a6a863a..ce3e86afd3b 100644 --- a/pkg/apis/controlplane/v1beta1/zz_generated.deepcopy.go +++ b/pkg/apis/controlplane/v1beta1/zz_generated.deepcopy.go @@ -522,6 +522,11 @@ func (in *NetworkPolicy) DeepCopyInto(out *NetworkPolicy) { *out = new(TierPriority) **out = **in } + if in.SourceRef != nil { + in, out := &in.SourceRef, &out.SourceRef + *out = new(NetworkPolicyReference) + **out = **in + } return } @@ -604,6 +609,22 @@ func (in *NetworkPolicyPeer) DeepCopy() *NetworkPolicyPeer { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyReference) DeepCopyInto(out *NetworkPolicyReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyReference. +func (in *NetworkPolicyReference) DeepCopy() *NetworkPolicyReference { + if in == nil { + return nil + } + out := new(NetworkPolicyReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NetworkPolicyRule) DeepCopyInto(out *NetworkPolicyRule) { *out = *in diff --git a/pkg/apis/controlplane/zz_generated.deepcopy.go b/pkg/apis/controlplane/zz_generated.deepcopy.go index 58723dab101..de1b3cc6885 100644 --- a/pkg/apis/controlplane/zz_generated.deepcopy.go +++ b/pkg/apis/controlplane/zz_generated.deepcopy.go @@ -522,6 +522,11 @@ func (in *NetworkPolicy) DeepCopyInto(out *NetworkPolicy) { *out = new(TierPriority) **out = **in } + if in.SourceRef != nil { + in, out := &in.SourceRef, &out.SourceRef + *out = new(NetworkPolicyReference) + **out = **in + } return } @@ -604,6 +609,22 @@ func (in *NetworkPolicyPeer) DeepCopy() *NetworkPolicyPeer { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyReference) DeepCopyInto(out *NetworkPolicyReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyReference. +func (in *NetworkPolicyReference) DeepCopy() *NetworkPolicyReference { + if in == nil { + return nil + } + out := new(NetworkPolicyReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NetworkPolicyRule) DeepCopyInto(out *NetworkPolicyRule) { *out = *in diff --git a/pkg/apiserver/openapi/zz_generated.openapi.go b/pkg/apiserver/openapi/zz_generated.openapi.go index d42a74ec1e7..3292fb18923 100644 --- a/pkg/apiserver/openapi/zz_generated.openapi.go +++ b/pkg/apiserver/openapi/zz_generated.openapi.go @@ -53,6 +53,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1.NetworkPolicy": schema_pkg_apis_controlplane_v1beta1_NetworkPolicy(ref), "github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1.NetworkPolicyList": schema_pkg_apis_controlplane_v1beta1_NetworkPolicyList(ref), "github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1.NetworkPolicyPeer": schema_pkg_apis_controlplane_v1beta1_NetworkPolicyPeer(ref), + "github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1.NetworkPolicyReference": schema_pkg_apis_controlplane_v1beta1_NetworkPolicyReference(ref), "github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1.NetworkPolicyRule": schema_pkg_apis_controlplane_v1beta1_NetworkPolicyRule(ref), "github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1.PodReference": schema_pkg_apis_controlplane_v1beta1_PodReference(ref), "github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1.Service": schema_pkg_apis_controlplane_v1beta1_Service(ref), @@ -1444,11 +1445,17 @@ func schema_pkg_apis_controlplane_v1beta1_NetworkPolicy(ref common.ReferenceCall Format: "int64", }, }, + "sourceRef": { + SchemaProps: spec.SchemaProps{ + Description: "Reference to the original NetworkPolicy that the internal NetworkPolicy is created for.", + Ref: ref("github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1.NetworkPolicyReference"), + }, + }, }, }, }, Dependencies: []string{ - "github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1.NetworkPolicyRule", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1.NetworkPolicyReference", "github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1.NetworkPolicyRule", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } @@ -1541,6 +1548,46 @@ func schema_pkg_apis_controlplane_v1beta1_NetworkPolicyPeer(ref common.Reference } } +func schema_pkg_apis_controlplane_v1beta1_NetworkPolicyReference(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "Type of the NetworkPolicy.", + Type: []string{"string"}, + Format: "", + }, + }, + "namespace": { + SchemaProps: spec.SchemaProps{ + Description: "Namespace of the NetworkPolicy. It's empty for Antrea ClusterNetworkPolicy.", + Type: []string{"string"}, + Format: "", + }, + }, + "name": { + SchemaProps: spec.SchemaProps{ + Description: "Name of the NetworkPolicy.", + Type: []string{"string"}, + Format: "", + }, + }, + "uid": { + SchemaProps: spec.SchemaProps{ + Description: "UID of the NetworkPolicy.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_pkg_apis_controlplane_v1beta1_NetworkPolicyRule(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy.go b/pkg/controller/networkpolicy/antreanetworkpolicy.go index f5fa10d6750..f94d5b9d29b 100644 --- a/pkg/controller/networkpolicy/antreanetworkpolicy.go +++ b/pkg/controller/networkpolicy/antreanetworkpolicy.go @@ -157,6 +157,12 @@ func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *secv1alpha1.Net } tierPriority := getTierPriority(np.Spec.Tier) internalNetworkPolicy := &antreatypes.NetworkPolicy{ + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaNetworkPolicy, + Namespace: np.Namespace, + Name: np.Name, + UID: np.UID, + }, Name: np.Name, Namespace: np.Namespace, UID: np.UID, diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy_test.go b/pkg/controller/networkpolicy/antreanetworkpolicy_test.go index 34458a0aa6a..9f69fcec560 100644 --- a/pkg/controller/networkpolicy/antreanetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/antreanetworkpolicy_test.go @@ -15,7 +15,6 @@ package networkpolicy import ( - "reflect" "testing" "github.com/stretchr/testify/assert" @@ -91,9 +90,15 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { }, }, expectedPolicy: &antreatypes.NetworkPolicy{ - UID: "uidA", - Name: "npA", - Namespace: "ns1", + UID: "uidA", + Name: "npA", + Namespace: "ns1", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaNetworkPolicy, + Namespace: "ns1", + Name: "npA", + UID: "uidA", + }, Priority: &p10, TierPriority: &appTier, Rules: []controlplane.NetworkPolicyRule{ @@ -171,9 +176,15 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { }, }, expectedPolicy: &antreatypes.NetworkPolicy{ - UID: "uidB", - Name: "npB", - Namespace: "ns2", + UID: "uidB", + Name: "npB", + Namespace: "ns2", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaNetworkPolicy, + Namespace: "ns2", + Name: "npB", + UID: "uidB", + }, Priority: &p10, TierPriority: &appTier, Rules: []controlplane.NetworkPolicyRule{ @@ -216,17 +227,9 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { t.Run(tt.name, func(t *testing.T) { _, c := newController() - if actualPolicy := c.processAntreaNetworkPolicy(tt.inputPolicy); !reflect.DeepEqual(actualPolicy, tt.expectedPolicy) { - t.Errorf("processClusterNetworkPolicy() got %v, want %v", actualPolicy, tt.expectedPolicy) - } - - if actualAddressGroups := len(c.addressGroupStore.List()); actualAddressGroups != tt.expectedAddressGroups { - t.Errorf("len(addressGroupStore.List()) got %v, want %v", actualAddressGroups, tt.expectedAddressGroups) - } - - if actualAppliedToGroups := len(c.appliedToGroupStore.List()); actualAppliedToGroups != tt.expectedAppliedToGroups { - t.Errorf("len(appliedToGroupStore.List()) got %v, want %v", actualAppliedToGroups, tt.expectedAppliedToGroups) - } + assert.Equal(t, tt.expectedPolicy, c.processAntreaNetworkPolicy(tt.inputPolicy)) + assert.Equal(t, tt.expectedAddressGroups, len(c.addressGroupStore.List())) + assert.Equal(t, tt.expectedAppliedToGroups, len(c.appliedToGroupStore.List())) }) } } @@ -278,9 +281,15 @@ func TestAddANP(t *testing.T) { }, }, expPolicy: &antreatypes.NetworkPolicy{ - UID: "uidA", - Name: "anpA", - Namespace: "nsA", + UID: "uidA", + Name: "anpA", + Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaNetworkPolicy, + Namespace: "nsA", + Name: "anpA", + UID: "uidA", + }, Priority: &p10, TierPriority: &appTier, Rules: []controlplane.NetworkPolicyRule{ @@ -312,17 +321,10 @@ func TestAddANP(t *testing.T) { key, _ := keyFunc(tt.inputPolicy) actualPolicyObj, _, _ := npc.internalNetworkPolicyStore.Get(key) actualPolicy := actualPolicyObj.(*antreatypes.NetworkPolicy) - if !reflect.DeepEqual(actualPolicy, tt.expPolicy) { - t.Errorf("addANP() got %v, want %v", actualPolicy, tt.expPolicy) - } - - if actualAddressGroups := len(npc.addressGroupStore.List()); actualAddressGroups != tt.expAddressGroups { - t.Errorf("len(addressGroupStore.List()) got %v, want %v", actualAddressGroups, tt.expAddressGroups) - } - if actualAppliedToGroups := len(npc.appliedToGroupStore.List()); actualAppliedToGroups != tt.expAppliedToGroups { - t.Errorf("len(appliedToGroupStore.List()) got %v, want %v", actualAppliedToGroups, tt.expAppliedToGroups) - } + assert.Equal(t, tt.expPolicy, actualPolicy) + assert.Equal(t, tt.expAddressGroups, len(npc.addressGroupStore.List())) + assert.Equal(t, tt.expAppliedToGroups, len(npc.appliedToGroupStore.List())) }) } } diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go index 4012b97b08b..7937146c4bf 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy.go @@ -167,8 +167,13 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *secv1alpha1.C } tierPriority := getTierPriority(cnp.Spec.Tier) internalNetworkPolicy := &antreatypes.NetworkPolicy{ - Name: cnp.Name, - Namespace: "", + Name: cnp.Name, + Namespace: "", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaClusterNetworkPolicy, + Name: cnp.Name, + UID: cnp.UID, + }, UID: cnp.UID, AppliedToGroups: appliedToGroupNames, Rules: rules, diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go index a1045ad4b09..cd5d54bf888 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go @@ -15,7 +15,6 @@ package networkpolicy import ( - "reflect" "testing" "github.com/stretchr/testify/assert" @@ -87,9 +86,14 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, }, expectedPolicy: &antreatypes.NetworkPolicy{ - UID: "uidA", - Name: "cnpA", - Namespace: "", + UID: "uidA", + Name: "cnpA", + Namespace: "", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaClusterNetworkPolicy, + Name: "cnpA", + UID: "uidA", + }, Priority: &p10, TierPriority: &appTier, Rules: []controlplane.NetworkPolicyRule{ @@ -167,9 +171,14 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, }, expectedPolicy: &antreatypes.NetworkPolicy{ - UID: "uidA", - Name: "cnpA", - Namespace: "", + UID: "uidA", + Name: "cnpA", + Namespace: "", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaClusterNetworkPolicy, + Name: "cnpA", + UID: "uidA", + }, Priority: &p10, TierPriority: &appTier, Rules: []controlplane.NetworkPolicyRule{ @@ -212,17 +221,9 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { t.Run(tt.name, func(t *testing.T) { _, c := newController() - if actualPolicy := c.processClusterNetworkPolicy(tt.inputPolicy); !reflect.DeepEqual(actualPolicy, tt.expectedPolicy) { - t.Errorf("processClusterNetworkPolicy() got %v, want %v", actualPolicy, tt.expectedPolicy) - } - - if actualAddressGroups := len(c.addressGroupStore.List()); actualAddressGroups != tt.expectedAddressGroups { - t.Errorf("len(addressGroupStore.List()) got %v, want %v", actualAddressGroups, tt.expectedAddressGroups) - } - - if actualAppliedToGroups := len(c.appliedToGroupStore.List()); actualAppliedToGroups != tt.expectedAppliedToGroups { - t.Errorf("len(appliedToGroupStore.List()) got %v, want %v", actualAppliedToGroups, tt.expectedAppliedToGroups) - } + assert.Equal(t, tt.expectedPolicy, c.processClusterNetworkPolicy(tt.inputPolicy)) + assert.Equal(t, tt.expectedAddressGroups, len(c.addressGroupStore.List())) + assert.Equal(t, tt.expectedAppliedToGroups, len(c.appliedToGroupStore.List())) }) } } @@ -280,9 +281,14 @@ func TestAddCNP(t *testing.T) { }, }, expPolicy: &antreatypes.NetworkPolicy{ - UID: "uidA", - Name: "cnpA", - Namespace: "", + UID: "uidA", + Name: "cnpA", + Namespace: "", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaClusterNetworkPolicy, + Name: "cnpA", + UID: "uidA", + }, Priority: &p10, TierPriority: &appTier, Rules: []controlplane.NetworkPolicyRule{ @@ -335,9 +341,13 @@ func TestAddCNP(t *testing.T) { }, }, expPolicy: &antreatypes.NetworkPolicy{ - UID: "uidB", - Name: "cnpB", - Namespace: "", + UID: "uidB", + Name: "cnpB", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaClusterNetworkPolicy, + Name: "cnpB", + UID: "uidB", + }, Priority: &p10, TierPriority: &secOpsTier, Rules: []controlplane.NetworkPolicyRule{ @@ -390,9 +400,14 @@ func TestAddCNP(t *testing.T) { }, }, expPolicy: &antreatypes.NetworkPolicy{ - UID: "uidC", - Name: "cnpC", - Namespace: "", + UID: "uidC", + Name: "cnpC", + Namespace: "", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaClusterNetworkPolicy, + Name: "cnpC", + UID: "uidC", + }, Priority: &p10, TierPriority: &netOpsTier, Rules: []controlplane.NetworkPolicyRule{ @@ -445,9 +460,14 @@ func TestAddCNP(t *testing.T) { }, }, expPolicy: &antreatypes.NetworkPolicy{ - UID: "uidD", - Name: "cnpD", - Namespace: "", + UID: "uidD", + Name: "cnpD", + Namespace: "", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaClusterNetworkPolicy, + Name: "cnpD", + UID: "uidD", + }, Priority: &p10, TierPriority: &emergencyTier, Rules: []controlplane.NetworkPolicyRule{ @@ -500,9 +520,14 @@ func TestAddCNP(t *testing.T) { }, }, expPolicy: &antreatypes.NetworkPolicy{ - UID: "uidE", - Name: "cnpE", - Namespace: "", + UID: "uidE", + Name: "cnpE", + Namespace: "", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaClusterNetworkPolicy, + Name: "cnpE", + UID: "uidE", + }, Priority: &p10, TierPriority: &platformTier, Rules: []controlplane.NetworkPolicyRule{ @@ -570,9 +595,14 @@ func TestAddCNP(t *testing.T) { }, }, expPolicy: &antreatypes.NetworkPolicy{ - UID: "uidF", - Name: "cnpF", - Namespace: "", + UID: "uidF", + Name: "cnpF", + Namespace: "", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaClusterNetworkPolicy, + Name: "cnpF", + UID: "uidF", + }, Priority: &p10, TierPriority: &appTier, Rules: []controlplane.NetworkPolicyRule{ @@ -650,9 +680,14 @@ func TestAddCNP(t *testing.T) { }, }, expPolicy: &antreatypes.NetworkPolicy{ - UID: "uidG", - Name: "cnpG", - Namespace: "", + UID: "uidG", + Name: "cnpG", + Namespace: "", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaClusterNetworkPolicy, + Name: "cnpG", + UID: "uidG", + }, Priority: &p10, TierPriority: &appTier, Rules: []controlplane.NetworkPolicyRule{ @@ -698,17 +733,9 @@ func TestAddCNP(t *testing.T) { key, _ := keyFunc(tt.inputPolicy) actualPolicyObj, _, _ := npc.internalNetworkPolicyStore.Get(key) actualPolicy := actualPolicyObj.(*antreatypes.NetworkPolicy) - if !reflect.DeepEqual(actualPolicy, tt.expPolicy) { - t.Errorf("addCNP() got %v, want %v", actualPolicy, tt.expPolicy) - } - - if actualAddressGroups := len(npc.addressGroupStore.List()); actualAddressGroups != tt.expAddressGroups { - t.Errorf("len(addressGroupStore.List()) got %v, want %v", actualAddressGroups, tt.expAddressGroups) - } - - if actualAppliedToGroups := len(npc.appliedToGroupStore.List()); actualAppliedToGroups != tt.expAppliedToGroups { - t.Errorf("len(appliedToGroupStore.List()) got %v, want %v", actualAppliedToGroups, tt.expAppliedToGroups) - } + assert.Equal(t, tt.expPolicy, actualPolicy) + assert.Equal(t, tt.expAddressGroups, len(npc.addressGroupStore.List())) + assert.Equal(t, tt.expAppliedToGroups, len(npc.appliedToGroupStore.List())) }) } _, npc := newController() diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go index d6f94e149fd..9d37072e776 100644 --- a/pkg/controller/networkpolicy/networkpolicy_controller.go +++ b/pkg/controller/networkpolicy/networkpolicy_controller.go @@ -627,9 +627,15 @@ func (n *NetworkPolicyController) processNetworkPolicy(np *networkingv1.NetworkP } internalNetworkPolicy := &antreatypes.NetworkPolicy{ - Name: np.ObjectMeta.Name, - Namespace: np.ObjectMeta.Namespace, - UID: np.ObjectMeta.UID, + Name: np.Name, + Namespace: np.Namespace, + UID: np.UID, + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: np.Namespace, + Name: np.Name, + UID: np.UID, + }, AppliedToGroups: appliedToGroupNames, Rules: rules, } @@ -1534,6 +1540,7 @@ func (n *NetworkPolicyController) syncInternalNetworkPolicy(key string) error { UID: internalNP.UID, Name: internalNP.Name, Namespace: internalNP.Namespace, + SourceRef: internalNP.SourceRef, Rules: internalNP.Rules, AppliedToGroups: internalNP.AppliedToGroups, Priority: internalNP.Priority, diff --git a/pkg/controller/networkpolicy/networkpolicy_controller_test.go b/pkg/controller/networkpolicy/networkpolicy_controller_test.go index b3cee0aa46f..0b4a2f34117 100644 --- a/pkg/controller/networkpolicy/networkpolicy_controller_test.go +++ b/pkg/controller/networkpolicy/networkpolicy_controller_test.go @@ -160,6 +160,12 @@ func TestAddNetworkPolicy(t *testing.T) { UID: "uidA", Name: "npA", Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npA", + UID: "uidA", + }, Rules: []controlplane.NetworkPolicyRule{{ Direction: controlplane.DirectionIn, From: matchAllPeer, @@ -186,6 +192,12 @@ func TestAddNetworkPolicy(t *testing.T) { UID: "uidB", Name: "npB", Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npB", + UID: "uidB", + }, Rules: []controlplane.NetworkPolicyRule{{ Direction: controlplane.DirectionOut, To: matchAllPeer, @@ -221,6 +233,12 @@ func TestAddNetworkPolicy(t *testing.T) { UID: "uidB", Name: "npB", Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npB", + UID: "uidB", + }, Rules: []controlplane.NetworkPolicyRule{{ Direction: controlplane.DirectionOut, To: matchAllPeerEgress, @@ -251,6 +269,12 @@ func TestAddNetworkPolicy(t *testing.T) { UID: "uidC", Name: "npC", Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npC", + UID: "uidC", + }, Rules: []controlplane.NetworkPolicyRule{ denyAllIngressRule, }, @@ -272,6 +296,12 @@ func TestAddNetworkPolicy(t *testing.T) { UID: "uidD", Name: "npD", Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npD", + UID: "uidD", + }, Rules: []controlplane.NetworkPolicyRule{ denyAllEgressRule, }, @@ -322,6 +352,12 @@ func TestAddNetworkPolicy(t *testing.T) { UID: "uidE", Name: "npE", Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npE", + UID: "uidE", + }, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, @@ -395,6 +431,12 @@ func TestAddNetworkPolicy(t *testing.T) { UID: "uidF", Name: "npF", Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npF", + UID: "uidF", + }, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, @@ -438,17 +480,9 @@ func TestAddNetworkPolicy(t *testing.T) { key, _ := keyFunc(tt.inputPolicy) actualPolicyObj, _, _ := npc.internalNetworkPolicyStore.Get(key) actualPolicy := actualPolicyObj.(*antreatypes.NetworkPolicy) - if !reflect.DeepEqual(actualPolicy, tt.expPolicy) { - t.Errorf("addNetworkPolicy() got %v, want %v", actualPolicy, tt.expPolicy) - } - - if actualAddressGroups := len(npc.addressGroupStore.List()); actualAddressGroups != tt.expAddressGroups { - t.Errorf("len(addressGroupStore.List()) got %v, want %v", actualAddressGroups, tt.expAddressGroups) - } - - if actualAppliedToGroups := len(npc.appliedToGroupStore.List()); actualAppliedToGroups != tt.expAppliedToGroups { - t.Errorf("len(appliedToGroupStore.List()) got %v, want %v", actualAppliedToGroups, tt.expAppliedToGroups) - } + assert.Equal(t, tt.expPolicy, actualPolicy) + assert.Equal(t, tt.expAddressGroups, len(npc.addressGroupStore.List())) + assert.Equal(t, tt.expAppliedToGroups, len(npc.appliedToGroupStore.List())) }) } _, npc := newController() @@ -545,6 +579,12 @@ func TestUpdateNetworkPolicy(t *testing.T) { UID: "uidA", Name: "npA", Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npA", + UID: "uidA", + }, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, @@ -590,6 +630,12 @@ func TestUpdateNetworkPolicy(t *testing.T) { UID: "uidA", Name: "npA", Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npA", + UID: "uidA", + }, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionOut, @@ -627,6 +673,12 @@ func TestUpdateNetworkPolicy(t *testing.T) { UID: "uidA", Name: "npA", Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npA", + UID: "uidA", + }, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, @@ -651,9 +703,15 @@ func TestUpdateNetworkPolicy(t *testing.T) { }, }, expNetworkPolicy: &antreatypes.NetworkPolicy{ - UID: "uidA", - Name: "npA", - Namespace: "nsA", + UID: "uidA", + Name: "npA", + Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npA", + UID: "uidA", + }, Rules: []controlplane.NetworkPolicyRule{}, AppliedToGroups: []string{getNormalizedUID(toGroupSelector("nsA", &metav1.LabelSelector{}, nil, nil).NormalizedName)}, }, @@ -698,6 +756,12 @@ func TestUpdateNetworkPolicy(t *testing.T) { UID: "uidA", Name: "npA", Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npA", + UID: "uidA", + }, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, @@ -760,6 +824,12 @@ func TestUpdateNetworkPolicy(t *testing.T) { UID: "uidA", Name: "npA", Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npA", + UID: "uidA", + }, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, @@ -2386,6 +2456,12 @@ func TestProcessNetworkPolicy(t *testing.T) { UID: "uidA", Name: "npA", Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npA", + UID: "uidA", + }, Rules: []controlplane.NetworkPolicyRule{{ Direction: controlplane.DirectionIn, From: matchAllPeer, @@ -2408,9 +2484,15 @@ func TestProcessNetworkPolicy(t *testing.T) { }, }, expectedPolicy: &antreatypes.NetworkPolicy{ - UID: "uidA", - Name: "npA", - Namespace: "nsA", + UID: "uidA", + Name: "npA", + Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npA", + UID: "uidA", + }, Rules: []controlplane.NetworkPolicyRule{denyAllEgressRule}, AppliedToGroups: []string{getNormalizedUID(toGroupSelector("nsA", &metav1.LabelSelector{}, nil, nil).NormalizedName)}, }, @@ -2459,6 +2541,12 @@ func TestProcessNetworkPolicy(t *testing.T) { UID: "uidA", Name: "npA", Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npA", + UID: "uidA", + }, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, @@ -2532,6 +2620,12 @@ func TestProcessNetworkPolicy(t *testing.T) { UID: "uidA", Name: "npA", Namespace: "nsA", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "nsA", + Name: "npA", + UID: "uidA", + }, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, diff --git a/pkg/controller/networkpolicy/store/networkpolicy.go b/pkg/controller/networkpolicy/store/networkpolicy.go index 0b17f900951..c17a89db5aa 100644 --- a/pkg/controller/networkpolicy/store/networkpolicy.go +++ b/pkg/controller/networkpolicy/store/networkpolicy.go @@ -106,6 +106,7 @@ func ToNetworkPolicyMsg(in *types.NetworkPolicy, out *controlplane.NetworkPolicy out.Namespace = in.Namespace out.Name = in.Name out.UID = in.UID + out.SourceRef = in.SourceRef if !includeBody { return } diff --git a/pkg/controller/networkpolicy/store/networkpolicy_test.go b/pkg/controller/networkpolicy/store/networkpolicy_test.go index fd09bf1ffd6..9bafc64e81a 100644 --- a/pkg/controller/networkpolicy/store/networkpolicy_test.go +++ b/pkg/controller/networkpolicy/store/networkpolicy_test.go @@ -22,7 +22,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/labels" - apitypes "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/watch" @@ -33,9 +32,16 @@ import ( func TestWatchNetworkPolicyEvent(t *testing.T) { protocolTCP := controlplane.ProtocolTCP + npRef := controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "foo", + Name: "bar", + UID: "id1", + } policyV1 := &types.NetworkPolicy{ Namespace: "foo", Name: "bar", + SourceRef: &npRef, SpanMeta: types.SpanMeta{NodeNames: sets.NewString("node1", "node2")}, Rules: []controlplane.NetworkPolicyRule{{ Direction: controlplane.DirectionIn, @@ -48,6 +54,7 @@ func TestWatchNetworkPolicyEvent(t *testing.T) { policyV2 := &types.NetworkPolicy{ Namespace: "foo", Name: "bar", + SourceRef: &npRef, SpanMeta: types.SpanMeta{NodeNames: sets.NewString("node1", "node3")}, Rules: []controlplane.NetworkPolicyRule{{ Direction: controlplane.DirectionIn, @@ -60,6 +67,7 @@ func TestWatchNetworkPolicyEvent(t *testing.T) { policyV3 := &types.NetworkPolicy{ Namespace: "foo", Name: "bar", + SourceRef: &npRef, SpanMeta: types.SpanMeta{NodeNames: sets.NewString("node1", "node3")}, Rules: []controlplane.NetworkPolicyRule{{ Direction: controlplane.DirectionIn, @@ -88,11 +96,13 @@ func TestWatchNetworkPolicyEvent(t *testing.T) { {Type: watch.Bookmark, Object: &controlplane.NetworkPolicy{}}, {Type: watch.Added, Object: &controlplane.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "foo", Name: "bar"}, + SourceRef: &npRef, Rules: policyV1.Rules, AppliedToGroups: policyV1.AppliedToGroups, }}, {Type: watch.Modified, Object: &controlplane.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "foo", Name: "bar"}, + SourceRef: &npRef, Rules: policyV2.Rules, AppliedToGroups: policyV2.AppliedToGroups, }}, @@ -115,16 +125,19 @@ func TestWatchNetworkPolicyEvent(t *testing.T) { {Type: watch.Bookmark, Object: &controlplane.NetworkPolicy{}}, {Type: watch.Added, Object: &controlplane.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "foo", Name: "bar"}, + SourceRef: &npRef, Rules: policyV2.Rules, AppliedToGroups: policyV2.AppliedToGroups, }}, {Type: watch.Modified, Object: &controlplane.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "foo", Name: "bar"}, + SourceRef: &npRef, Rules: policyV3.Rules, AppliedToGroups: policyV3.AppliedToGroups, }}, {Type: watch.Deleted, Object: &controlplane.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "foo", Name: "bar"}, + SourceRef: &npRef, }}, }, }, @@ -157,7 +170,13 @@ func TestGetNetworkPolicyByIndex(t *testing.T) { policy1 := &types.NetworkPolicy{ Namespace: "foo", Name: "bar", - UID: apitypes.UID("uid-1"), + UID: "uid-1", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "foo", + Name: "bar", + UID: "uid-1", + }, Rules: []controlplane.NetworkPolicyRule{{ Direction: controlplane.DirectionIn, From: controlplane.NetworkPolicyPeer{AddressGroups: []string{"addressGroup1"}}, @@ -168,7 +187,13 @@ func TestGetNetworkPolicyByIndex(t *testing.T) { policy2 := &types.NetworkPolicy{ Namespace: "foo2", Name: "bar2", - UID: apitypes.UID("uid-2"), + UID: "uid-2", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.K8sNetworkPolicy, + Namespace: "foo2", + Name: "bar2", + UID: "uid-2", + }, Rules: []controlplane.NetworkPolicyRule{{ Direction: controlplane.DirectionIn, From: controlplane.NetworkPolicyPeer{AddressGroups: []string{"addressGroup1", "addressGroup2"}}, diff --git a/pkg/controller/types/networkpolicy.go b/pkg/controller/types/networkpolicy.go index 8ac68f38f8b..922b863cb7b 100644 --- a/pkg/controller/types/networkpolicy.go +++ b/pkg/controller/types/networkpolicy.go @@ -105,13 +105,15 @@ type AddressGroup struct { // NetworkPolicy describes what network traffic is allowed for a set of Pods. type NetworkPolicy struct { SpanMeta - // UID of the original K8s Network Policy. + // UID of the internal Network Policy. UID types.UID - // Name of the original K8s Network Policy. + // Name of the internal Network Policy. Name string // Namespace of the original K8s Network Policy. // An empty value indicates that the Network Policy is Cluster scoped. Namespace string + // Reference to the original Network Policy. + SourceRef *controlplane.NetworkPolicyReference // Priority represents the relative priority of this Network Policy as compared to // other Network Policies. Priority will be unset (nil) for K8s Network Policy. Priority *float64 diff --git a/test/integration/agent/openflow_test.go b/test/integration/agent/openflow_test.go index 03f9223fcb8..e81221fd37b 100644 --- a/test/integration/agent/openflow_test.go +++ b/test/integration/agent/openflow_test.go @@ -168,15 +168,19 @@ func TestReplayFlowsNetworkPolicyFlows(t *testing.T) { npPort1 := v1beta1.Service{Protocol: &tcpProtocol, Port: &port2} toIPList := prepareIPAddresses(toList) rule := &types.PolicyRule{ - Direction: v1beta1.DirectionIn, - From: prepareIPAddresses(fromList), - To: toIPList, - Service: []v1beta1.Service{npPort1}, - Action: &defaultAction, - FlowID: ruleID, - TableID: ofClient.IngressRuleTable, - PolicyName: "np1", - PolicyNamespace: "ns1", + Direction: v1beta1.DirectionIn, + From: prepareIPAddresses(fromList), + To: toIPList, + Service: []v1beta1.Service{npPort1}, + Action: &defaultAction, + FlowID: ruleID, + TableID: ofClient.IngressRuleTable, + PolicyRef: &v1beta1.NetworkPolicyReference{ + Type: v1beta1.K8sNetworkPolicy, + Namespace: "ns1", + Name: "np1", + UID: "uid1", + }, } err = c.InstallPolicyRuleFlows(rule) @@ -333,15 +337,19 @@ func TestNetworkPolicyFlows(t *testing.T) { npPort1 := v1beta1.Service{Protocol: &tcpProtocol, Port: &port2} toIPList := prepareIPAddresses(toList) rule := &types.PolicyRule{ - Direction: v1beta1.DirectionIn, - From: prepareIPAddresses(fromList), - To: toIPList, - Service: []v1beta1.Service{npPort1}, - Action: &defaultAction, - FlowID: ruleID, - TableID: ofClient.IngressRuleTable, - PolicyName: "np1", - PolicyNamespace: "ns1", + Direction: v1beta1.DirectionIn, + From: prepareIPAddresses(fromList), + To: toIPList, + Service: []v1beta1.Service{npPort1}, + Action: &defaultAction, + FlowID: ruleID, + TableID: ofClient.IngressRuleTable, + PolicyRef: &v1beta1.NetworkPolicyReference{ + Type: v1beta1.K8sNetworkPolicy, + Namespace: "ns1", + Name: "np1", + UID: "uid1", + }, } err = c.InstallPolicyRuleFlows(rule) require.Nil(t, err, "Failed to InstallPolicyRuleFlows") @@ -373,14 +381,18 @@ func TestNetworkPolicyFlows(t *testing.T) { udpProtocol := v1beta1.ProtocolUDP npPort2 := v1beta1.Service{Protocol: &udpProtocol} rule2 := &types.PolicyRule{ - Direction: v1beta1.DirectionIn, - To: toIPList2, - Service: []v1beta1.Service{npPort2}, - Action: &defaultAction, - FlowID: ruleID2, - TableID: ofClient.IngressRuleTable, - PolicyName: "np1", - PolicyNamespace: "ns1", + Direction: v1beta1.DirectionIn, + To: toIPList2, + Service: []v1beta1.Service{npPort2}, + Action: &defaultAction, + FlowID: ruleID2, + TableID: ofClient.IngressRuleTable, + PolicyRef: &v1beta1.NetworkPolicyReference{ + Type: v1beta1.K8sNetworkPolicy, + Namespace: "ns1", + Name: "np1", + UID: "uid1", + }, } err = c.InstallPolicyRuleFlows(rule2) require.Nil(t, err, "Failed to InstallPolicyRuleFlows")