Add DomainName field to AdminNetworkPolicyEgressPeer

apis/v1alpha1/adminnetworkpolicy_types.go

@@ -219,6 +219,104 @@ type AdminNetworkPolicyEgressRule struct {
 // +kubebuilder:validation:Enum={"Allow", "Deny", "Pass"}
 type AdminNetworkPolicyRuleAction string
 
+// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
+// Exactly one of the selector pointers must be set for a given peer. If a
+// consumer observes none of its fields are set, they must assume an unknown
+// option has been specified and fail closed.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type AdminNetworkPolicyEgressPeer struct {
+	// Namespaces defines a way to select all pods within a set of Namespaces.
+	// Note that host-networked pods are not included in this type of peer.
+	//
+	// Support: Core
+	//
+	// +optional
+	Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
+	// Pods defines a way to select a set of pods in
+	// a set of namespaces. Note that host-networked pods
+	// are not included in this type of peer.
+	//
+	// Support: Core
+	//
+	// +optional
+	Pods *NamespacedPod `json:"pods,omitempty"`
+	// Nodes defines a way to select a set of nodes in
+	// the cluster. This field follows standard label selector
+	// semantics; if present but empty, it selects all Nodes.
+	//
+	// Support: Extended
+	//
+	// <network-policy-api:experimental>
+	// +optional
+	Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
+	// Networks defines a way to select peers via CIDR blocks.
+	// This is intended for representing entities that live outside the cluster,
+	// which can't be selected by pods, namespaces and nodes peers, but note
+	// that cluster-internal traffic will be checked against the rule as
+	// well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
+	// or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
+	// add a rule that Passes all pod traffic before the Networks rule.
+	//
+	// Each item in Networks should be provided in the CIDR format and should be
+	// IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
+	//
+	// Networks can have upto 25 CIDRs specified.
+	//
+	// Support: Extended
+	//
+	// <network-policy-api:experimental>
+	// +optional
+	// +listType=set
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=25
+	Networks []CIDR `json:"networks,omitempty"`
+
+	// DomainNames provides a way to specify domain names as peers.
+	// 
+	// DomainNames is only supported for ALLOW rules. In order to control
+	// access, DomainNames ALLOW rules should be used with a lower priority
+	// egress deny -- this allows the admin to maintain an explicit "allowlist"
+	// of reachable domains.
+	// 
+	// Support: Extended
+	//
+	// <network-policy-api:experimental>
+	// +optional
+	// +listType=set
+	// +kubebuilder:validation:MinItems=1
+	DomainNames []DomainName `json:"domainNames,omitempty"`
+}
+
+// CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
+// This string must be validated by implementations using net.ParseCIDR
+// TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available.
+// +kubebuilder:validation:XValidation:rule="self.contains(':') != self.contains('.')",message="CIDR must be either an IPv4 or IPv6 address. IPv4 address embedded in IPv6 addresses are not supported"
+// +kubebuilder:validation:MaxLength=43
+type CIDR string
+
+// DomainName describes one or more domain names to be used as a peer.
+//
+// DomainName can be an exact match, or use the wildcard specifier '*' to match
+// one or more labels.
+//
+// '*', the wildcard specifier, matches one or more entire labels. It does not
+// support partial matches. '*' may only be specified as a prefix.
+// 
+// Examples:
+//	- `kubernetes.io` matches only `kubernetes.io`.
+//	  It does not match "www.kubernetes.io", "blog.kubernetes.io",
+//	  "my-kubernetes.io", or "wikipedia.org".
+//	- `blog.kubernetes.io` matches only "blog.kubernetes.io".
+//	  It does not match "www.kubernetes.io" or "kubernetes.io".
+//	- `*.kubernetes.io` matches subdomains of kubernetes.io.
+//	  "www.kubernetes.io", "blog.kubernetes.io", and
+//	  "latest.blog.kubernetes.io" match, however "kubernetes.io", and
+//	  "wikipedia.org" do not.
+//
+// +kubebuilder:validation:Pattern=`^(\*\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.?$`
+type DomainName string
+
 const (
 	// AdminNetworkPolicyRuleActionAllow indicates that matching traffic will be
 	// allowed regardless of NetworkPolicy and BaselineAdminNetworkPolicy

apis/v1alpha1/baselineadminnetworkpolicy_types.go

@@ -167,15 +167,15 @@ type BaselineAdminNetworkPolicyEgressRule struct {
 	Action BaselineAdminNetworkPolicyRuleAction `json:"action"`
 
 	// To is the list of destinations whose traffic this rule applies to.
-	// If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
+	// If any BaselineAdminNetworkPolicyEgressPeer matches the destination of outgoing
 	// traffic then the specified action is applied.
 	// This field must be defined and contain at least one item.
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
 	//
 	// Support: Core
 	//
-	To []AdminNetworkPolicyEgressPeer `json:"to"`
+	To []BaselineAdminNetworkPolicyEgressPeer `json:"to"`
 
 	// Ports allows for matching traffic based on port and protocols.
 	// This field is a list of destination ports for the outgoing egress traffic.
@@ -194,6 +194,67 @@ type BaselineAdminNetworkPolicyEgressRule struct {
 // +kubebuilder:validation:Enum={"Allow", "Deny"}
 type BaselineAdminNetworkPolicyRuleAction string
 
+// BaselineAdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
+// Exactly one of the selector pointers must be set for a given peer. If a
+// consumer observes none of its fields are set, they must assume an unknown
+// option has been specified and fail closed.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type BaselineAdminNetworkPolicyEgressPeer struct {
+	// Namespaces defines a way to select all pods within a set of Namespaces.
+	// Note that host-networked pods are not included in this type of peer.
+	//
+	// Support: Core
+	//
+	// +optional
+	Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
+	// Pods defines a way to select a set of pods in
+	// a set of namespaces. Note that host-networked pods
+	// are not included in this type of peer.
+	//
+	// Support: Core
+	//
+	// +optional
+	Pods *NamespacedPod `json:"pods,omitempty"`
+	// Nodes defines a way to select a set of nodes in
+	// the cluster. This field follows standard label selector
+	// semantics; if present but empty, it selects all Nodes.
+	//
+	// Support: Extended
+	//
+	// <network-policy-api:experimental>
+	// +optional
+	Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
+	// Networks defines a way to select peers via CIDR blocks.
+	// This is intended for representing entities that live outside the cluster,
+	// which can't be selected by pods, namespaces and nodes peers, but note
+	// that cluster-internal traffic will be checked against the rule as
+	// well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
+	// or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
+	// add a rule that Passes all pod traffic before the Networks rule.
+	//
+	// Each item in Networks should be provided in the CIDR format and should be
+	// IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
+	//
+	// Networks can have upto 25 CIDRs specified.
+	//
+	// Support: Extended
+	//
+	// <network-policy-api:experimental>
+	// +optional
+	// +listType=set
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=25
+	Networks []CIDR `json:"networks,omitempty"`
+}
+
+// CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
+// This string must be validated by implementations using net.ParseCIDR
+// TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available.
+// +kubebuilder:validation:XValidation:rule="self.contains(':') != self.contains('.')",message="CIDR must be either an IPv4 or IPv6 address. IPv4 address embedded in IPv6 addresses are not supported"
+// +kubebuilder:validation:MaxLength=43
+type CIDR string
+
 const (
 	// BaselineAdminNetworkPolicyRuleActionDeny enables admins to deny traffic.
 	BaselineAdminNetworkPolicyRuleActionDeny BaselineAdminNetworkPolicyRuleAction = "Deny"

apis/v1alpha1/shared_types.go

@@ -143,64 +143,3 @@ type AdminNetworkPolicyIngressPeer struct {
 	// +optional
 	Pods *NamespacedPod `json:"pods,omitempty"`
 }
-
-// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
-// Exactly one of the selector pointers must be set for a given peer. If a
-// consumer observes none of its fields are set, they must assume an unknown
-// option has been specified and fail closed.
-// +kubebuilder:validation:MaxProperties=1
-// +kubebuilder:validation:MinProperties=1
-type AdminNetworkPolicyEgressPeer struct {
-	// Namespaces defines a way to select all pods within a set of Namespaces.
-	// Note that host-networked pods are not included in this type of peer.
-	//
-	// Support: Core
-	//
-	// +optional
-	Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
-	// Pods defines a way to select a set of pods in
-	// a set of namespaces. Note that host-networked pods
-	// are not included in this type of peer.
-	//
-	// Support: Core
-	//
-	// +optional
-	Pods *NamespacedPod `json:"pods,omitempty"`
-	// Nodes defines a way to select a set of nodes in
-	// the cluster. This field follows standard label selector
-	// semantics; if present but empty, it selects all Nodes.
-	//
-	// Support: Extended
-	//
-	// <network-policy-api:experimental>
-	// +optional
-	Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
-	// Networks defines a way to select peers via CIDR blocks.
-	// This is intended for representing entities that live outside the cluster,
-	// which can't be selected by pods, namespaces and nodes peers, but note
-	// that cluster-internal traffic will be checked against the rule as
-	// well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
-	// or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
-	// add a rule that Passes all pod traffic before the Networks rule.
-	//
-	// Each item in Networks should be provided in the CIDR format and should be
-	// IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
-	//
-	// Networks can have upto 25 CIDRs specified.
-	//
-	// Support: Extended
-	//
-	// <network-policy-api:experimental>
-	// +optional
-	// +listType=set
-	// +kubebuilder:validation:MinItems=1
-	// +kubebuilder:validation:MaxItems=25
-	Networks []CIDR `json:"networks,omitempty"`
-}
-
-// CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
-// This string must be validated by implementations using net.ParseCIDR
-// TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available.
-// +kubebuilder:validation:XValidation:rule="self.contains(':') != self.contains('.')",message="CIDR must be either an IPv4 or IPv6 address. IPv4 address embedded in IPv6 addresses are not supported"
-// +kubebuilder:validation:MaxLength=43
-type CIDR string

npeps/npep-133-fqdn-egress-selector.md

@@ -2,7 +2,7 @@
 
 * Issue:
   [#133](https://github.com/kubernetes-sigs/network-policy-api/issues/133)
-* Status: Provisional
+* Status: Implementable
 
 ## TLDR