Add GKE NetworkPolicy support #1133

3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -52,6 +52,9 @@ manager_pull_policy.yaml-e
# junit files
junit.*.xml

# asdf
.tool-versions

.DS_Store

# Tilt files.
18 changes: 17 additions & 1 deletion cloud/services/container/clusters/reconcile.go
Expand Up @@ -268,6 +268,9 @@ func (s *Service) createCluster(ctx context.Context, log *logr.Logger) error {
if !s.scope.IsAutopilotCluster() {
cluster.NodePools = scope.ConvertToSdkNodePools(nodePools, machinePools, isRegional, cluster.Name)
}
if s.scope.GCPManagedControlPlane.Spec.NetworkPolicy != nil {
cluster.NetworkPolicy = convertToSdkNetworkPolicy(s.scope.GCPManagedControlPlane.Spec.NetworkPolicy)
}

createClusterRequest := &containerpb.CreateClusterRequest{
Cluster: cluster,
Expand Down Expand Up @@ -366,6 +369,20 @@ func convertToSdkMasterAuthorizedNetworksConfig(config *infrav1exp.MasterAuthori
}
}

// convertToSdkNetworkPolicy converts NetworkPolicy config to a value that is used by GCP SDK.
func convertToSdkNetworkPolicy(networkPolicy *infrav1exp.NetworkPolicy) *containerpb.NetworkPolicy {
sdkNetworkPolicy := containerpb.NetworkPolicy{
Enabled: true,
}
switch networkPolicy.Provider {
case "calico":
sdkNetworkPolicy.Provider = containerpb.NetworkPolicy_CALICO
default:
sdkNetworkPolicy.Provider = containerpb.NetworkPolicy_PROVIDER_UNSPECIFIED
}
return &sdkNetworkPolicy
}

func (s *Service) checkDiffAndPrepareUpdate(existingCluster *containerpb.Cluster, log *logr.Logger) (bool, *containerpb.UpdateClusterRequest) {
log.V(4).Info("Checking diff and preparing update.")

Expand All @@ -390,7 +407,6 @@ func (s *Service) checkDiffAndPrepareUpdate(existingCluster *containerpb.Cluster
log.V(2).Info("Master version update required", "current", existingClusterMasterVersion, "desired", desiredMasterVersion)
}
}

// DesiredMasterAuthorizedNetworksConfig
// When desiredMasterAuthorizedNetworksConfig is nil, it means that the user wants to disable the feature.
desiredMasterAuthorizedNetworksConfig := convertToSdkMasterAuthorizedNetworksConfig(s.scope.GCPManagedControlPlane.Spec.MasterAuthorizedNetworksConfig)
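Review bot: convertToSdkNetworkPolicy unconditionally sets `Enabled: true` and maps any provider other than "calico" to `NetworkPolicy_PROVIDER_UNSPECIFIED`, and because the CRD enum only admits "calico" while the field is optional, the one reachable non-calico value is the empty string, so a spec of `networkPolicy: {}` is sent to GKE as enabled-with-unspecified-provider instead of being rejected or treated as disabled. The caller already guards on nil, so the cheapest tightening is to also skip an empty provider there, `if np := s.scope.GCPManagedControlPlane.Spec.NetworkPolicy; np != nil && np.Provider != "" {`, and to make the default branch's intent explicit with `// unreachable while the CRD enum only allows "calico"; fall back to UNSPECIFIED rather than fail`. To be confirmed against the GKE API: enabling Calico through `cluster.NetworkPolicy` normally also needs the network-policy addon (`AddonsConfig.NetworkPolicyConfig`) enabled, and nothing in this section touches AddonsConfig, so the create call may be rejected or enforcement may not reach the nodes. createCluster begins before the first hunk and checkDiffAndPrepareUpdate continues past the last one, so I cannot see whether the update path compares `existingCluster.NetworkPolicy` against the spec; if it does not, a policy disabled out of band would not be reverted.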
Expand Up @@ -117,6 +117,17 @@ spec:
Public IP addresses.
type: boolean
type: object
networkPolicy:
description: NetworkPolicy represents configuration options for NetworkPolicy
feature of the GKE cluster. This feature is disabled if this field
is not specified.
properties:
provider:
description: The selected network policy provider.
enum:
- calico
type: string
type: object
project:
description: Project is the name of the project to deploy the cluster
to.
12 changes: 12 additions & 0 deletions exp/api/v1beta1/gcpmanagedcontrolplane_types.go
Expand Up @@ -57,6 +57,10 @@ type GCPManagedControlPlaneSpec struct {
// This feature is disabled if this field is not specified.
// +optional
MasterAuthorizedNetworksConfig *MasterAuthorizedNetworksConfig `json:"master_authorized_networks_config,omitempty"`
// NetworkPolicy represents configuration options for NetworkPolicy feature of the GKE cluster.
// This feature is disabled if this field is not specified.
// +optional
NetworkPolicy *NetworkPolicy `json:"networkPolicy,omitempty"`
}

// GCPManagedControlPlaneStatus defines the observed state of GCPManagedControlPlane.
Expand Down Expand Up @@ -142,6 +146,14 @@ type MasterAuthorizedNetworksConfigCidrBlock struct {
CidrBlock string `json:"cidr_block,omitempty"`
}

// NetworkPolicy represents configuration options for NetworkPolicy feature of the GKE cluster.
type NetworkPolicy struct {
// The selected network policy provider.
// +kubebuilder:validation:Enum=calico
// +optional
Provider string `json:"provider,omitempty"`

If NetworkPolicy is supplied by the user, should we require that they also supply Provider? It feels like they should.

}

// GetConditions returns the control planes conditions.
func (r *GCPManagedControlPlane) GetConditions() clusterv1.Conditions {
return r.Status.Conditions
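Review bot: The field comment on `NetworkPolicy` says the feature is disabled when the field is unset but not that the webhook in this PR rejects any later change, which is the property an operator most needs before creating the cluster, since turning enforcement on afterwards means recreating the control plane. Add to the field comment: `// This field is immutable after creation; enabling or disabling NetworkPolicy later requires recreating the cluster.`. The `Provider` comment does not follow the Go convention of starting with the name or list what is accepted; `// Provider is the network policy provider to enable. Only "calico" is supported.` would do both. The json tag `networkPolicy` follows the Kubernetes camelCase convention whereas the sibling uses `master_authorized_networks_config`; the new name is the right one, but the inconsistency is worth a sentence in the PR description so nobody "fixes" it the other way later.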
7 changes: 7 additions & 0 deletions exp/api/v1beta1/gcpmanagedcontrolplane_webhook.go
Expand Up @@ -130,6 +130,13 @@ func (r *GCPManagedControlPlane) ValidateUpdate(oldRaw runtime.Object) (admissio
)
}

if !cmp.Equal(r.Spec.NetworkPolicy, old.Spec.NetworkPolicy) {
allErrs = append(allErrs,
field.Invalid(field.NewPath("spec", "NetworkPolicy"),
r.Spec.NetworkPolicy, "field is immutable"),
)
}

if len(allErrs) == 0 {
return nil, nil
}
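Review bot: The error path uses `field.NewPath("spec", "NetworkPolicy")` while the serialized field is `networkPolicy`; admission failures are read by users in terms of the YAML path, so this should be `field.NewPath("spec", "networkPolicy")` to match the json tag on the type. The comparison itself is sound, as `cmp.Equal` dereferences the pointers, so nil versus `{}` and differing `Provider` strings are all rejected, but nothing says why, and a line above the check such as `// NetworkPolicy cannot be toggled or re-provided on an existing GKE cluster through this controller; reject any change.` would record the intent. Note that this also means a cluster created without the field can never gain enforcement through this controller, which is a security-relevant consequence that should be stated on the type. ValidateUpdate starts before this hunk.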
20 changes: 20 additions & 0 deletions exp/api/v1beta1/zz_generated.deepcopy.go
