feat(CRD): introduce additionalNetworkPolicyIngress
rkojedzinszky committed Jul 9, 2024
1 parent 2df04eb commit 1b4dbe9
Showing 5 changed files with 391 additions and 0 deletions.
5 changes: 5 additions & 0 deletions api/v1alpha1/patronipostgres_types.go
Expand Up @@ -133,6 +133,11 @@ type PatroniPostgresSpec struct {
// More info: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#networkpolicyingressrule-v1-networking-k8s-io
// +optional
AccessControl []networking.NetworkPolicyPeer `json:"accessControl,omitempty"`

// AdditionalNetworkPolicyIngress lists additional ingress rules to append to created
// NetworkPolicy object. Useful for opening ports for ExtraContainers.
// +optional
AdditionalNetworkPolicyIngress []networking.NetworkPolicyIngressRule `json:"additionalNetworkPolicyIngress,omitempty"`
}

// PatroniPostgresState represents overall cluster state
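Review bot: the doc comment on `AdditionalNetworkPolicyIngress` should state the security semantics of "append": NetworkPolicy ingress rules are combined with OR, so an appended rule whose `from` is empty admits the listed ports from any source, independent of whatever `AccessControl` restricts. The neighbouring `AccessControl` field carries a `// More info: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#networkpolicyingressrule-v1-networking-k8s-io` pointer; this field should carry the same link so operators can check the rule semantics before using it. Minor wording: "to append to created NetworkPolicy object" should read "to append to the created NetworkPolicy object".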
7 changes: 7 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

189 changes: 189 additions & 0 deletions config/crd/bases/kwebs.cloud_patronipostgres.yaml
Expand Up @@ -178,6 +178,195 @@ spec:
x-kubernetes-map-type: atomic
type: object
type: array
additionalNetworkPolicyIngress:
description: AdditionalNetworkPolicyIngress lists additional ingress
rules to append to created NetworkPolicy object. Useful for opening
ports for ExtraContainers.
items:
description: NetworkPolicyIngressRule describes a particular set
of traffic that is allowed to the pods matched by a NetworkPolicySpec's
podSelector. The traffic must match both ports and from.
properties:
from:
description: from is a list of sources which should be able
to access the pods selected for this rule. Items in this list
are combined using a logical OR operation. If this field is
empty or missing, this rule matches all sources (traffic not
restricted by source). If this field is present and contains
at least one item, this rule allows traffic only if the traffic
matches at least one item in the from list.
items:
description: NetworkPolicyPeer describes a peer to allow traffic
to/from. Only certain combinations of fields are allowed
properties:
ipBlock:
description: ipBlock defines policy on a particular IPBlock.
If this field is set then neither of the other fields
can be.
properties:
cidr:
description: cidr is a string representing the IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
type: string
except:
description: except is a slice of CIDRs that should
not be included within an IPBlock Valid examples
are "192.168.1.0/24" or "2001:db8::/64" Except values
will be rejected if they are outside the cidr range
items:
type: string
type: array
required:
- cidr
type: object
namespaceSelector:
description: "namespaceSelector selects namespaces using
cluster-scoped labels. This field follows standard label
selector semantics; if present but empty, it selects
all namespaces. \n If podSelector is also set, then
the NetworkPolicyPeer as a whole selects the pods matching
podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected
by namespaceSelector."
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values
array must be non-empty. If the operator is
Exists or DoesNotExist, the values array must
be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field
is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
podSelector:
description: "podSelector is a label selector which selects
pods. This field follows standard label selector semantics;
if present but empty, it selects all pods. \n If namespaceSelector
is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected
by NamespaceSelector. Otherwise it selects the pods
matching podSelector in the policy's own namespace."
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values
array must be non-empty. If the operator is
Exists or DoesNotExist, the values array must
be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field
is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
type: array
ports:
description: ports is a list of ports which should be made accessible
on the pods selected for this rule. Each item in this list
is combined using a logical OR. If this field is empty or
missing, this rule matches all ports (traffic not restricted
by port). If this field is present and contains at least one
item, then this rule allows traffic only if the traffic matches
at least one port in the list.
items:
description: NetworkPolicyPort describes a port to allow traffic
on
properties:
endPort:
description: endPort indicates that the range of ports
from port to endPort if set, inclusive, should be allowed
by the policy. This field cannot be defined if the port
field is not defined or if the port field is defined
as a named (string) port. The endPort must be equal
or greater than port.
format: int32
type: integer
port:
anyOf:
- type: integer
- type: string
description: port represents the port on the given protocol.
This can either be a numerical or named port on a pod.
If this field is not provided, this matches all port
names and numbers. If present, only traffic on the specified
protocol AND port will be matched.
x-kubernetes-int-or-string: true
protocol:
default: TCP
description: protocol represents the protocol (TCP, UDP,
or SCTP) which traffic must match. If not specified,
this field defaults to TCP.
type: string
type: object
type: array
type: object
type: array
affinity:
description: If specified, the pod's scheduling constraints
properties:
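Review bot: the top-level description of `additionalNetworkPolicyIngress` ("lists additional ingress rules to append to created NetworkPolicy object. Useful for opening ports for ExtraContainers.") should warn that every item is an additional allow rule: by the embedded field descriptions, an omitted `from` "matches all sources" and an omitted `ports` "matches all ports", so an item that lists only `ports` opens them to every source regardless of `accessControl`. Because this text is what `kubectl explain` shows, the caveat belongs in the Go comment this schema is generated from rather than in a hand edit of the YAML. Separately, constraints stated in the descriptions (for example "The endPort must be equal or greater than port" and endPort being disallowed with a named port) are not expressed as schema validation here, so a bad rule is accepted into the custom resource and only rejected when the controller submits the NetworkPolicy; the controller should surface that apiserver error in the resource status so a rejected rule does not silently leave the policy stale.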

0 comments on commit 1b4dbe9