Add AppliedTo struct for internal NetworkPolicy (antrea-io#3678)

Currently AppliedTo shares the NetworkPolicyPeer with To/From fields, yet some members such as Namespaces and FQDN would not be set in AppliedTo, and Service would not be set in To/From. So, it is beneficial to use a separate struct for distinction, as well as future extensions. Current solution introduces the AppliedTo struct for appliedto fields, which does not share any member with NetworkPolicyPeer. Fixes antrea-io#2686. Signed-off-by: Qiyue Yao <yaoq@vmware.com>
tnqn · Oct 20, 2022 · c491ead · c491ead
1 parent 14e0dda
commit c491ead
Show file tree

Hide file tree

Showing 18 changed files with 214 additions and 145 deletions.
diff --git a/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller_test.go b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller_test.go
@@ -73,7 +73,7 @@ var (
 			ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{
 				Tier:     "securityops",
 				Priority: 1.0,
-				AppliedTo: []v1alpha1.NetworkPolicyPeer{
+				AppliedTo: []v1alpha1.AppliedTo{
 					{NamespaceSelector: &metav1.LabelSelector{}},
 				},
 				Ingress: []v1alpha1.Rule{
@@ -112,7 +112,7 @@ var (
 			ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{
 				Tier:     "somerandomtier",
 				Priority: 1.0,
-				AppliedTo: []v1alpha1.NetworkPolicyPeer{
+				AppliedTo: []v1alpha1.AppliedTo{
 					{NamespaceSelector: &metav1.LabelSelector{}},
 				},
 			},
@@ -214,7 +214,7 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) {
 		Spec: v1alpha1.ClusterNetworkPolicySpec{
 			Tier:     "securityops",
 			Priority: 1.0,
-			AppliedTo: []v1alpha1.NetworkPolicyPeer{
+			AppliedTo: []v1alpha1.AppliedTo{
 				{NamespaceSelector: &metav1.LabelSelector{}},
 			},
 			Ingress: []v1alpha1.Rule{
@@ -242,7 +242,7 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) {
 			ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{
 				Tier:     "securityops",
 				Priority: 1.0,
-				AppliedTo: []v1alpha1.NetworkPolicyPeer{
+				AppliedTo: []v1alpha1.AppliedTo{
 					{NamespaceSelector: &metav1.LabelSelector{}},
 				},
 			},
@@ -256,7 +256,7 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) {
 		Spec: v1alpha1.ClusterNetworkPolicySpec{
 			Tier:     "securityops",
 			Priority: 1.0,
-			AppliedTo: []v1alpha1.NetworkPolicyPeer{
+			AppliedTo: []v1alpha1.AppliedTo{
 				{NamespaceSelector: &metav1.LabelSelector{}},
 			},
 		},
@@ -272,7 +272,7 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) {
 			ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{
 				Tier:     "somerandomtier",
 				Priority: 1.0,
-				AppliedTo: []v1alpha1.NetworkPolicyPeer{
+				AppliedTo: []v1alpha1.AppliedTo{
 					{NamespaceSelector: &metav1.LabelSelector{}},
 				},
 			},
@@ -293,7 +293,7 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) {
 		Spec: v1alpha1.ClusterNetworkPolicySpec{
 			Tier:     "securityops",
 			Priority: 1.0,
-			AppliedTo: []v1alpha1.NetworkPolicyPeer{
+			AppliedTo: []v1alpha1.AppliedTo{
 				{NamespaceSelector: &metav1.LabelSelector{}},
 			},
 		},

diff --git a/multicluster/controllers/multicluster/resourceexport_controller_test.go b/multicluster/controllers/multicluster/resourceexport_controller_test.go
@@ -63,7 +63,7 @@ var (
 	isolationACNPSpec = &v1alpha1.ClusterNetworkPolicySpec{
 		Tier:     "securityops",
 		Priority: 1.0,
-		AppliedTo: []v1alpha1.NetworkPolicyPeer{
+		AppliedTo: []v1alpha1.AppliedTo{
 			{NamespaceSelector: &metav1.LabelSelector{}},
 		},
 		Ingress: []v1alpha1.Rule{

diff --git a/multicluster/controllers/multicluster/stale_controller_test.go b/multicluster/controllers/multicluster/stale_controller_test.go
@@ -139,7 +139,7 @@ func TestStaleController_CleanupACNP(t *testing.T) {
 			ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{
 				Tier:     "securityops",
 				Priority: 1.0,
-				AppliedTo: []v1alpha1.NetworkPolicyPeer{
+				AppliedTo: []v1alpha1.AppliedTo{
 					{NamespaceSelector: &metav1.LabelSelector{}},
 				},
 			},

diff --git a/pkg/apis/crd/v1alpha1/types.go b/pkg/apis/crd/v1alpha1/types.go
@@ -311,7 +311,7 @@ type NetworkPolicySpec struct {
 	// Select workloads on which the rules will be applied to. Cannot be set in
 	// conjunction with AppliedTo in each rule.
 	// +optional
-	AppliedTo []NetworkPolicyPeer `json:"appliedTo,omitempty"`
+	AppliedTo []AppliedTo `json:"appliedTo,omitempty"`
 	// Set of ingress rules evaluated based on the order in which they are set.
 	// Currently Ingress rule supports setting the `From` field but not the `To`
 	// field within a Rule.
@@ -420,7 +420,7 @@ type Rule struct {
 	// Select workloads on which this rule will be applied to. Cannot be set in
 	// conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo.
 	// +optional
-	AppliedTo []NetworkPolicyPeer `json:"appliedTo,omitempty"`
+	AppliedTo []AppliedTo `json:"appliedTo,omitempty"`
 }
 
 // NetworkPolicyPeer describes the grouping selector of workloads.
@@ -431,7 +431,7 @@ type NetworkPolicyPeer struct {
 	// +optional
 	IPBlock *IPBlock `json:"ipBlock,omitempty"`
 	// Select Pods from NetworkPolicy's Namespace as workloads in
-	// AppliedTo/To/From fields. If set with NamespaceSelector, Pods are
+	// To/From fields. If set with NamespaceSelector, Pods are
 	// matched from Namespaces matched by the NamespaceSelector.
 	// Cannot be set with any other selector except NamespaceSelector.
 	// +optional
@@ -443,7 +443,7 @@ type NetworkPolicyPeer struct {
 	// ExternalEntitySelector. Cannot be set with Namespaces.
 	// +optional
 	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
-	// Select Pod/ExternalEntity from Namespaces matched by specifc criteria.
+	// Select Pod/ExternalEntity from Namespaces matched by specific criteria.
 	// Current supported criteria is match: Self, which selects from the same
 	// Namespace of the appliedTo workloads.
 	// Cannot be set with any other selector except PodSelector or
@@ -453,16 +453,15 @@ type NetworkPolicyPeer struct {
 	// +optional
 	Namespaces *PeerNamespaces `json:"namespaces,omitempty"`
 	// Select ExternalEntities from NetworkPolicy's Namespace as workloads
-	// in AppliedTo/To/From fields. If set with NamespaceSelector,
+	// in To/From fields. If set with NamespaceSelector,
 	// ExternalEntities are matched from Namespaces matched by the
 	// NamespaceSelector.
 	// Cannot be set with any other selector except NamespaceSelector.
 	// +optional
 	ExternalEntitySelector *metav1.LabelSelector `json:"externalEntitySelector,omitempty"`
-	// Group is the name of the ClusterGroup which can be set as an
-	// AppliedTo or within an Ingress or Egress rule in place of
-	// a stand-alone selector. A Group cannot be set with any other
-	// selector.
+	// Group is the name of the ClusterGroup which can be set within
+	// an Ingress or Egress rule in place of a stand-alone selector.
+	// A Group cannot be set with any other selector.
 	Group string `json:"group,omitempty"`
 	// Restrict egress access to the Fully Qualified Domain Names prescribed
 	// by name or by wildcard match patterns. This field can only be set for
@@ -472,14 +471,48 @@ type NetworkPolicyPeer struct {
 	//  Wildcard expressions, i.e. "*wayfair.com".
 	FQDN string `json:"fqdn,omitempty"`
 	// Select all Pods with the ServiceAccount matched by this field, as
-	// workloads in AppliedTo/To/From fields.
+	// workloads in To/From fields.
 	// Cannot be set with any other selector.
 	// +optional
 	ServiceAccount *NamespacedName `json:"serviceAccount,omitempty"`
 	// Select certain Nodes which match the label selector.
 	// A NodeSelector cannot be set in AppliedTo field or set with any other selector.
 	// +optional
 	NodeSelector *metav1.LabelSelector `json:"nodeSelector,omitempty"`
+}
+
+// AppliedTo describes the grouping selector of workloads in AppliedTo field.
+type AppliedTo struct {
+	// Select Pods from NetworkPolicy's Namespace as workloads in
+	// AppliedTo fields. If set with NamespaceSelector, Pods are
+	// matched from Namespaces matched by the NamespaceSelector.
+	// Cannot be set with any other selector except NamespaceSelector.
+	// +optional
+	PodSelector *metav1.LabelSelector `json:"podSelector,omitempty"`
+	// Select all Pods from Namespaces matched by this selector, as
+	// workloads in AppliedTo fields. If set with PodSelector,
+	// Pods are matched from Namespaces matched by the NamespaceSelector.
+	// Cannot be set with any other selector except PodSelector or
+	// ExternalEntitySelector. Cannot be set with Namespaces.
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+	// Select ExternalEntities from NetworkPolicy's Namespace as workloads
+	// in AppliedTo fields. If set with NamespaceSelector,
+	// ExternalEntities are matched from Namespaces matched by the
+	// NamespaceSelector.
+	// Cannot be set with any other selector except NamespaceSelector.
+	// +optional
+	ExternalEntitySelector *metav1.LabelSelector `json:"externalEntitySelector,omitempty"`
+	// Group is the name of the ClusterGroup which can be set as an
+	// AppliedTo in place of a stand-alone selector. A Group cannot
+	// be set with any other selector.
+	// +optional
+	Group string `json:"group,omitempty"`
+	// Select all Pods with the ServiceAccount matched by this field, as
+	// workloads in AppliedTo fields.
+	// Cannot be set with any other selector.
+	// +optional
+	ServiceAccount *NamespacedName `json:"serviceAccount,omitempty"`
 	// Select a certain Service which matches the NamespacedName.
 	// A Service can only be set in either policy level AppliedTo field in a policy
 	// that only has ingress rules or rule level AppliedTo field in an ingress rule.
@@ -586,7 +619,7 @@ type ClusterNetworkPolicySpec struct {
 	// Select workloads on which the rules will be applied to. Cannot be set in
 	// conjunction with AppliedTo in each rule.
 	// +optional
-	AppliedTo []NetworkPolicyPeer `json:"appliedTo,omitempty"`
+	AppliedTo []AppliedTo `json:"appliedTo,omitempty"`
 	// Set of ingress rules evaluated based on the order in which they are set.
 	// Currently Ingress rule supports setting the `From` field but not the `To`
 	// field within a Rule.

diff --git a/pkg/apis/crd/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/crd/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy.go b/pkg/controller/networkpolicy/antreanetworkpolicy.go
@@ -155,7 +155,7 @@ func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *crdv1alpha1.Net
 	return internalNetworkPolicy, appliedToGroups, addressGroups
 }
 
-func (n *NetworkPolicyController) processAppliedTo(namespace string, appliedTo []crdv1alpha1.NetworkPolicyPeer) []*antreatypes.AppliedToGroup {
+func (n *NetworkPolicyController) processAppliedTo(namespace string, appliedTo []crdv1alpha1.AppliedTo) []*antreatypes.AppliedToGroup {
 	var appliedToGroups []*antreatypes.AppliedToGroup
 	for _, at := range appliedTo {
 		var atg *antreatypes.AppliedToGroup

diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy_test.go b/pkg/controller/networkpolicy/antreanetworkpolicy_test.go
@@ -66,7 +66,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) {
 			inputPolicy: &crdv1alpha1.NetworkPolicy{
 				ObjectMeta: metav1.ObjectMeta{Namespace: "ns1", Name: "npA", UID: "uidA"},
 				Spec: crdv1alpha1.NetworkPolicySpec{
-					AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
+					AppliedTo: []crdv1alpha1.AppliedTo{
 						{PodSelector: &selectorA},
 					},
 					Priority: p10,
@@ -155,7 +155,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) {
 			inputPolicy: &crdv1alpha1.NetworkPolicy{
 				ObjectMeta: metav1.ObjectMeta{Namespace: "ns2", Name: "npB", UID: "uidB"},
 				Spec: crdv1alpha1.NetworkPolicySpec{
-					AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
+					AppliedTo: []crdv1alpha1.AppliedTo{
 						{PodSelector: &selectorA},
 					},
 					Priority: p10,
@@ -244,7 +244,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) {
 					Priority:  p10,
 					Ingress: []crdv1alpha1.Rule{
 						{
-							AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
+							AppliedTo: []crdv1alpha1.AppliedTo{
 								{
 									PodSelector: &selectorA,
 								},
@@ -262,7 +262,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) {
 							Action: &allowAction,
 						},
 						{
-							AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
+							AppliedTo: []crdv1alpha1.AppliedTo{
 								{
 									PodSelector: &selectorB,
 								},
@@ -339,7 +339,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) {
 			inputPolicy: &crdv1alpha1.NetworkPolicy{
 				ObjectMeta: metav1.ObjectMeta{Namespace: "ns4", Name: "npD", UID: "uidD"},
 				Spec: crdv1alpha1.NetworkPolicySpec{
-					AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
+					AppliedTo: []crdv1alpha1.AppliedTo{
 						{PodSelector: &selectorA},
 					},
 					Priority: p10,
@@ -401,7 +401,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) {
 			inputPolicy: &crdv1alpha1.NetworkPolicy{
 				ObjectMeta: metav1.ObjectMeta{Namespace: "ns5", Name: "npE", UID: "uidE"},
 				Spec: crdv1alpha1.NetworkPolicySpec{
-					AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
+					AppliedTo: []crdv1alpha1.AppliedTo{
 						{PodSelector: &selectorA},
 					},
 					Priority: p10,
@@ -454,7 +454,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) {
 			inputPolicy: &crdv1alpha1.NetworkPolicy{
 				ObjectMeta: metav1.ObjectMeta{Namespace: "ns6", Name: "npF", UID: "uidF"},
 				Spec: crdv1alpha1.NetworkPolicySpec{
-					AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
+					AppliedTo: []crdv1alpha1.AppliedTo{
 						{PodSelector: &selectorA},
 					},
 					Priority: p10,
@@ -512,7 +512,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) {
 			inputPolicy: &crdv1alpha1.NetworkPolicy{
 				ObjectMeta: metav1.ObjectMeta{Namespace: "ns7", Name: "npG", UID: "uidG"},
 				Spec: crdv1alpha1.NetworkPolicySpec{
-					AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
+					AppliedTo: []crdv1alpha1.AppliedTo{
 						{PodSelector: &selectorA},
 					},
 					Priority: p10,
@@ -648,7 +648,7 @@ func getANP() *crdv1alpha1.NetworkPolicy {
 	npObj := &crdv1alpha1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{Namespace: "test-ns", Name: "test-anp"},
 		Spec: crdv1alpha1.NetworkPolicySpec{
-			AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
+			AppliedTo: []crdv1alpha1.AppliedTo{
 				{PodSelector: &selectorA},
 			},
 			Priority: p10,

diff --git a/pkg/controller/networkpolicy/clustergroup_test.go b/pkg/controller/networkpolicy/clustergroup_test.go
@@ -932,7 +932,7 @@ func TestSyncInternalGroup(t *testing.T) {
 	cnp1 := &crdv1alpha1.ClusterNetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{Name: "cnp1", UID: "uid1"},
 		Spec: crdv1alpha1.ClusterNetworkPolicySpec{
-			AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
+			AppliedTo: []crdv1alpha1.AppliedTo{
 				{PodSelector: &selectorB},
 			},
 			Priority: p10,
@@ -949,7 +949,7 @@ func TestSyncInternalGroup(t *testing.T) {
 	cnp2 := &crdv1alpha1.ClusterNetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{Name: "cnp2", UID: "uid2"},
 		Spec: crdv1alpha1.ClusterNetworkPolicySpec{
-			AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
+			AppliedTo: []crdv1alpha1.AppliedTo{
 				{PodSelector: &selectorC},
 			},
 			Priority: p20,