Skip to content

Commit

Permalink
Add DomainName field to AdminNetworkPolicyEgressPeer
Browse files Browse the repository at this point in the history
  • Loading branch information
rahulkjoshi committed Jul 3, 2024
1 parent c7f1995 commit e75f11c
Show file tree
Hide file tree
Showing 4 changed files with 162 additions and 64 deletions.
98 changes: 98 additions & 0 deletions apis/v1alpha1/adminnetworkpolicy_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -219,6 +219,104 @@ type AdminNetworkPolicyEgressRule struct {
// +kubebuilder:validation:Enum={"Allow", "Deny", "Pass"}
type AdminNetworkPolicyRuleAction string

// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
// Exactly one of the selector pointers must be set for a given peer. If a
// consumer observes none of its fields are set, they must assume an unknown
// option has been specified and fail closed.
// +kubebuilder:validation:MaxProperties=1
// +kubebuilder:validation:MinProperties=1
type AdminNetworkPolicyEgressPeer struct {
// Namespaces defines a way to select all pods within a set of Namespaces.
// Note that host-networked pods are not included in this type of peer.
//
// Support: Core
//
// +optional
Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
// Pods defines a way to select a set of pods in
// a set of namespaces. Note that host-networked pods
// are not included in this type of peer.
//
// Support: Core
//
// +optional
Pods *NamespacedPod `json:"pods,omitempty"`
// Nodes defines a way to select a set of nodes in
// the cluster. This field follows standard label selector
// semantics; if present but empty, it selects all Nodes.
//
// Support: Extended
//
// <network-policy-api:experimental>
// +optional
Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
// Networks defines a way to select peers via CIDR blocks.
// This is intended for representing entities that live outside the cluster,
// which can't be selected by pods, namespaces and nodes peers, but note
// that cluster-internal traffic will be checked against the rule as
// well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
// or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
// add a rule that Passes all pod traffic before the Networks rule.
//
// Each item in Networks should be provided in the CIDR format and should be
// IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
//
// Networks can have upto 25 CIDRs specified.
//
// Support: Extended
//
// <network-policy-api:experimental>
// +optional
// +listType=set
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=25
Networks []CIDR `json:"networks,omitempty"`

// DomainNames provides a way to specify domain names as peers.
//
// DomainNames is only supported for ALLOW rules. In order to control
// access, DomainNames ALLOW rules should be used with a lower priority
// egress deny -- this allows the admin to maintain an explicit "allowlist"
// of reachable domains.
//
// Support: Extended
//
// <network-policy-api:experimental>
// +optional
// +listType=set
// +kubebuilder:validation:MinItems=1
DomainNames []DomainName `json:"domainNames,omitempty"`
}

// CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
// This string must be validated by implementations using net.ParseCIDR
// TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available.
// +kubebuilder:validation:XValidation:rule="self.contains(':') != self.contains('.')",message="CIDR must be either an IPv4 or IPv6 address. IPv4 address embedded in IPv6 addresses are not supported"
// +kubebuilder:validation:MaxLength=43
type CIDR string

// DomainName describes one or more domain names to be used as a peer.
//
// DomainName can be an exact match, or use the wildcard specifier '*' to match
// one or more labels.
//
// '*', the wildcard specifier, matches one or more entire labels. It does not
// support partial matches. '*' may only be specified as a prefix.
//
// Examples:
// - `kubernetes.io` matches only `kubernetes.io`.
// It does not match "www.kubernetes.io", "blog.kubernetes.io",
// "my-kubernetes.io", or "wikipedia.org".
// - `blog.kubernetes.io` matches only "blog.kubernetes.io".
// It does not match "www.kubernetes.io" or "kubernetes.io".
// - `*.kubernetes.io` matches subdomains of kubernetes.io.
// "www.kubernetes.io", "blog.kubernetes.io", and
// "latest.blog.kubernetes.io" match, however "kubernetes.io", and
// "wikipedia.org" do not.
//
// +kubebuilder:validation:Pattern=`^(\*\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.?$`
type DomainName string

const (
// AdminNetworkPolicyRuleActionAllow indicates that matching traffic will be
// allowed regardless of NetworkPolicy and BaselineAdminNetworkPolicy
Expand Down
65 changes: 63 additions & 2 deletions apis/v1alpha1/baselineadminnetworkpolicy_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -167,15 +167,15 @@ type BaselineAdminNetworkPolicyEgressRule struct {
Action BaselineAdminNetworkPolicyRuleAction `json:"action"`

// To is the list of destinations whose traffic this rule applies to.
// If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
// If any BaselineAdminNetworkPolicyEgressPeer matches the destination of outgoing
// traffic then the specified action is applied.
// This field must be defined and contain at least one item.
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=100
//
// Support: Core
//
To []AdminNetworkPolicyEgressPeer `json:"to"`
To []BaselineAdminNetworkPolicyEgressPeer `json:"to"`

// Ports allows for matching traffic based on port and protocols.
// This field is a list of destination ports for the outgoing egress traffic.
Expand All @@ -194,6 +194,67 @@ type BaselineAdminNetworkPolicyEgressRule struct {
// +kubebuilder:validation:Enum={"Allow", "Deny"}
type BaselineAdminNetworkPolicyRuleAction string

// BaselineAdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
// Exactly one of the selector pointers must be set for a given peer. If a
// consumer observes none of its fields are set, they must assume an unknown
// option has been specified and fail closed.
// +kubebuilder:validation:MaxProperties=1
// +kubebuilder:validation:MinProperties=1
type BaselineAdminNetworkPolicyEgressPeer struct {
// Namespaces defines a way to select all pods within a set of Namespaces.
// Note that host-networked pods are not included in this type of peer.
//
// Support: Core
//
// +optional
Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
// Pods defines a way to select a set of pods in
// a set of namespaces. Note that host-networked pods
// are not included in this type of peer.
//
// Support: Core
//
// +optional
Pods *NamespacedPod `json:"pods,omitempty"`
// Nodes defines a way to select a set of nodes in
// the cluster. This field follows standard label selector
// semantics; if present but empty, it selects all Nodes.
//
// Support: Extended
//
// <network-policy-api:experimental>
// +optional
Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
// Networks defines a way to select peers via CIDR blocks.
// This is intended for representing entities that live outside the cluster,
// which can't be selected by pods, namespaces and nodes peers, but note
// that cluster-internal traffic will be checked against the rule as
// well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
// or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
// add a rule that Passes all pod traffic before the Networks rule.
//
// Each item in Networks should be provided in the CIDR format and should be
// IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
//
// Networks can have upto 25 CIDRs specified.
//
// Support: Extended
//
// <network-policy-api:experimental>
// +optional
// +listType=set
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=25
Networks []CIDR `json:"networks,omitempty"`
}

// CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
// This string must be validated by implementations using net.ParseCIDR
// TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available.
// +kubebuilder:validation:XValidation:rule="self.contains(':') != self.contains('.')",message="CIDR must be either an IPv4 or IPv6 address. IPv4 address embedded in IPv6 addresses are not supported"
// +kubebuilder:validation:MaxLength=43
type CIDR string

const (
// BaselineAdminNetworkPolicyRuleActionDeny enables admins to deny traffic.
BaselineAdminNetworkPolicyRuleActionDeny BaselineAdminNetworkPolicyRuleAction = "Deny"
Expand Down
61 changes: 0 additions & 61 deletions apis/v1alpha1/shared_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -143,64 +143,3 @@ type AdminNetworkPolicyIngressPeer struct {
// +optional
Pods *NamespacedPod `json:"pods,omitempty"`
}

// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
// Exactly one of the selector pointers must be set for a given peer. If a
// consumer observes none of its fields are set, they must assume an unknown
// option has been specified and fail closed.
// +kubebuilder:validation:MaxProperties=1
// +kubebuilder:validation:MinProperties=1
type AdminNetworkPolicyEgressPeer struct {
// Namespaces defines a way to select all pods within a set of Namespaces.
// Note that host-networked pods are not included in this type of peer.
//
// Support: Core
//
// +optional
Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
// Pods defines a way to select a set of pods in
// a set of namespaces. Note that host-networked pods
// are not included in this type of peer.
//
// Support: Core
//
// +optional
Pods *NamespacedPod `json:"pods,omitempty"`
// Nodes defines a way to select a set of nodes in
// the cluster. This field follows standard label selector
// semantics; if present but empty, it selects all Nodes.
//
// Support: Extended
//
// <network-policy-api:experimental>
// +optional
Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
// Networks defines a way to select peers via CIDR blocks.
// This is intended for representing entities that live outside the cluster,
// which can't be selected by pods, namespaces and nodes peers, but note
// that cluster-internal traffic will be checked against the rule as
// well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
// or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
// add a rule that Passes all pod traffic before the Networks rule.
//
// Each item in Networks should be provided in the CIDR format and should be
// IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
//
// Networks can have upto 25 CIDRs specified.
//
// Support: Extended
//
// <network-policy-api:experimental>
// +optional
// +listType=set
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=25
Networks []CIDR `json:"networks,omitempty"`
}

// CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
// This string must be validated by implementations using net.ParseCIDR
// TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available.
// +kubebuilder:validation:XValidation:rule="self.contains(':') != self.contains('.')",message="CIDR must be either an IPv4 or IPv6 address. IPv4 address embedded in IPv6 addresses are not supported"
// +kubebuilder:validation:MaxLength=43
type CIDR string
2 changes: 1 addition & 1 deletion npeps/npep-133-fqdn-egress-selector.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

* Issue:
[#133](https://github.com/kubernetes-sigs/network-policy-api/issues/133)
* Status: Provisional
* Status: Implementable

## TLDR

Expand Down

0 comments on commit e75f11c

Please sign in to comment.