Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add 'namespaces' in ACNP for enhanced peer namespace selection #1961

Merged
merged 5 commits into from
May 26, 2021
Merged

Add 'namespaces' in ACNP for enhanced peer namespace selection #1961

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
f04d91e
Add 'namespaces' in ACNP for enhanced peer namespace selection
Dyanngg Mar 9, 2021
b54a014
Add E2E testcases
Dyanngg Mar 16, 2021
bc191d5
Address comments
Dyanngg Mar 22, 2021
b252f38
Address more comments
Dyanngg May 21, 2021
06e937e
Address updateCNP comments
Dyanngg May 25, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions build/yamls/antrea-aks.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -700,6 +700,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -827,6 +832,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1105,6 +1115,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1232,6 +1247,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down
20 changes: 20 additions & 0 deletions build/yamls/antrea-eks.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -700,6 +700,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -827,6 +832,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1105,6 +1115,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1232,6 +1247,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down
20 changes: 20 additions & 0 deletions build/yamls/antrea-gke.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -700,6 +700,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -827,6 +832,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1105,6 +1115,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1232,6 +1247,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down
20 changes: 20 additions & 0 deletions build/yamls/antrea-ipsec.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -700,6 +700,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -827,6 +832,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1105,6 +1115,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1232,6 +1247,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down
20 changes: 20 additions & 0 deletions build/yamls/antrea.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -700,6 +700,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -827,6 +832,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1105,6 +1115,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1232,6 +1247,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down
20 changes: 20 additions & 0 deletions build/yamls/base/crds.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -656,6 +656,11 @@ spec:
type: string
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaces:
type: object
properties:
match:
type: string
ipBlock:
type: object
properties:
Expand Down Expand Up @@ -795,6 +800,11 @@ spec:
type: string
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaces:
type: object
properties:
match:
type: string
ipBlock:
type: object
properties:
Expand Down Expand Up @@ -2009,6 +2019,11 @@ spec:
type: string
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaces:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any particular reason why we add this in the deprecated version?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not really... I guess it isn't necessary. This PR was opened before the security api group was deprecated, and the API change was meant for this version of ACNP resource.

type: object
properties:
match:
type: string
ipBlock:
type: object
properties:
Expand Down Expand Up @@ -2148,6 +2163,11 @@ spec:
type: string
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaces:
type: object
properties:
match:
type: string
ipBlock:
type: object
properties:
Expand Down
1 change: 1 addition & 0 deletions cmd/antrea-controller/controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,7 @@ func run(o *Options) error {
networkPolicyController := networkpolicy.NewNetworkPolicyController(client,
crdClient,
groupEntityIndex,
namespaceInformer,
serviceInformer,
networkPolicyInformer,
cnpInformer,
Expand Down
22 changes: 21 additions & 1 deletion pkg/apis/crd/v1alpha1/types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -388,9 +388,18 @@ type NetworkPolicyPeer struct {
// workloads in To/From fields. If set with PodSelector,
// Pods are matched from Namespaces matched by the NamespaceSelector.
// Cannot be set with any other selector except PodSelector or
// ExternalEntitySelector.
// ExternalEntitySelector. Cannot be set with Namespaces.
// +optional
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
// Select Pod/ExternalEntity from Namespaces matched by specifc criteria.
// Current supported criteria is match: Self, which selects from the same
// Namespace of the appliedTo workloads.
// Cannot be set with any other selector except PodSelector or
// ExternalEntitySelector. This field can only be set when NetworkPolicyPeer
// is created for ClusterNetworkPolicy ingress/egress rules.
// Cannot be set with NamespaceSelector.
// +optional
Namespaces *PeerNamespaces `json:"namespaces,omitempty"`
// Select ExternalEntities from NetworkPolicy's Namespace as workloads
// in AppliedTo/To/From fields. If set with NamespaceSelector,
// ExternalEntities are matched from Namespaces matched by the
Expand All @@ -405,6 +414,17 @@ type NetworkPolicyPeer struct {
Group string `json:"group,omitempty"`
}

type PeerNamespaces struct {
Match NamespaceMatchType `json:"match,omitempty"`
}

// NamespaceMatchType describes Namespace matching strategy.
type NamespaceMatchType string

const (
NamespaceMatchSelf NamespaceMatchType = "Self"
)

// IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed
// or denied to/from the workloads matched by a Spec.AppliedTo.
type IPBlock struct {
Expand Down
21 changes: 21 additions & 0 deletions pkg/apis/crd/v1alpha1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading