Commit
Add support for selecting nodes as egress peers
Some FTR things:

1) As an egress peer a user can select either namespaces, pods or
   nodes. In a given rule more than 1 type of selection is not allowed.
2) An empty node selector means it selects all nodes in the cluster.
3) Nodes can be referred to only from egress rule peers, since we only
   support northbound use cases.

Signed-off-by: Surya Seetharaman <[email protected]>
tssurya committed Nov 14, 2023
1 parent c3ea60b commit 23d3882
Showing 6 changed files with 133 additions and 21 deletions.
11 changes: 10 additions & 1 deletion apis/v1alpha1/shared_types.go
Expand Up @@ -144,7 +144,7 @@ type AdminNetworkPolicyIngressPeer struct {
Pods *NamespacedPodPeer `json:"pods,omitempty"`
}

// AdminNetworkPolicyEgressPeer defines an in-cluster peer to allow traffic to.
// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
// Exactly one of the selector pointers must be set for a given peer. If a
// consumer observes none of its fields are set, they must assume an unknown
// option has been specified and fail closed.
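Review bot: dropping "in-cluster" from the AdminNetworkPolicyEgressPeer comment widens the stated scope without saying which peer kinds are now allowed; since this comment is the source of the generated CRD descriptions, state here that an egress peer may be a set of namespaces, pods or nodes. Keep the "fail closed" sentence exactly as is: it is the property an older implementation relies on when a newer API server hands it a peer whose only selector is one it does not recognise, such as the new `nodes` field.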
Expand All @@ -166,6 +166,15 @@ type AdminNetworkPolicyEgressPeer struct {
//
// +optional
Pods *NamespacedPodPeer `json:"pods,omitempty"`
// Nodes defines a way to select a set of nodes in
// the cluster. This field follows standard label selector
// semantics; if present but empty, it selects all Nodes.
//
// Support: Extended
//
// <network-policy-api:experimental>
// +optional
Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
}

// NamespacedPeer defines a flexible way to select Namespaces in a cluster.
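Review bot: the Nodes comment says an empty selector selects all Nodes but does not say what traffic "to a node" covers: whether it is only the node's own addresses (host network) and how that relates to the host-networked pods note on the Pods description visible in the CRD hunks. Please spell that out, because an implementation that also matched pods scheduled on the selected nodes would grant far more than the policy author intended. It is also worth saying explicitly that `nodes: {}` is a valid, select-every-node peer, since that makes an over-broad Allow rule easy to write by accident.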
5 changes: 5 additions & 0 deletions apis/v1alpha1/zz_generated.deepcopy.go

Expand Up @@ -156,11 +156,11 @@ spec:
is applied. This field must be defined and contain at least
one item. \n Support: Core"
items:
description: AdminNetworkPolicyEgressPeer defines an in-cluster
peer to allow traffic to. Exactly one of the selector pointers
must be set for a given peer. If a consumer observes none
of its fields are set, they must assume an unknown option
has been specified and fail closed.
description: AdminNetworkPolicyEgressPeer defines a peer to
allow traffic to. Exactly one of the selector pointers must
be set for a given peer. If a consumer observes none of
its fields are set, they must assume an unknown option has
been specified and fail closed.
maxProperties: 1
minProperties: 1
properties:
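Review bot: `minProperties: 1` / `maxProperties: 1` on the peer item is what enforces "exactly one selector", and it is per peer item, not per rule: a single egress rule's peer list can still contain a pods peer and a nodes peer as separate items. The commit message's "In a given rule more than 1 type of selection is not allowed" reads as per-rule; either reword it to "per peer" or add a rule-level validation if per-rule exclusivity was intended. Also note this description is regenerated from the Go comment, so any wording fix belongs in shared_types.go rather than here.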
Expand Down Expand Up @@ -249,6 +249,55 @@ spec:
maxItems: 100
type: array
type: object
nodes:
description: "Nodes defines a way to select a set of nodes
in the cluster. This field follows standard label selector
semantics; if present but empty, it selects all Nodes.
\n Support: Extended \n <network-policy-api:experimental>"
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values
array must be non-empty. If the operator is
Exists or DoesNotExist, the values array must
be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field
is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
pods:
description: "Pods defines a way to select a set of pods
in a set of namespaces. Note that host-networked pods
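Review bot: the `nodes` property is only the standard LabelSelector schema, so `nodes: {}` validates and, per the description, matches every node in the cluster. Worth adding validation tests that (a) `nodes: {}` is accepted and documented as select-all, (b) a peer carrying both `nodes` and `pods` is rejected by `maxProperties: 1`, and (c) a `nodes` selector placed under an ingress peer, whose schema is unchanged in this commit, is rejected by the API server rather than pruned down to an empty peer, so that the fail-closed rule in the description is reached through validation and not only through implementation behaviour.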
Expand Up @@ -148,11 +148,11 @@ spec:
is applied. This field must be defined and contain at least
one item. \n Support: Core"
items:
description: AdminNetworkPolicyEgressPeer defines an in-cluster
peer to allow traffic to. Exactly one of the selector pointers
must be set for a given peer. If a consumer observes none
of its fields are set, they must assume an unknown option
has been specified and fail closed.
description: AdminNetworkPolicyEgressPeer defines a peer to
allow traffic to. Exactly one of the selector pointers must
be set for a given peer. If a consumer observes none of
its fields are set, they must assume an unknown option has
been specified and fail closed.
maxProperties: 1
minProperties: 1
properties:
Expand Down Expand Up @@ -241,6 +241,55 @@ spec:
maxItems: 100
type: array
type: object
nodes:
description: "Nodes defines a way to select a set of nodes
in the cluster. This field follows standard label selector
semantics; if present but empty, it selects all Nodes.
\n Support: Extended \n <network-policy-api:experimental>"
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values
array must be non-empty. If the operator is
Exists or DoesNotExist, the values array must
be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field
is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
pods:
description: "Pods defines a way to select a set of pods
in a set of namespaces. Note that host-networked pods
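Review bot: the description carries both `Support: Extended` and `<network-policy-api:experimental>`, which leaves unclear whether an implementation is expected to honour this selector and whether conformance covers it; an implementation that ignores an experimental field it does not support would silently drop a peer the policy author expected to be enforced. Please document how the two markers compose, or pick one.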
Expand Up @@ -152,11 +152,11 @@ spec:
is applied. This field must be defined and contain at least
one item. \n Support: Core"
items:
description: AdminNetworkPolicyEgressPeer defines an in-cluster
peer to allow traffic to. Exactly one of the selector pointers
must be set for a given peer. If a consumer observes none
of its fields are set, they must assume an unknown option
has been specified and fail closed.
description: AdminNetworkPolicyEgressPeer defines a peer to
allow traffic to. Exactly one of the selector pointers must
be set for a given peer. If a consumer observes none of
its fields are set, they must assume an unknown option has
been specified and fail closed.
maxProperties: 1
minProperties: 1
properties:
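Review bot: this file picks up the regenerated description ("defines a peer") but gains no `nodes` property, so the schema here still permits only namespaces and pods while the description no longer says in-cluster. That is expected if this CRD is a channel that excludes experimental fields, but a reader of this CRD alone is told about more peer kinds than the schema offers; consider channel-specific wording or a short note in the description.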
Expand Up @@ -144,11 +144,11 @@ spec:
is applied. This field must be defined and contain at least
one item. \n Support: Core"
items:
description: AdminNetworkPolicyEgressPeer defines an in-cluster
peer to allow traffic to. Exactly one of the selector pointers
must be set for a given peer. If a consumer observes none
of its fields are set, they must assume an unknown option
has been specified and fail closed.
description: AdminNetworkPolicyEgressPeer defines a peer to
allow traffic to. Exactly one of the selector pointers must
be set for a given peer. If a consumer observes none of
its fields are set, they must assume an unknown option has
been specified and fail closed.
maxProperties: 1
minProperties: 1
properties:
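Review bot: as with the previous CRD, only the description changes here and no `nodes` property is added. A policy that uses `nodes` against this CRD would have the field pruned as unknown (or rejected under strict field validation), leaving an empty peer that `minProperties: 1` should reject; a test confirming that rejection, rather than silent acceptance of a policy with a missing peer, would make the fail-closed guarantee concrete for this file too.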

0 comments on commit 23d3882
