From 4d8f8ea7a93b0468e3a9defd24ec96012249d5b4 Mon Sep 17 00:00:00 2001 From: Rahul Joshi Date: Tue, 4 Jun 2024 15:59:10 -0700 Subject: [PATCH] Add DomainName field to AdminNetworkPolicyEgressPeer --- apis/v1alpha1/adminnetworkpolicy_types.go | 94 +++++++++++++++++++ .../baselineadminnetworkpolicy_types.go | 58 +++++++++++- apis/v1alpha1/shared_types.go | 54 ----------- apis/v1alpha1/zz_generated.deepcopy.go | 42 ++++++++- ...etworking.k8s.io_adminnetworkpolicies.yaml | 47 ++++++++++ ...g.k8s.io_baselineadminnetworkpolicies.yaml | 4 +- ...g.k8s.io_baselineadminnetworkpolicies.yaml | 4 +- ...in-network-policy-extended-egress-rules.go | 2 +- npeps/npep-133-fqdn-egress-selector.md | 2 +- .../v1alpha1/adminnetworkpolicyegresspeer.go | 19 +++- .../baselineadminnetworkpolicyegresspeer.go | 73 ++++++++++++++ .../baselineadminnetworkpolicyegressrule.go | 10 +- pkg/client/applyconfiguration/utils.go | 2 + 13 files changed, 339 insertions(+), 72 deletions(-) create mode 100644 pkg/client/applyconfiguration/apis/v1alpha1/baselineadminnetworkpolicyegresspeer.go diff --git a/apis/v1alpha1/adminnetworkpolicy_types.go b/apis/v1alpha1/adminnetworkpolicy_types.go index 6e903d67..24ad5e6c 100644 --- a/apis/v1alpha1/adminnetworkpolicy_types.go +++ b/apis/v1alpha1/adminnetworkpolicy_types.go 
@@ -219,6 +219,100 @@ type AdminNetworkPolicyEgressRule struct { // +kubebuilder:validation:Enum={"Allow", "Deny", "Pass"} type AdminNetworkPolicyRuleAction string +// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. +// Exactly one of the selector pointers must be set for a given peer. If a +// consumer observes none of its fields are set, they must assume an unknown +// option has been specified and fail closed. +// +kubebuilder:validation:MaxProperties=1 +// +kubebuilder:validation:MinProperties=1 +type AdminNetworkPolicyEgressPeer struct { + // Namespaces defines a way to select all pods within a set of Namespaces. + // Note that host-networked pods are not included in this type of peer. + // + // Support: Core + // + // +optional + Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"` + // Pods defines a way to select a set of pods in + // a set of namespaces. Note that host-networked pods + // are not included in this type of peer. + // + // Support: Core + // + // +optional + Pods *NamespacedPod `json:"pods,omitempty"` + // Nodes defines a way to select a set of nodes in + // the cluster. This field follows standard label selector + // semantics; if present but empty, it selects all Nodes. + // + // Support: Extended + // + // + // +optional + Nodes *metav1.LabelSelector `json:"nodes,omitempty"` + // Networks defines a way to select peers via CIDR blocks. + // This is intended for representing entities that live outside the cluster, + // which can't be selected by pods, namespaces and nodes peers, but note + // that cluster-internal traffic will be checked against the rule as + // well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow + // or deny all IPv4 pod-to-pod traffic as well. If you don't want that, + // add a rule that Passes all pod traffic before the Networks rule. + // + // Each item in Networks should be provided in the CIDR format and should be + // IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". 
+ // + // Networks can have upto 25 CIDRs specified. + // + // Support: Extended + // + // + // +optional + // +listType=set + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=25 + Networks []CIDR `json:"networks,omitempty"` + + // DomainNames provides a way to specify domain names as peers. + // + // DomainNames is only supported for ALLOW rules. In order to control + // access, DomainNames ALLOW rules should be used with a lower priority + // egress deny -- this allows the admin to maintain an explicit "allowlist" + // of reachable domains. + // + // DomainNames can have up to 25 domain names specified in one rule. + // + // Support: Extended + // + // + // +optional + // +listType=set + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=25 + DomainNames []DomainName `json:"domainNames,omitempty"` +} + +// DomainName describes one or more domain names to be used as a peer. +// +// DomainName can be an exact match, or use the wildcard specifier '*' to match +// one or more labels. +// +// '*', the wildcard specifier, matches one or more entire labels. It does not +// support partial matches. '*' may only be specified as a prefix. +// +// Examples: +// - `kubernetes.io` matches only `kubernetes.io`. +// It does not match "www.kubernetes.io", "blog.kubernetes.io", +// "my-kubernetes.io", or "wikipedia.org". +// - `blog.kubernetes.io` matches only "blog.kubernetes.io". +// It does not match "www.kubernetes.io" or "kubernetes.io". +// - `*.kubernetes.io` matches subdomains of kubernetes.io. +// "www.kubernetes.io", "blog.kubernetes.io", and +// "latest.blog.kubernetes.io" match, however "kubernetes.io", and +// "wikipedia.org" do not. 
+// +// +kubebuilder:validation:Pattern=`^(\*\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.?$` +type DomainName string + const ( // AdminNetworkPolicyRuleActionAllow indicates that matching traffic will be // allowed regardless of NetworkPolicy and BaselineAdminNetworkPolicy diff --git a/apis/v1alpha1/baselineadminnetworkpolicy_types.go b/apis/v1alpha1/baselineadminnetworkpolicy_types.go index 120e2325..f89dac2c 100644 --- a/apis/v1alpha1/baselineadminnetworkpolicy_types.go +++ b/apis/v1alpha1/baselineadminnetworkpolicy_types.go @@ -167,7 +167,7 @@ type BaselineAdminNetworkPolicyEgressRule struct { Action BaselineAdminNetworkPolicyRuleAction `json:"action"` // To is the list of destinations whose traffic this rule applies to. - // If any AdminNetworkPolicyEgressPeer matches the destination of outgoing + // If any BaselineAdminNetworkPolicyEgressPeer matches the destination of outgoing // traffic then the specified action is applied. // This field must be defined and contain at least one item. // +kubebuilder:validation:MinItems=1 @@ -175,7 +175,7 @@ type BaselineAdminNetworkPolicyEgressRule struct { // // Support: Core // - To []AdminNetworkPolicyEgressPeer `json:"to"` + To []BaselineAdminNetworkPolicyEgressPeer `json:"to"` // Ports allows for matching traffic based on port and protocols. // This field is a list of destination ports for the outgoing egress traffic. 
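Review bot: The DomainName validation pattern at the end of this hunk uses the character range `A-z` in both first-label-character classes (`[a-zA-z0-9]`); in ASCII that range also spans `[`, `\`, `]`, `^`, `_` and the backtick, so a label beginning with one of those characters passes CRD validation even though the doc comment describes a plain DNS name. Both occurrences should read `[a-zA-Z0-9]`, and since the same pattern is emitted verbatim into the generated adminnetworkpolicies CRD yaml in this commit, the CRD needs regenerating after the fix. Separately, the DomainNames comment states it is only supported for Allow rules, but nothing in the hunk makes that checkable: a consumer that finds a DomainNames peer on a Deny or Pass rule has no documented behaviour. Consider adding to the comment a sentence such as `Implementations must reject (fail closed) a DomainNames peer on a rule whose action is not Allow.`, or enforcing it with an XValidation rule on the egress rule so the apiserver rejects it up front.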
@@ -194,6 +194,60 @@ type BaselineAdminNetworkPolicyEgressRule struct { // +kubebuilder:validation:Enum={"Allow", "Deny"} type BaselineAdminNetworkPolicyRuleAction string +// BaselineAdminNetworkPolicyEgressPeer defines a peer to allow traffic to. +// Exactly one of the selector pointers must be set for a given peer. If a +// consumer observes none of its fields are set, they must assume an unknown +// option has been specified and fail closed. +// +kubebuilder:validation:MaxProperties=1 +// +kubebuilder:validation:MinProperties=1 +type BaselineAdminNetworkPolicyEgressPeer struct { + // Namespaces defines a way to select all pods within a set of Namespaces. + // Note that host-networked pods are not included in this type of peer. + // + // Support: Core + // + // +optional + Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"` + // Pods defines a way to select a set of pods in + // a set of namespaces. Note that host-networked pods + // are not included in this type of peer. + // + // Support: Core + // + // +optional + Pods *NamespacedPod `json:"pods,omitempty"` + // Nodes defines a way to select a set of nodes in + // the cluster. This field follows standard label selector + // semantics; if present but empty, it selects all Nodes. + // + // Support: Extended + // + // + // +optional + Nodes *metav1.LabelSelector `json:"nodes,omitempty"` + // Networks defines a way to select peers via CIDR blocks. + // This is intended for representing entities that live outside the cluster, + // which can't be selected by pods, namespaces and nodes peers, but note + // that cluster-internal traffic will be checked against the rule as + // well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow + // or deny all IPv4 pod-to-pod traffic as well. If you don't want that, + // add a rule that Passes all pod traffic before the Networks rule. 
+ // + // Each item in Networks should be provided in the CIDR format and should be + // IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". + // + // Networks can have upto 25 CIDRs specified. + // + // Support: Extended + // + // + // +optional + // +listType=set + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=25 + Networks []CIDR `json:"networks,omitempty"` +} + const ( // BaselineAdminNetworkPolicyRuleActionDeny enables admins to deny traffic. BaselineAdminNetworkPolicyRuleActionDeny BaselineAdminNetworkPolicyRuleAction = "Deny" diff --git a/apis/v1alpha1/shared_types.go b/apis/v1alpha1/shared_types.go index ac8bf905..9f231221 100644 --- a/apis/v1alpha1/shared_types.go +++ b/apis/v1alpha1/shared_types.go 
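Review bot: The Networks doc comment on the new BaselineAdminNetworkPolicyEgressPeer is copied from the ANP peer and still advises to `add a rule that Passes all pod traffic before the Networks rule`, but BaselineAdminNetworkPolicyRuleAction is restricted to Allow and Deny by the enum marker directly above the struct, so there is no Pass action a BANP author can use. That sentence should be rewritten for baseline semantics, for example `add an Allow rule selecting all pod traffic before the Networks rule`, and `upto` should be `up to`. The new type also deliberately omits DomainNames, which the hunk does not explain; a one-line comment on the struct such as `// DomainNames is intentionally not supported on baseline peers.` would stop readers from treating the omission as an oversight when diffing the two peer types.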
@@ -144,60 +144,6 @@ type AdminNetworkPolicyIngressPeer struct { Pods *NamespacedPod `json:"pods,omitempty"` } -// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. -// Exactly one of the selector pointers must be set for a given peer. If a -// consumer observes none of its fields are set, they must assume an unknown -// option has been specified and fail closed. -// +kubebuilder:validation:MaxProperties=1 -// +kubebuilder:validation:MinProperties=1 -type AdminNetworkPolicyEgressPeer struct { - // Namespaces defines a way to select all pods within a set of Namespaces. - // Note that host-networked pods are not included in this type of peer. - // - // Support: Core - // - // +optional - Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"` - // Pods defines a way to select a set of pods in - // a set of namespaces. Note that host-networked pods - // are not included in this type of peer. - // - // Support: Core - // - // +optional - Pods *NamespacedPod `json:"pods,omitempty"` - // Nodes defines a way to select a set of nodes in - // the cluster. This field follows standard label selector - // semantics; if present but empty, it selects all Nodes. - // - // Support: Extended - // - // - // +optional - Nodes *metav1.LabelSelector `json:"nodes,omitempty"` - // Networks defines a way to select peers via CIDR blocks. - // This is intended for representing entities that live outside the cluster, - // which can't be selected by pods, namespaces and nodes peers, but note - // that cluster-internal traffic will be checked against the rule as - // well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow - // or deny all IPv4 pod-to-pod traffic as well. If you don't want that, - // add a rule that Passes all pod traffic before the Networks rule. - // - // Each item in Networks should be provided in the CIDR format and should be - // IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - // - // Networks can have upto 25 CIDRs specified. 
- // - // Support: Extended - // - // - // +optional - // +listType=set - // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=25 - Networks []CIDR `json:"networks,omitempty"` -} - // CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). // This string must be validated by implementations using net.ParseCIDR // TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available. diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go index d279c1ff..cd59b188 100644 --- a/apis/v1alpha1/zz_generated.deepcopy.go +++ b/apis/v1alpha1/zz_generated.deepcopy.go @@ -75,6 +75,11 @@ func (in *AdminNetworkPolicyEgressPeer) DeepCopyInto(out *AdminNetworkPolicyEgre *out = make([]CIDR, len(*in)) copy(*out, *in) } + if in.DomainNames != nil { + in, out := &in.DomainNames, &out.DomainNames + *out = make([]DomainName, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdminNetworkPolicyEgressPeer. 
@@ -344,12 +349,47 @@ func (in *BaselineAdminNetworkPolicy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BaselineAdminNetworkPolicyEgressPeer) DeepCopyInto(out *BaselineAdminNetworkPolicyEgressPeer) { + *out = *in + if in.Namespaces != nil { + in, out := &in.Namespaces, &out.Namespaces + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.Pods != nil { + in, out := &in.Pods, &out.Pods + *out = new(NamespacedPod) + (*in).DeepCopyInto(*out) + } + if in.Nodes != nil { + in, out := &in.Nodes, &out.Nodes + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.Networks != nil { + in, out := &in.Networks, &out.Networks + *out = make([]CIDR, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaselineAdminNetworkPolicyEgressPeer. +func (in *BaselineAdminNetworkPolicyEgressPeer) DeepCopy() *BaselineAdminNetworkPolicyEgressPeer { + if in == nil { + return nil + } + out := new(BaselineAdminNetworkPolicyEgressPeer) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BaselineAdminNetworkPolicyEgressRule) DeepCopyInto(out *BaselineAdminNetworkPolicyEgressRule) { *out = *in if in.To != nil { in, out := &in.To, &out.To - *out = make([]AdminNetworkPolicyEgressPeer, len(*in)) + *out = make([]BaselineAdminNetworkPolicyEgressPeer, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } diff --git a/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml b/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml index cd511c84..b774d89d 100644 --- a/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml 
+++ b/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml @@ -219,6 +219,53 @@ spec: maxProperties: 1 minProperties: 1 properties: + domainNames: + description: |- + DomainNames provides a way to specify domain names as peers. + + + DomainNames is only supported for ALLOW rules. In order to control + access, DomainNames ALLOW rules should be used with a lower priority + egress deny -- this allows the admin to maintain an explicit "allowlist" + of reachable domains. + + + DomainNames can have up to 25 domain names specified in one rule. + + + Support: Extended + + + + items: + description: |- + DomainName describes one or more domain names to be used as a peer. + + + DomainName can be an exact match, or use the wildcard specifier '*' to match + one or more labels. + + + '*', the wildcard specifier, matches one or more entire labels. It does not + support partial matches. '*' may only be specified as a prefix. + + + Examples: + - `kubernetes.io` matches only `kubernetes.io`. + It does not match "www.kubernetes.io", "blog.kubernetes.io", + "my-kubernetes.io", or "wikipedia.org". + - `blog.kubernetes.io` matches only "blog.kubernetes.io". + It does not match "www.kubernetes.io" or "kubernetes.io". + - `*.kubernetes.io` matches subdomains of kubernetes.io. + "www.kubernetes.io", "blog.kubernetes.io", and + "latest.blog.kubernetes.io" match, however "kubernetes.io", and + "wikipedia.org" do not. + pattern: ^(\*\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.?$ + type: string + maxItems: 25 + minItems: 1 + type: array + x-kubernetes-list-type: set namespaces: description: |- Namespaces defines a way to select all pods within a set of Namespaces. diff --git a/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml b/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml index 587e27ac..93dcdb3e 100644 
--- a/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml +++ b/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml @@ -194,7 +194,7 @@ spec: to: description: |- To is the list of destinations whose traffic this rule applies to. - If any AdminNetworkPolicyEgressPeer matches the destination of outgoing + If any BaselineAdminNetworkPolicyEgressPeer matches the destination of outgoing traffic then the specified action is applied. This field must be defined and contain at least one item. @@ -202,7 +202,7 @@ spec: Support: Core items: description: |- - AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. + BaselineAdminNetworkPolicyEgressPeer defines a peer to allow traffic to. Exactly one of the selector pointers must be set for a given peer. If a consumer observes none of its fields are set, they must assume an unknown option has been specified and fail closed. diff --git a/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml b/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml index 6d62098d..472b5865 100644 --- a/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml +++ b/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml @@ -184,7 +184,7 @@ spec: to: description: |- To is the list of destinations whose traffic this rule applies to. - If any AdminNetworkPolicyEgressPeer matches the destination of outgoing + If any BaselineAdminNetworkPolicyEgressPeer matches the destination of outgoing traffic then the specified action is applied. This field must be defined and contain at least one item. 
@@ -192,7 +192,7 @@ spec: Support: Core items: description: |- - AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. + BaselineAdminNetworkPolicyEgressPeer defines a peer to allow traffic to. Exactly one of the selector pointers must be set for a given peer. If a consumer observes none of its fields are set, they must assume an unknown option has been specified and fail closed. diff --git a/conformance/tests/baseline-admin-network-policy-extended-egress-rules.go b/conformance/tests/baseline-admin-network-policy-extended-egress-rules.go index 857ee060..648c19b9 100644 --- a/conformance/tests/baseline-admin-network-policy-extended-egress-rules.go +++ b/conformance/tests/baseline-admin-network-policy-extended-egress-rules.go @@ -222,7 +222,7 @@ var BaselineAdminNetworkPolicyEgressInlineCIDRPeers = suite.ConformanceTest{ { Name: "allow-egress-to-specific-podIPs", Action: "Allow", - To: []v1alpha1.AdminNetworkPolicyEgressPeer{ + To: []v1alpha1.BaselineAdminNetworkPolicyEgressPeer{ { Networks: []v1alpha1.CIDR{ v1alpha1.CIDR(serverPodRavenclaw.Status.PodIP + mask), diff --git a/npeps/npep-133-fqdn-egress-selector.md b/npeps/npep-133-fqdn-egress-selector.md index 44a53e9d..62e7df7d 100644 --- a/npeps/npep-133-fqdn-egress-selector.md +++ b/npeps/npep-133-fqdn-egress-selector.md @@ -2,7 +2,7 @@ * Issue: [#133](https://github.com/kubernetes-sigs/network-policy-api/issues/133) -* Status: Provisional +* Status: Implementable ## TLDR diff --git a/pkg/client/applyconfiguration/apis/v1alpha1/adminnetworkpolicyegresspeer.go b/pkg/client/applyconfiguration/apis/v1alpha1/adminnetworkpolicyegresspeer.go index ed4d5e14..badfe045 100644 --- a/pkg/client/applyconfiguration/apis/v1alpha1/adminnetworkpolicyegresspeer.go +++ b/pkg/client/applyconfiguration/apis/v1alpha1/adminnetworkpolicyegresspeer.go 
@@ -26,10 +26,11 @@ import ( // AdminNetworkPolicyEgressPeerApplyConfiguration represents an declarative configuration of the AdminNetworkPolicyEgressPeer type for use // with apply. type AdminNetworkPolicyEgressPeerApplyConfiguration struct { - Namespaces *v1.LabelSelector `json:"namespaces,omitempty"` - Pods *NamespacedPodApplyConfiguration `json:"pods,omitempty"` - Nodes *v1.LabelSelector `json:"nodes,omitempty"` - Networks []apisv1alpha1.CIDR `json:"networks,omitempty"` + Namespaces *v1.LabelSelector `json:"namespaces,omitempty"` + Pods *NamespacedPodApplyConfiguration `json:"pods,omitempty"` + Nodes *v1.LabelSelector `json:"nodes,omitempty"` + Networks []apisv1alpha1.CIDR `json:"networks,omitempty"` + DomainNames []apisv1alpha1.DomainName `json:"domainNames,omitempty"` } // AdminNetworkPolicyEgressPeerApplyConfiguration constructs an declarative configuration of the AdminNetworkPolicyEgressPeer type for use with @@ -71,3 +72,13 @@ func (b *AdminNetworkPolicyEgressPeerApplyConfiguration) WithNetworks(values ... } return b } + +// WithDomainNames adds the given value to the DomainNames field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the DomainNames field. +func (b *AdminNetworkPolicyEgressPeerApplyConfiguration) WithDomainNames(values ...apisv1alpha1.DomainName) *AdminNetworkPolicyEgressPeerApplyConfiguration { + for i := range values { + b.DomainNames = append(b.DomainNames, values[i]) + } + return b +} diff --git a/pkg/client/applyconfiguration/apis/v1alpha1/baselineadminnetworkpolicyegresspeer.go b/pkg/client/applyconfiguration/apis/v1alpha1/baselineadminnetworkpolicyegresspeer.go new file mode 100644 index 00000000..0dd962d0 --- /dev/null +++ b/pkg/client/applyconfiguration/apis/v1alpha1/baselineadminnetworkpolicyegresspeer.go 
@@ -0,0 +1,73 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + apisv1alpha1 "sigs.k8s.io/network-policy-api/apis/v1alpha1" +) + +// BaselineAdminNetworkPolicyEgressPeerApplyConfiguration represents an declarative configuration of the BaselineAdminNetworkPolicyEgressPeer type for use +// with apply. +type BaselineAdminNetworkPolicyEgressPeerApplyConfiguration struct { + Namespaces *v1.LabelSelector `json:"namespaces,omitempty"` + Pods *NamespacedPodApplyConfiguration `json:"pods,omitempty"` + Nodes *v1.LabelSelector `json:"nodes,omitempty"` + Networks []apisv1alpha1.CIDR `json:"networks,omitempty"` +} + +// BaselineAdminNetworkPolicyEgressPeerApplyConfiguration constructs an declarative configuration of the BaselineAdminNetworkPolicyEgressPeer type for use with +// apply. +func BaselineAdminNetworkPolicyEgressPeer() *BaselineAdminNetworkPolicyEgressPeerApplyConfiguration { + return &BaselineAdminNetworkPolicyEgressPeerApplyConfiguration{} +} + +// WithNamespaces sets the Namespaces field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespaces field is set to the value of the last call. 
+func (b *BaselineAdminNetworkPolicyEgressPeerApplyConfiguration) WithNamespaces(value v1.LabelSelector) *BaselineAdminNetworkPolicyEgressPeerApplyConfiguration { + b.Namespaces = &value + return b +} + +// WithPods sets the Pods field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Pods field is set to the value of the last call. +func (b *BaselineAdminNetworkPolicyEgressPeerApplyConfiguration) WithPods(value *NamespacedPodApplyConfiguration) *BaselineAdminNetworkPolicyEgressPeerApplyConfiguration { + b.Pods = value + return b +} + +// WithNodes sets the Nodes field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Nodes field is set to the value of the last call. +func (b *BaselineAdminNetworkPolicyEgressPeerApplyConfiguration) WithNodes(value v1.LabelSelector) *BaselineAdminNetworkPolicyEgressPeerApplyConfiguration { + b.Nodes = &value + return b +} + +// WithNetworks adds the given value to the Networks field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Networks field. +func (b *BaselineAdminNetworkPolicyEgressPeerApplyConfiguration) WithNetworks(values ...apisv1alpha1.CIDR) *BaselineAdminNetworkPolicyEgressPeerApplyConfiguration { + for i := range values { + b.Networks = append(b.Networks, values[i]) + } + return b +} diff --git a/pkg/client/applyconfiguration/apis/v1alpha1/baselineadminnetworkpolicyegressrule.go b/pkg/client/applyconfiguration/apis/v1alpha1/baselineadminnetworkpolicyegressrule.go index cb5d0d83..137d56eb 100644 --- a/pkg/client/applyconfiguration/apis/v1alpha1/baselineadminnetworkpolicyegressrule.go 
+++ b/pkg/client/applyconfiguration/apis/v1alpha1/baselineadminnetworkpolicyegressrule.go @@ -25,10 +25,10 @@ import ( // BaselineAdminNetworkPolicyEgressRuleApplyConfiguration represents an declarative configuration of the BaselineAdminNetworkPolicyEgressRule type for use // with apply. type BaselineAdminNetworkPolicyEgressRuleApplyConfiguration struct { - Name *string `json:"name,omitempty"` - Action *v1alpha1.BaselineAdminNetworkPolicyRuleAction `json:"action,omitempty"` - To []AdminNetworkPolicyEgressPeerApplyConfiguration `json:"to,omitempty"` - Ports *[]AdminNetworkPolicyPortApplyConfiguration `json:"ports,omitempty"` + Name *string `json:"name,omitempty"` + Action *v1alpha1.BaselineAdminNetworkPolicyRuleAction `json:"action,omitempty"` + To []BaselineAdminNetworkPolicyEgressPeerApplyConfiguration `json:"to,omitempty"` + Ports *[]AdminNetworkPolicyPortApplyConfiguration `json:"ports,omitempty"` } // BaselineAdminNetworkPolicyEgressRuleApplyConfiguration constructs an declarative configuration of the BaselineAdminNetworkPolicyEgressRule type for use with @@ -56,7 +56,7 @@ func (b *BaselineAdminNetworkPolicyEgressRuleApplyConfiguration) WithAction(valu // WithTo adds the given value to the To field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the To field. -func (b *BaselineAdminNetworkPolicyEgressRuleApplyConfiguration) WithTo(values ...*AdminNetworkPolicyEgressPeerApplyConfiguration) *BaselineAdminNetworkPolicyEgressRuleApplyConfiguration { +func (b *BaselineAdminNetworkPolicyEgressRuleApplyConfiguration) WithTo(values ...*BaselineAdminNetworkPolicyEgressPeerApplyConfiguration) *BaselineAdminNetworkPolicyEgressRuleApplyConfiguration { for i := range values { if values[i] == nil { panic("nil value passed to WithTo") 
diff --git a/pkg/client/applyconfiguration/utils.go b/pkg/client/applyconfiguration/utils.go index 7e40bc1f..ca4e22e8 100644 --- a/pkg/client/applyconfiguration/utils.go +++ b/pkg/client/applyconfiguration/utils.go @@ -49,6 +49,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &apisv1alpha1.AdminNetworkPolicySubjectApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("BaselineAdminNetworkPolicy"): return &apisv1alpha1.BaselineAdminNetworkPolicyApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("BaselineAdminNetworkPolicyEgressPeer"): + return &apisv1alpha1.BaselineAdminNetworkPolicyEgressPeerApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("BaselineAdminNetworkPolicyEgressRule"): return &apisv1alpha1.BaselineAdminNetworkPolicyEgressRuleApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("BaselineAdminNetworkPolicyIngressRule"):