

Add support for selecting external destinations as egress peers
Some FTR things:

    1) As an egress peer a user can select either namespaces, or pods or
       nodes or externalNetworks.
    In a given rule more than 1 type of selection is not allowed.
    2) An empty externalNetworks selector means it selects all externalNetworkSets in the cluster.
    3) externalNetworks can be set only from to.Peer

Signed-off-by: Surya Seetharaman <[email protected]>
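Worked example, added here and not part of this commit or of the network-policy-api project: a small Go validator that applies the rules the commit message lays out to one egress peer. Rule 1 (exactly one peer type per rule) is checked by counting which fields are present; rule 3 is implicit because the type is an egress peer. The label selectors are reduced to plain maps (the real type uses *metav1.LabelSelector), and the CIDR check uses net/netip rather than the commit's `validate:"cidr"` struct tag, so that an entry with host bits set or an IPv4-mapped IPv6 spelling is rejected instead of being read differently by different enforcers. For externalNetworks the example follows the schema's MinItems=1 and rejects an empty list; the "empty selects all" sentence in the commit message is not representable under that bound. The names EgressPeer, ValidateEgressPeer and ParseCIDR are illustrative.

```go
package main

import (
	"fmt"
	"net/netip"
)

// EgressPeer is an illustrative stand-in for AdminNetworkPolicyEgressPeer.
// The real type uses *metav1.LabelSelector for the first three fields; here a
// nil map means "field absent" and a non-nil (possibly empty) map means
// "selector present", which is the distinction the one-peer-type rule needs.
type EgressPeer struct {
	Namespaces       map[string]string
	Pods             map[string]string
	Nodes            map[string]string
	ExternalNetworks []string
}

// Bounds copied from the kubebuilder markers on the ExternalNetworks field.
const (
	minExternalNetworks = 1
	maxExternalNetworks = 100
)

// ValidateEgressPeer enforces: exactly one peer type per rule; an
// externalNetworks list has between 1 and 100 entries; every entry is a
// canonical IPv4 or IPv6 CIDR; no prefix is listed twice.
func ValidateEgressPeer(p EgressPeer) error {
	set := 0
	for _, present := range []bool{p.Namespaces != nil, p.Pods != nil, p.Nodes != nil, p.ExternalNetworks != nil} {
		if present {
			set++
		}
	}
	if set != 1 {
		return fmt.Errorf("egress peer must set exactly one of namespaces, pods, nodes, externalNetworks; got %d", set)
	}
	if p.ExternalNetworks == nil {
		return nil // a label-selector peer; an empty selector (select all) is allowed
	}
	if n := len(p.ExternalNetworks); n < minExternalNetworks || n > maxExternalNetworks {
		return fmt.Errorf("externalNetworks must have %d..%d entries, got %d", minExternalNetworks, maxExternalNetworks, n)
	}
	seen := make(map[netip.Prefix]struct{}, len(p.ExternalNetworks))
	for i, s := range p.ExternalNetworks {
		pfx, err := ParseCIDR(s)
		if err != nil {
			return fmt.Errorf("externalNetworks[%d]: %w", i, err)
		}
		if _, dup := seen[pfx]; dup {
			return fmt.Errorf("externalNetworks[%d]: duplicate prefix %s", i, pfx)
		}
		seen[pfx] = struct{}{}
	}
	return nil
}

// ParseCIDR is stricter than "does it parse": the prefix must be in masked
// form (no host bits set) and must not be an IPv4-mapped IPv6 address, so that
// each range has exactly one spelling and "203.0.113.1/24" cannot be read as
// either a /24 or a single host depending on the enforcer.
func ParseCIDR(s string) (netip.Prefix, error) {
	pfx, err := netip.ParsePrefix(s) // rejects zones, bare IPs and bad lengths
	if err != nil {
		return netip.Prefix{}, err
	}
	if pfx.Addr().Is4In6() {
		return netip.Prefix{}, fmt.Errorf("%q: write IPv4 ranges in dotted form, not IPv4-mapped IPv6", s)
	}
	if pfx != pfx.Masked() {
		return netip.Prefix{}, fmt.Errorf("%q has host bits set; canonical form is %s", s, pfx.Masked())
	}
	return pfx, nil
}

func main() {
	// Constructed sample peers, one per rule the validator covers.
	peers := []EgressPeer{
		{ExternalNetworks: []string{"203.0.113.0/24", "2001:db8::/32"}},       // ok
		{Namespaces: map[string]string{}},                                     // ok: empty selector = all namespaces
		{ExternalNetworks: []string{"203.0.113.1/24"}},                        // host bits set
		{Nodes: map[string]string{}, ExternalNetworks: []string{"0.0.0.0/0"}}, // two peer types in one rule
		{ExternalNetworks: []string{}},                                        // present but empty
	}
	for _, p := range peers {
		fmt.Printf("%+v -> %v\n", p, ValidateEgressPeer(p))
	}
}
```

The duplicate check and the masked-form check are the example's own additions; neither is in the commit, but both close the gap between "the string parses" and "every implementation reads the same range".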
tssurya committed Oct 26, 2023
1 parent d61fdc7 commit 43ef2d3
Showing 6 changed files with 74 additions and 0 deletions.
13 changes: 13 additions & 0 deletions apis/v1alpha1/shared_types.go
@@ -170,6 +170,19 @@ type AdminNetworkPolicyEgressPeer struct {
//
// +optional
Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
// ExternalNetworks defines a way to select ExternalNetworkSets
// that consist of network CIDRs that live outside the cluster as a peer.
// It is the list of NetworkCIDR (both v4 & v6) that can be used to define
// external destinations.
// This field follows standard label selector semantics; if present
// but empty, it selects all ExternalNetworkSets defined in the cluster.
//
// Support: Core
//
// +optional
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=100
ExternalNetworks []string `json:"externalNetworks,omitempty" validate:"omitempty,dive,cidr"`
}

// NamespacedPeer defines a flexible way to select Namespaces in a cluster.
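Review bot: the doc comment on ExternalNetworks does not describe the field it annotates. The comment says the field selects ExternalNetworkSets with standard label selector semantics and that a present-but-empty value selects all sets in the cluster, but the type is `[]string` of CIDRs (`validate:"omitempty,dive,cidr"`) and `+kubebuilder:validation:MinItems=1` makes an empty list invalid, so there is no "selects all" case. Either make the field a `*metav1.LabelSelector` over ExternalNetworkSet objects as the comment says, or rewrite the comment to say it is a list of one to one hundred IPv4/IPv6 CIDRs. Separately, the `validate:` struct tag is only honoured by code that runs go-playground validation and contributes nothing to the generated CRD schema, so the apiserver will admit any string here unless a `+kubebuilder:validation:Pattern` marker or a CEL rule is added.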
5 changes: 5 additions & 0 deletions apis/v1alpha1/zz_generated.deepcopy.go


@@ -164,6 +164,20 @@ spec:
maxProperties: 1
minProperties: 1
properties:
externalNetworks:
description: "ExternalNetworks defines a way to select
ExternalNetworkSets that consist of network CIDRs that
live outside the cluster as a peer. It is the list of
NetworkCIDR (both v4 & v6) that can be used to define
external destinations. This field follows standard label
selector semantics; if present but empty, it selects
all ExternalNetworkSets defined in the cluster. \n Support:
Core"
items:
type: string
maxItems: 100
minItems: 1
type: array
namespaces:
description: "Namespaces defines a way to select a set
of Namespaces. \n Support: Core"
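Review bot: the generated schema admits any string for an entry: `items:` / `type: string` carries `maxItems` and `minItems` but no `format` or `pattern`, so the apiserver will store `externalNetworks: ["not-a-cidr"]` and leave rejection to each implementation. That means a policy can exist that one CNI enforces and another silently skips, which is the wrong failure mode for an allow/deny rule. Add a pattern or a CEL `x-kubernetes-validations` rule on the Go field (this file is generated) so malformed entries are rejected at admission.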
@@ -156,6 +156,20 @@ spec:
maxProperties: 1
minProperties: 1
properties:
externalNetworks:
description: "ExternalNetworks defines a way to select
ExternalNetworkSets that consist of network CIDRs that
live outside the cluster as a peer. It is the list of
NetworkCIDR (both v4 & v6) that can be used to define
external destinations. This field follows standard label
selector semantics; if present but empty, it selects
all ExternalNetworkSets defined in the cluster. \n Support:
Core"
items:
type: string
maxItems: 100
minItems: 1
type: array
namespaces:
description: "Namespaces defines a way to select a set
of Namespaces. \n Support: Core"
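Review bot: `minItems: 1` contradicts the description directly above it, which says that if present but empty the field selects all ExternalNetworkSets. With `minItems: 1` an empty list is rejected at admission, so the "selects all" sentence documents behaviour the schema cannot produce. Drop that sentence from the Go doc comment and regenerate, or drop `minItems` if select-all is really intended; given that an all-external-networks egress peer is a very broad allow target, requiring it to be written explicitly rather than falling out of an empty list is the safer of the two.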
@@ -160,6 +160,20 @@ spec:
maxProperties: 1
minProperties: 1
properties:
externalNetworks:
description: "ExternalNetworks defines a way to select
ExternalNetworkSets that consist of network CIDRs that
live outside the cluster as a peer. It is the list of
NetworkCIDR (both v4 & v6) that can be used to define
external destinations. This field follows standard label
selector semantics; if present but empty, it selects
all ExternalNetworkSets defined in the cluster. \n Support:
Core"
items:
type: string
maxItems: 100
minItems: 1
type: array
namespaces:
description: "Namespaces defines a way to select a set
of Namespaces. \n Support: Core"
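Review bot: the `maxProperties: 1` / `minProperties: 1` context lines are what enforce rule 1 of the commit message (one peer type per rule), so adding `externalNetworks` as a sibling of `namespaces` here gives exclusivity for free. What the schema and the description leave open is whether a CIDR that overlaps the cluster's own pod or service ranges is allowed: the description says the CIDRs "live outside the cluster", but nothing checks that, and a broad private range written as an external destination can cover pod IPs and turn an "external egress" rule into an intra-cluster allow. State in the description whether such overlap is invalid, ignored, or implementation-defined.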
@@ -152,6 +152,20 @@ spec:
maxProperties: 1
minProperties: 1
properties:
externalNetworks:
description: "ExternalNetworks defines a way to select
ExternalNetworkSets that consist of network CIDRs that
live outside the cluster as a peer. It is the list of
NetworkCIDR (both v4 & v6) that can be used to define
external destinations. This field follows standard label
selector semantics; if present but empty, it selects
all ExternalNetworkSets defined in the cluster. \n Support:
Core"
items:
type: string
maxItems: 100
minItems: 1
type: array
namespaces:
description: "Namespaces defines a way to select a set
of Namespaces. \n Support: Core"
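Review bot: this is the fourth identical copy of the generated block, so any fix to the description or the `minItems` / `maxItems` bounds has to be made once in apis/v1alpha1/shared_types.go and regenerated rather than patched here; a hand edit to one of the four CRD files would leave the others out of step.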
