diff --git a/api/v1alpha1/patronipostgres_types.go b/api/v1alpha1/patronipostgres_types.go
index ed16f9c..b8c801f 100644
--- a/api/v1alpha1/patronipostgres_types.go
+++ b/api/v1alpha1/patronipostgres_types.go
@@ -133,6 +133,11 @@ type PatroniPostgresSpec struct {
 // More info: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#networkpolicyingressrule-v1-networking-k8s-io
 // +optional
 AccessControl []networking.NetworkPolicyPeer `json:"accessControl,omitempty"`
+
+ // AdditionalNetworkPolicyIngress lists additional ingress rules to append to created
+ // NetworkPolicy object. Useful for opening ports for ExtraContainers.
+ // +optional
+ AdditionalNetworkPolicyIngress []networking.NetworkPolicyIngressRule `json:"additionalNetworkPolicyIngress,omitempty"`
 }
 // PatroniPostgresState represents overall cluster state
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index f0ba73d..19174e3 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -180,6 +180,13 @@ func (in *PatroniPostgresSpec) DeepCopyInto(out *PatroniPostgresSpec) {
 (*in)[i].DeepCopyInto(&(*out)[i])
 }
 }
+ if in.AdditionalNetworkPolicyIngress != nil {
+ in, out := &in.AdditionalNetworkPolicyIngress, &out.AdditionalNetworkPolicyIngress
+ *out = make([]networkingv1.NetworkPolicyIngressRule, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PatroniPostgresSpec.
diff --git a/config/crd/bases/kwebs.cloud_patronipostgres.yaml b/config/crd/bases/kwebs.cloud_patronipostgres.yaml
index 5833239..dbf2606 100644
--- a/config/crd/bases/kwebs.cloud_patronipostgres.yaml
+++ b/config/crd/bases/kwebs.cloud_patronipostgres.yaml
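Review bot: The doc comment on the new AdditionalNetworkPolicyIngress field does not tell users that each rule is copied into the generated NetworkPolicy unmodified, so a rule that leaves both `from` and `ports` empty admits traffic from any source on any port and voids the restriction expressed by AccessControl just above it. Since this field is the one place a CR author reads before opening ports, the comment should carry that caveat; suggest appending: `// Rules are appended as-is: a rule with neither from nor ports allows traffic from any source on any port, bypassing AccessControl. Scope each rule with from and/or ports.`. The generated CRD description in config/crd and config/deploy.yaml is derived from this comment, so regenerating after the change propagates it.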
@@ -178,6 +178,195 @@ spec: x-kubernetes-map-type: atomic type: object type: array + additionalNetworkPolicyIngress: + description: AdditionalNetworkPolicyIngress lists additional ingress + rules to append to created NetworkPolicy object. Useful for opening + ports for ExtraContainers. + items: + description: NetworkPolicyIngressRule describes a particular set + of traffic that is allowed to the pods matched by a NetworkPolicySpec's + podSelector. The traffic must match both ports and from. + properties: + from: + description: from is a list of sources which should be able + to access the pods selected for this rule. Items in this list + are combined using a logical OR operation. If this field is + empty or missing, this rule matches all sources (traffic not + restricted by source). If this field is present and contains + at least one item, this rule allows traffic only if the traffic + matches at least one item in the from list. + items: + description: NetworkPolicyPeer describes a peer to allow traffic + to/from. Only certain combinations of fields are allowed + properties: + ipBlock: + description: ipBlock defines policy on a particular IPBlock. + If this field is set then neither of the other fields + can be. + properties: + cidr: + description: cidr is a string representing the IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + type: string + except: + description: except is a slice of CIDRs that should + not be included within an IPBlock Valid examples + are "192.168.1.0/24" or "2001:db8::/64" Except values + will be rejected if they are outside the cidr range + items: + type: string + type: array + required: + - cidr + type: object + namespaceSelector: + description: "namespaceSelector selects namespaces using + cluster-scoped labels. This field follows standard label + selector semantics; if present but empty, it selects + all namespaces. 
\n If podSelector is also set, then + the NetworkPolicyPeer as a whole selects the pods matching + podSelector in the namespaces selected by namespaceSelector. + Otherwise it selects all pods in the namespaces selected + by namespaceSelector." + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values + array must be non-empty. If the operator is + Exists or DoesNotExist, the values array must + be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: "podSelector is a label selector which selects + pods. This field follows standard label selector semantics; + if present but empty, it selects all pods. \n If namespaceSelector + is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the Namespaces selected + by NamespaceSelector. Otherwise it selects the pods + matching podSelector in the policy's own namespace." 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values + array must be non-empty. If the operator is + Exists or DoesNotExist, the values array must + be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array + ports: + description: ports is a list of ports which should be made accessible + on the pods selected for this rule. Each item in this list + is combined using a logical OR. If this field is empty or + missing, this rule matches all ports (traffic not restricted + by port). If this field is present and contains at least one + item, then this rule allows traffic only if the traffic matches + at least one port in the list. 
+ items: + description: NetworkPolicyPort describes a port to allow traffic + on + properties: + endPort: + description: endPort indicates that the range of ports + from port to endPort if set, inclusive, should be allowed + by the policy. This field cannot be defined if the port + field is not defined or if the port field is defined + as a named (string) port. The endPort must be equal + or greater than port. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: port represents the port on the given protocol. + This can either be a numerical or named port on a pod. + If this field is not provided, this matches all port + names and numbers. If present, only traffic on the specified + protocol AND port will be matched. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: protocol represents the protocol (TCP, UDP, + or SCTP) which traffic must match. If not specified, + this field defaults to TCP. + type: string + type: object + type: array + type: object + type: array affinity: description: If specified, the pod's scheduling constraints properties: diff --git a/config/deploy.yaml b/config/deploy.yaml index 97254fb..e087835 100644 --- a/config/deploy.yaml +++ b/config/deploy.yaml 
@@ -472,6 +472,195 @@ spec: x-kubernetes-map-type: atomic type: object type: array + additionalNetworkPolicyIngress: + description: AdditionalNetworkPolicyIngress lists additional ingress + rules to append to created NetworkPolicy object. Useful for opening + ports for ExtraContainers. + items: + description: NetworkPolicyIngressRule describes a particular set + of traffic that is allowed to the pods matched by a NetworkPolicySpec's + podSelector. The traffic must match both ports and from. + properties: + from: + description: from is a list of sources which should be able + to access the pods selected for this rule. Items in this list + are combined using a logical OR operation. If this field is + empty or missing, this rule matches all sources (traffic not + restricted by source). If this field is present and contains + at least one item, this rule allows traffic only if the traffic + matches at least one item in the from list. + items: + description: NetworkPolicyPeer describes a peer to allow traffic + to/from. Only certain combinations of fields are allowed + properties: + ipBlock: + description: ipBlock defines policy on a particular IPBlock. + If this field is set then neither of the other fields + can be. + properties: + cidr: + description: cidr is a string representing the IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + type: string + except: + description: except is a slice of CIDRs that should + not be included within an IPBlock Valid examples + are "192.168.1.0/24" or "2001:db8::/64" Except values + will be rejected if they are outside the cidr range + items: + type: string + type: array + required: + - cidr + type: object + namespaceSelector: + description: "namespaceSelector selects namespaces using + cluster-scoped labels. This field follows standard label + selector semantics; if present but empty, it selects + all namespaces. 
\n If podSelector is also set, then + the NetworkPolicyPeer as a whole selects the pods matching + podSelector in the namespaces selected by namespaceSelector. + Otherwise it selects all pods in the namespaces selected + by namespaceSelector." + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values + array must be non-empty. If the operator is + Exists or DoesNotExist, the values array must + be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: "podSelector is a label selector which selects + pods. This field follows standard label selector semantics; + if present but empty, it selects all pods. \n If namespaceSelector + is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the Namespaces selected + by NamespaceSelector. Otherwise it selects the pods + matching podSelector in the policy's own namespace." 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values + array must be non-empty. If the operator is + Exists or DoesNotExist, the values array must + be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array + ports: + description: ports is a list of ports which should be made accessible + on the pods selected for this rule. Each item in this list + is combined using a logical OR. If this field is empty or + missing, this rule matches all ports (traffic not restricted + by port). If this field is present and contains at least one + item, then this rule allows traffic only if the traffic matches + at least one port in the list. 
+ items: + description: NetworkPolicyPort describes a port to allow traffic + on + properties: + endPort: + description: endPort indicates that the range of ports + from port to endPort if set, inclusive, should be allowed + by the policy. This field cannot be defined if the port + field is not defined or if the port field is defined + as a named (string) port. The endPort must be equal + or greater than port. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: port represents the port on the given protocol. + This can either be a numerical or named port on a pod. + If this field is not provided, this matches all port + names and numbers. If present, only traffic on the specified + protocol AND port will be matched. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: protocol represents the protocol (TCP, UDP, + or SCTP) which traffic must match. If not specified, + this field defaults to TCP. + type: string + type: object + type: array + type: object + type: array affinity: description: If specified, the pod's scheduling constraints properties: diff --git a/private/controllers/networkpolicy/networkpolicy.go b/private/controllers/networkpolicy/networkpolicy.go index 984b7df..76e6750 100644 --- a/private/controllers/networkpolicy/networkpolicy.go +++ b/private/controllers/networkpolicy/networkpolicy.go @@ -91,6 +91,7 @@ func Reconcile(ctx context.Context, p *v1alpha1.PatroniPostgres) (err error) { }, }, } + policy.Spec.Ingress = append(policy.Spec.Ingress, p.Spec.AdditionalNetworkPolicyIngress...) if create { err = ctx.Create(ctx, policy)
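Review bot: The added append copies the user-supplied rules into the policy without any check, so a single entry with neither `from` nor `ports` matches all traffic and silently cancels the AccessControl-derived rule the function builds just above; Reconcile's body starts and ends outside this hunk. A rule that is equivalent to "allow everything" is far more likely a mistake than an intent, so the reconciler should refuse it and surface the reason through the named `err` return rather than create a policy that no longer restricts anything. The rules are also appended by value while NetworkPolicyIngressRule holds pointer fields (port, protocol, selectors); if `p` comes from a shared cache, the policy would alias that memory, so deep-copying each rule is the safer form. If fmt is not already imported in this file, errors.New with a fixed message works equally well.
```go
// … unchanged: policy construction from AccessControl …
for i := range p.Spec.AdditionalNetworkPolicyIngress {
	rule := p.Spec.AdditionalNetworkPolicyIngress[i].DeepCopy()
	if len(rule.From) == 0 && len(rule.Ports) == 0 {
		// A rule with neither from nor ports admits all traffic and
		// voids the AccessControl restriction built above.
		return fmt.Errorf("additionalNetworkPolicyIngress[%d]: rule must set from or ports", i)
	}
	policy.Spec.Ingress = append(policy.Spec.Ingress, *rule)
}
if create {
```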