diff --git a/apis/v1alpha1/adminnetworkpolicy_types.go b/apis/v1alpha1/adminnetworkpolicy_types.go
index 6e903d67..6fcfe3e6 100644
--- a/apis/v1alpha1/adminnetworkpolicy_types.go
+++ b/apis/v1alpha1/adminnetworkpolicy_types.go
@@ -219,6 +219,104 @@ type AdminNetworkPolicyEgressRule struct {
 // +kubebuilder:validation:Enum={"Allow", "Deny", "Pass"}
 type AdminNetworkPolicyRuleAction string
 
+// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
+// Exactly one of the selector pointers must be set for a given peer. If a
+// consumer observes none of its fields are set, they must assume an unknown
+// option has been specified and fail closed.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type AdminNetworkPolicyEgressPeer struct {
+ // Namespaces defines a way to select all pods within a set of Namespaces.
+ // Note that host-networked pods are not included in this type of peer.
+ //
+ // Support: Core
+ //
+ // +optional
+ Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
+ // Pods defines a way to select a set of pods in
+ // a set of namespaces. Note that host-networked pods
+ // are not included in this type of peer.
+ //
+ // Support: Core
+ //
+ // +optional
+ Pods *NamespacedPod `json:"pods,omitempty"`
+ // Nodes defines a way to select a set of nodes in
+ // the cluster. This field follows standard label selector
+ // semantics; if present but empty, it selects all Nodes.
+ //
+ // Support: Extended
+ //
+ //
+ // +optional
+ Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
+ // Networks defines a way to select peers via CIDR blocks.
+ // This is intended for representing entities that live outside the cluster,
+ // which can't be selected by pods, namespaces and nodes peers, but note
+ // that cluster-internal traffic will be checked against the rule as
+ // well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
+ // or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
+ // add a rule that Passes all pod traffic before the Networks rule.
+ //
+ // Each item in Networks should be provided in the CIDR format and should be
+ // IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
+ //
+ // Networks can have upto 25 CIDRs specified.
+ //
+ // Support: Extended
+ //
+ //
+ // +optional
+ // +listType=set
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=25
+ Networks []CIDR `json:"networks,omitempty"`
+
+ // DomainNames provides a way to specify domain names as peers.
+ //
+ // DomainNames is only supported for ALLOW rules. In order to control
+ // access, DomainNames ALLOW rules should be used with a lower priority
+ // egress deny -- this allows the admin to maintain an explicit "allowlist"
+ // of reachable domains.
+ //
+ // Support: Extended
+ //
+ //
+ // +optional
+ // +listType=set
+ // +kubebuilder:validation:MinItems=1
+ DomainNames []DomainName `json:"domainNames,omitempty"`
+}
+
+// CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
+// This string must be validated by implementations using net.ParseCIDR
+// TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available.
+// +kubebuilder:validation:XValidation:rule="self.contains(':') != self.contains('.')",message="CIDR must be either an IPv4 or IPv6 address. IPv4 address embedded in IPv6 addresses are not supported"
+// +kubebuilder:validation:MaxLength=43
+type CIDR string
+
+// DomainName describes one or more domain names to be used as a peer.
+//
+// DomainName can be an exact match, or use the wildcard specifier '*' to match
+// one or more labels.
+//
+// '*', the wildcard specifier, matches one or more entire labels. It does not
+// support partial matches. '*' may only be specified as a prefix.
+//
+// Examples:
+// - `kubernetes.io` matches only `kubernetes.io`.
+// It does not match "www.kubernetes.io", "blog.kubernetes.io",
+// "my-kubernetes.io", or "wikipedia.org".
+// - `blog.kubernetes.io` matches only "blog.kubernetes.io".
+// It does not match "www.kubernetes.io" or "kubernetes.io".
+// - `*.kubernetes.io` matches subdomains of kubernetes.io.
+// "www.kubernetes.io", "blog.kubernetes.io", and
+// "latest.blog.kubernetes.io" match, however "kubernetes.io", and
+// "wikipedia.org" do not.
+//
+// +kubebuilder:validation:Pattern=`^(\*\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.?$`
+type DomainName string
+
 const (
 // AdminNetworkPolicyRuleActionAllow indicates that matching traffic will be
 // allowed regardless of NetworkPolicy and BaselineAdminNetworkPolicy
diff --git a/apis/v1alpha1/baselineadminnetworkpolicy_types.go b/apis/v1alpha1/baselineadminnetworkpolicy_types.go
index 120e2325..8caa088b 100644
--- a/apis/v1alpha1/baselineadminnetworkpolicy_types.go
+++ b/apis/v1alpha1/baselineadminnetworkpolicy_types.go
@@ -167,7 +167,7 @@ type BaselineAdminNetworkPolicyEgressRule struct {
 Action BaselineAdminNetworkPolicyRuleAction `json:"action"`
 
 // To is the list of destinations whose traffic this rule applies to.
- // If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
+ // If any BaselineAdminNetworkPolicyEgressPeer matches the destination of outgoing
 // traffic then the specified action is applied.
 // This field must be defined and contain at least one item.
 // +kubebuilder:validation:MinItems=1
@@ -175,7 +175,7 @@ type BaselineAdminNetworkPolicyEgressRule struct {
 //
 // Support: Core
 //
- To []AdminNetworkPolicyEgressPeer `json:"to"`
+ To []BaselineAdminNetworkPolicyEgressPeer `json:"to"`
 
 // Ports allows for matching traffic based on port and protocols.
 // This field is a list of destination ports for the outgoing egress traffic.
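Review bot: The `+kubebuilder:validation:Pattern` line for DomainName uses the character class `[a-zA-z0-9]` twice, and the range `A-z` also matches `[`, `\`, `]`, `^`, `_` and the backtick, so the CRD admits labels that begin or end with those characters, which the examples in the comment above never allow. Both occurrences should read `[a-zA-Z0-9]`, leaving the rest of the pattern as it is. The DomainNames comment states the field is only supported for ALLOW rules, but nothing in the schema enforces that and the action lives on AdminNetworkPolicyEgressRule outside this hunk; an XValidation on that rule, or a sentence in this comment stating that a Deny or Pass rule carrying domainNames must be rejected rather than partially applied, would make the fail-closed expectation explicit. The CIDR comment likewise requires implementations to validate with net.ParseCIDR but does not say what happens when parsing fails; `// An entry that does not parse must be treated as an invalid peer and fail closed, never skipped.` would align it with the struct-level wording. This hunk and the baselineadminnetworkpolicy_types.go hunk below each add `type CIDR string` under apis/v1alpha1 while the shared_types.go hunk removes the original, so the package now declares CIDR twice and will not compile unless one copy is dropped.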
@@ -194,6 +194,67 @@ type BaselineAdminNetworkPolicyEgressRule struct {
 // +kubebuilder:validation:Enum={"Allow", "Deny"}
 type BaselineAdminNetworkPolicyRuleAction string
 
+// BaselineAdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
+// Exactly one of the selector pointers must be set for a given peer. If a
+// consumer observes none of its fields are set, they must assume an unknown
+// option has been specified and fail closed.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type BaselineAdminNetworkPolicyEgressPeer struct {
+ // Namespaces defines a way to select all pods within a set of Namespaces.
+ // Note that host-networked pods are not included in this type of peer.
+ //
+ // Support: Core
+ //
+ // +optional
+ Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
+ // Pods defines a way to select a set of pods in
+ // a set of namespaces. Note that host-networked pods
+ // are not included in this type of peer.
+ //
+ // Support: Core
+ //
+ // +optional
+ Pods *NamespacedPod `json:"pods,omitempty"`
+ // Nodes defines a way to select a set of nodes in
+ // the cluster. This field follows standard label selector
+ // semantics; if present but empty, it selects all Nodes.
+ //
+ // Support: Extended
+ //
+ //
+ // +optional
+ Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
+ // Networks defines a way to select peers via CIDR blocks.
+ // This is intended for representing entities that live outside the cluster,
+ // which can't be selected by pods, namespaces and nodes peers, but note
+ // that cluster-internal traffic will be checked against the rule as
+ // well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
+ // or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
+ // add a rule that Passes all pod traffic before the Networks rule.
+ //
+ // Each item in Networks should be provided in the CIDR format and should be
+ // IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
+ //
+ // Networks can have upto 25 CIDRs specified.
+ //
+ // Support: Extended
+ //
+ //
+ // +optional
+ // +listType=set
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=25
+ Networks []CIDR `json:"networks,omitempty"`
+}
+
+// CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
+// This string must be validated by implementations using net.ParseCIDR
+// TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available.
+// +kubebuilder:validation:XValidation:rule="self.contains(':') != self.contains('.')",message="CIDR must be either an IPv4 or IPv6 address. IPv4 address embedded in IPv6 addresses are not supported"
+// +kubebuilder:validation:MaxLength=43
+type CIDR string
+
 const (
 // BaselineAdminNetworkPolicyRuleActionDeny enables admins to deny traffic.
 BaselineAdminNetworkPolicyRuleActionDeny BaselineAdminNetworkPolicyRuleAction = "Deny"
diff --git a/apis/v1alpha1/shared_types.go b/apis/v1alpha1/shared_types.go
index ac8bf905..3cdc6e7e 100644
--- a/apis/v1alpha1/shared_types.go
+++ b/apis/v1alpha1/shared_types.go
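Review bot: The Networks comment copied into BaselineAdminNetworkPolicyEgressPeer still advises "add a rule that Passes all pod traffic before the Networks rule", but BaselineAdminNetworkPolicyRuleAction is restricted to Allow and Deny by the Enum marker on the first context line of this hunk, so a BANP author cannot follow that advice and a Networks rule for `0.0.0.0/0` will catch pod-to-pod traffic with no documented way out. The sentence should describe what this type actually offers, for example replacing `// add a rule that Passes all pod traffic before the Networks rule.` with `// add an earlier rule that selects pod traffic explicitly (via Namespaces or` and `// Pods peers) with the action you intend, so it matches before the Networks rule.` Whether earlier rules take precedence is inferred from the existing "before the Networks rule" wording and should be confirmed against the rule-ordering semantics defined elsewhere in the package.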
@@ -143,64 +143,3 @@ type AdminNetworkPolicyIngressPeer struct {
 // +optional
 Pods *NamespacedPod `json:"pods,omitempty"`
 }
-
-// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
-// Exactly one of the selector pointers must be set for a given peer. If a
-// consumer observes none of its fields are set, they must assume an unknown
-// option has been specified and fail closed.
-// +kubebuilder:validation:MaxProperties=1
-// +kubebuilder:validation:MinProperties=1
-type AdminNetworkPolicyEgressPeer struct {
- // Namespaces defines a way to select all pods within a set of Namespaces.
- // Note that host-networked pods are not included in this type of peer.
- //
- // Support: Core
- //
- // +optional
- Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
- // Pods defines a way to select a set of pods in
- // a set of namespaces. Note that host-networked pods
- // are not included in this type of peer.
- //
- // Support: Core
- //
- // +optional
- Pods *NamespacedPod `json:"pods,omitempty"`
- // Nodes defines a way to select a set of nodes in
- // the cluster. This field follows standard label selector
- // semantics; if present but empty, it selects all Nodes.
- //
- // Support: Extended
- //
- //
- // +optional
- Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
- // Networks defines a way to select peers via CIDR blocks.
- // This is intended for representing entities that live outside the cluster,
- // which can't be selected by pods, namespaces and nodes peers, but note
- // that cluster-internal traffic will be checked against the rule as
- // well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
- // or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
- // add a rule that Passes all pod traffic before the Networks rule.
- //
- // Each item in Networks should be provided in the CIDR format and should be
- // IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
- //
- // Networks can have upto 25 CIDRs specified.
- //
- // Support: Extended
- //
- //
- // +optional
- // +listType=set
- // +kubebuilder:validation:MinItems=1
- // +kubebuilder:validation:MaxItems=25
- Networks []CIDR `json:"networks,omitempty"`
-}
-
-// CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
-// This string must be validated by implementations using net.ParseCIDR
-// TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available.
-// +kubebuilder:validation:XValidation:rule="self.contains(':') != self.contains('.')",message="CIDR must be either an IPv4 or IPv6 address. IPv4 address embedded in IPv6 addresses are not supported"
-// +kubebuilder:validation:MaxLength=43
-type CIDR string
diff --git a/npeps/npep-133-fqdn-egress-selector.md b/npeps/npep-133-fqdn-egress-selector.md
index 44a53e9d..62e7df7d 100644
--- a/npeps/npep-133-fqdn-egress-selector.md
+++ b/npeps/npep-133-fqdn-egress-selector.md
@@ -2,7 +2,7 @@
 * Issue: [#133](https://github.com/kubernetes-sigs/network-policy-api/issues/133)
-* Status: Provisional
+* Status: Implementable
 ## TLDR