diff --git a/apis/v1alpha1/shared_types.go b/apis/v1alpha1/shared_types.go index ba37b92c..1684e6ff 100644 --- a/apis/v1alpha1/shared_types.go +++ b/apis/v1alpha1/shared_types.go @@ -175,6 +175,26 @@ type AdminNetworkPolicyEgressPeer struct { // // +optional Nodes *metav1.LabelSelector `json:"nodes,omitempty"` + // Networks defines a way to select peers via CIDR blocks. + // This is intended for representing entities that live outside the cluster, + // which can't be selected by pods, namespaces and nodes peers, but note + // that cluster-internal traffic will be checked against the rule as + // well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow + // or deny all IPv4 pod-to-pod traffic as well. If you don't want that, + // add a rule that Passes all pod traffic before the Networks rule. + // + // Each item in Networks should be provided in the CIDR format and should be + // IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". + // + // Networks can have upto 25 CIDRs specified. + // + // Support: Extended + // + // + // +optional + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=25 + Networks []CIDR `json:"networks,omitempty"` } // NamespacedPeer defines a flexible way to select Namespaces in a cluster. @@ -237,3 +257,13 @@ type NamespacedPodPeer struct { // PodSelector metav1.LabelSelector `json:"podSelector"` } + +// CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). +// The regex for the IPv4 and IPv6 CIDR range was taken from +// https://blog.markhatton.co.uk/2011/03/15/regular-expressions-for-ip-addresses-cidr-ranges-and-hostnames/ +// The resulting regex is an OR of both regexes. IPv4 address embedded in IPv6 addresses are not supported. +// TODO: Change the CIDR's validation regex to use CEL isCIDR() in Kube 1.31 when it is available. +// +kubebuilder:validation:Pattern=`(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$)` +// +kubebuilder:validation:XValidation:rule="self.contains(':') != self.contains('.')",message="CIDR must be either an IPv4 or IPv6 address. IPv4 address embedded in IPv6 addresses are not supported" +// +kubebuilder:validation:MaxLength=43 +type CIDR string diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go index 5518baca..82b1b61d 100644 --- a/apis/v1alpha1/zz_generated.deepcopy.go +++ b/apis/v1alpha1/zz_generated.deepcopy.go @@ -70,6 +70,11 @@ func (in *AdminNetworkPolicyEgressPeer) DeepCopyInto(out *AdminNetworkPolicyEgre *out = new(v1.LabelSelector) (*in).DeepCopyInto(*out) } + if in.Networks != nil { + in, out := &in.Networks, &out.Networks + *out = make([]CIDR, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdminNetworkPolicyEgressPeer. diff --git a/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml b/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml index c1900148..0d583e55 100644 --- a/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml +++ b/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml @@ -310,6 +310,46 @@ spec: maxItems: 100 type: array type: object + networks: + description: |- + Networks defines a way to select peers via CIDR blocks. + This is intended for representing entities that live outside the cluster, + which can't be selected by pods, namespaces and nodes peers, but note + that cluster-internal traffic will be checked against the rule as + well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow + or deny all IPv4 pod-to-pod traffic as well. If you don't want that, + add a rule that Passes all pod traffic before the Networks rule. + + + Each item in Networks should be provided in the CIDR format and should be + IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". + + + Networks can have upto 25 CIDRs specified. + + + Support: Extended + + + + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). + The regex for the IPv4 and IPv6 CIDR range was taken from + https://blog.markhatton.co.uk/2011/03/15/regular-expressions-for-ip-addresses-cidr-ranges-and-hostnames/ + The resulting regex is an OR of both regexes. IPv4 address embedded in IPv6 addresses are not supported. + TODO: Change the CIDR's validation regex to use CEL isCIDR() in Kube 1.31 when it is available. + maxLength: 43 + pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + x-kubernetes-validations: + - message: CIDR must be either an IPv4 or IPv6 address. + IPv4 address embedded in IPv6 addresses are not + supported + rule: self.contains(':') != self.contains('.') + maxItems: 25 + minItems: 1 + type: array nodes: description: |- Nodes defines a way to select a set of nodes in diff --git a/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml b/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml index 6ebb436e..5befa344 100644 --- a/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml +++ b/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml @@ -301,6 +301,46 @@ spec: maxItems: 100 type: array type: object + networks: + description: |- + Networks defines a way to select peers via CIDR blocks. + This is intended for representing entities that live outside the cluster, + which can't be selected by pods, namespaces and nodes peers, but note + that cluster-internal traffic will be checked against the rule as + well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow + or deny all IPv4 pod-to-pod traffic as well. If you don't want that, + add a rule that Passes all pod traffic before the Networks rule. + + + Each item in Networks should be provided in the CIDR format and should be + IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". + + + Networks can have upto 25 CIDRs specified. + + + Support: Extended + + + + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). + The regex for the IPv4 and IPv6 CIDR range was taken from + https://blog.markhatton.co.uk/2011/03/15/regular-expressions-for-ip-addresses-cidr-ranges-and-hostnames/ + The resulting regex is an OR of both regexes. IPv4 address embedded in IPv6 addresses are not supported. + TODO: Change the CIDR's validation regex to use CEL isCIDR() in Kube 1.31 when it is available. + maxLength: 43 + pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + x-kubernetes-validations: + - message: CIDR must be either an IPv4 or IPv6 address. + IPv4 address embedded in IPv6 addresses are not + supported + rule: self.contains(':') != self.contains('.') + maxItems: 25 + minItems: 1 + type: array nodes: description: |- Nodes defines a way to select a set of nodes in diff --git a/mkdocs.yml b/mkdocs.yml index 6008b385..82fe9f8f 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -65,11 +65,11 @@ nav: - Provisional: - npeps/npep-122.md - npeps/npep-133.md - - Implementable: - - npeps/npep-137-conformance-profiles.md + # - Implementable: + - Experimental: - npeps/npep-126-egress-traffic-control.md - # - Experimental: - # - Standard: + - Standard: + - npeps/npep-137-conformance-profiles.md # - Declined: - Blog: - blog/index.md diff --git a/npeps/npep-126-egress-traffic-control.md b/npeps/npep-126-egress-traffic-control.md index 199f5358..c6a3b659 100644 --- a/npeps/npep-126-egress-traffic-control.md +++ b/npeps/npep-126-egress-traffic-control.md @@ -1,7 +1,7 @@ # NPEP-126: Add northbound traffic support in (B)ANP API * Issue: [#126](https://github.com/kubernetes-sigs/network-policy-api/issues/126) -* Status: Implementable +* Status: Experimental ## TLDR diff --git a/npeps/npep-137-conformance-profiles.md b/npeps/npep-137-conformance-profiles.md index 76f1ad08..3b1f2676 100644 --- a/npeps/npep-137-conformance-profiles.md +++ b/npeps/npep-137-conformance-profiles.md @@ -1,7 +1,7 @@ # NPEP-137: Conformance Profiles * Issue: [#137](https://github.com/kubernetes-sigs/network-policy-api/issues/137) -* Status: Implementable +* Status: Standard ## TLDR diff --git a/site-src/npeps/npep-126-egress-traffic-control.md b/site-src/npeps/npep-126-egress-traffic-control.md index 199f5358..c6a3b659 100644 --- a/site-src/npeps/npep-126-egress-traffic-control.md +++ b/site-src/npeps/npep-126-egress-traffic-control.md @@ -1,7 +1,7 @@ # NPEP-126: Add northbound traffic support in (B)ANP API * Issue: [#126](https://github.com/kubernetes-sigs/network-policy-api/issues/126) -* Status: Implementable +* Status: Experimental ## TLDR diff --git a/site-src/npeps/npep-137-conformance-profiles.md b/site-src/npeps/npep-137-conformance-profiles.md index 76f1ad08..3b1f2676 100644 --- a/site-src/npeps/npep-137-conformance-profiles.md +++ b/site-src/npeps/npep-137-conformance-profiles.md @@ -1,7 +1,7 @@ # NPEP-137: Conformance Profiles * Issue: [#137](https://github.com/kubernetes-sigs/network-policy-api/issues/137) -* Status: Implementable +* Status: Standard ## TLDR