Add feature gate

Signed-off-by: Dyanngg <[email protected]>

build/charts/antrea/conf/antrea-controller.conf

@@ -11,7 +11,7 @@ featureGates:
 
 # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
 # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
-# feature that supports priorities, rule actions and externalEntities in the future.
+# feature that supports priorities, externalEntities, fqdn rules and more.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaPolicy" "default" true) }}
 
 # Enable collecting and exposing NetworkPolicy statistics.
@@ -50,6 +50,10 @@ featureGates:
 # into account application context.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "L7NetworkPolicy" "default" false) }}
 
+# Enable the use of Network Policy APIs (https://network-policy-api.sigs.k8s.io/api-overview) which helps administrators
+# set security postures for their cluster.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AdminNetworkPolicy" "default" false) }}
+
 # The port for the antrea-controller APIServer to serve on.
 # Note that if it's set to another value, the `containerPort` of the `api` port of the
 # `antrea-controller` container must be set to the same value.

build/yamls/antrea-aks.yml

@@ -3359,7 +3359,7 @@ data:
 
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
-    # feature that supports priorities, rule actions and externalEntities in the future.
+    # feature that supports priorities, externalEntities, fqdn rules and more.
     #  AntreaPolicy: true
 
     # Enable collecting and exposing NetworkPolicy statistics.
@@ -3398,6 +3398,10 @@ data:
     # into account application context.
     #  L7NetworkPolicy: false
 
+    # Enable the use of Network Policy APIs (https://network-policy-api.sigs.k8s.io/api-overview) which helps administrators
+    # set security postures for their cluster.
+    #  AdminNetworkPolicy: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -4389,7 +4393,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 994e75167f0126a535cea63fc65a5ab86361648a20bcacb06d3c588f06f6e5f6
+        checksum/config: af7fdb4a62e9ac35d32355615444ebc773d4206455a53e7b690805db233f39a7
       labels:
         app: antrea
         component: antrea-agent
@@ -4630,7 +4634,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 994e75167f0126a535cea63fc65a5ab86361648a20bcacb06d3c588f06f6e5f6
+        checksum/config: af7fdb4a62e9ac35d32355615444ebc773d4206455a53e7b690805db233f39a7
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -3359,7 +3359,7 @@ data:
 
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
-    # feature that supports priorities, rule actions and externalEntities in the future.
+    # feature that supports priorities, externalEntities, fqdn rules and more.
     #  AntreaPolicy: true
 
     # Enable collecting and exposing NetworkPolicy statistics.
@@ -3398,6 +3398,10 @@ data:
     # into account application context.
     #  L7NetworkPolicy: false
 
+    # Enable the use of Network Policy APIs (https://network-policy-api.sigs.k8s.io/api-overview) which helps administrators
+    # set security postures for their cluster.
+    #  AdminNetworkPolicy: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -4389,7 +4393,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 994e75167f0126a535cea63fc65a5ab86361648a20bcacb06d3c588f06f6e5f6
+        checksum/config: af7fdb4a62e9ac35d32355615444ebc773d4206455a53e7b690805db233f39a7
       labels:
         app: antrea
         component: antrea-agent
@@ -4631,7 +4635,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 994e75167f0126a535cea63fc65a5ab86361648a20bcacb06d3c588f06f6e5f6
+        checksum/config: af7fdb4a62e9ac35d32355615444ebc773d4206455a53e7b690805db233f39a7
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -3359,7 +3359,7 @@ data:
 
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
-    # feature that supports priorities, rule actions and externalEntities in the future.
+    # feature that supports priorities, externalEntities, fqdn rules and more.
     #  AntreaPolicy: true
 
     # Enable collecting and exposing NetworkPolicy statistics.
@@ -3398,6 +3398,10 @@ data:
     # into account application context.
     #  L7NetworkPolicy: false
 
+    # Enable the use of Network Policy APIs (https://network-policy-api.sigs.k8s.io/api-overview) which helps administrators
+    # set security postures for their cluster.
+    #  AdminNetworkPolicy: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -4389,7 +4393,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 04761c3e699fa0f59516b557f366049b0f1acf2f390d94e6753ee017cdffcfd9
+        checksum/config: 2f617b626f79fc9a917e893e95cc6c0cab9d82ae7873e916965ed7895a649e2c
       labels:
         app: antrea
         component: antrea-agent
@@ -4628,7 +4632,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 04761c3e699fa0f59516b557f366049b0f1acf2f390d94e6753ee017cdffcfd9
+        checksum/config: 2f617b626f79fc9a917e893e95cc6c0cab9d82ae7873e916965ed7895a649e2c
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -3372,7 +3372,7 @@ data:
 
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
-    # feature that supports priorities, rule actions and externalEntities in the future.
+    # feature that supports priorities, externalEntities, fqdn rules and more.
     #  AntreaPolicy: true
 
     # Enable collecting and exposing NetworkPolicy statistics.
@@ -3411,6 +3411,10 @@ data:
     # into account application context.
     #  L7NetworkPolicy: false
 
+    # Enable the use of Network Policy APIs (https://network-policy-api.sigs.k8s.io/api-overview) which helps administrators
+    # set security postures for their cluster.
+    #  AdminNetworkPolicy: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -4402,7 +4406,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 6b902d5d6e9a2c0e2fde41aedf349eeee38d4530330381b01849815211ad1dd8
+        checksum/config: 56f97fb4b56bbc916eb68a030a98179fd5b3f50bfd1c03c3e05775a8b5bde42f
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -4687,7 +4691,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 6b902d5d6e9a2c0e2fde41aedf349eeee38d4530330381b01849815211ad1dd8
+        checksum/config: 56f97fb4b56bbc916eb68a030a98179fd5b3f50bfd1c03c3e05775a8b5bde42f
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea.yml

@@ -3359,7 +3359,7 @@ data:
 
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
-    # feature that supports priorities, rule actions and externalEntities in the future.
+    # feature that supports priorities, externalEntities, fqdn rules and more.
     #  AntreaPolicy: true
 
     # Enable collecting and exposing NetworkPolicy statistics.
@@ -3398,6 +3398,10 @@ data:
     # into account application context.
     #  L7NetworkPolicy: false
 
+    # Enable the use of Network Policy APIs (https://network-policy-api.sigs.k8s.io/api-overview) which helps administrators
+    # set security postures for their cluster.
+    #  AdminNetworkPolicy: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -4389,7 +4393,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 1bc87d7d5b568beb91ad2b29510cb5cff3613c68e51fb82abdf545046767f679
+        checksum/config: f303e1eca98c25a28a6fc86ec608b49349b7e2eaf5a7fef7a4aa5af00d38e3d4
       labels:
         app: antrea
         component: antrea-agent
@@ -4628,7 +4632,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 1bc87d7d5b568beb91ad2b29510cb5cff3613c68e51fb82abdf545046767f679
+        checksum/config: f303e1eca98c25a28a6fc86ec608b49349b7e2eaf5a7fef7a4aa5af00d38e3d4
       labels:
         app: antrea
         component: antrea-controller

cmd/antrea-controller/controller.go

@@ -327,7 +327,9 @@ func run(o *Options) error {
 
 	informerFactory.Start(stopCh)
 	crdInformerFactory.Start(stopCh)
-	policyInformerFactory.Start(stopCh)
+	if features.DefaultFeatureGate.Enabled(features.AdminNetworkPolicy) {
+		policyInformerFactory.Start(stopCh)
+	}
 
 	go clusterIdentityAllocator.Run(stopCh)
 

docs/feature-gates.md

@@ -53,7 +53,7 @@ edit the Agent configuration in the
 | `ExternalNode`            | Agent              | `false` | Alpha | v1.8          | N/A          | N/A        | Yes                |       |
 | `SupportBundleCollection` | Agent + Controller | `false` | Alpha | v1.10         | N/A          | N/A        | Yes                |       |
 | `L7NetworkPolicy`         | Agent + Controller | `false` | Alpha | v1.10         | N/A          | N/A        | Yes                |       |
-| `AdminNetworkPolicy`      | Agent + Controller | `false` | Alpha | v1.13         | N/A          | N/A        | Yes                |       |
+| `AdminNetworkPolicy`      | Controller         | `false` | Alpha | v1.13         | N/A          | N/A        | Yes                |       |
 
 ## Description and Requirements of Features
 
@@ -368,8 +368,7 @@ transport protocol, and port. Refer to this [document](antrea-l7-network-policy.
 This feature is currently only supported for Nodes running Linux, and TX checksum offloading must be disabled. Refer to
 this [document](antrea-l7-network-policy.md#prerequisites) for more information and how it can be configured.
 
-
 ### AdminNetworkPolicy
 
 The `AdminNetworkPolicy` API (which currently includes the AdminNetworkPolicy and BaselineAdminNetworkPolicy objects)
-complements the Antrea-native policies and help cluster administrators to set security postures in a portable manner.
+complements the Antrea-native policies and help cluster administrators to set security postures in a portable manner.

pkg/controller/networkpolicy/networkpolicy_controller.go

@@ -221,7 +221,7 @@ type NetworkPolicyController struct {
 	// banpLister is able to list/get BaselineAdminNetworkPolicy objects.
 	banpLister policyv1a1listers.BaselineAdminNetworkPolicyLister
 	// banpListerSynced is a function which returns true if the BaselineAdminNetworkPolicy shared informer has
-	//	// been synced at least once.
+	// been synced at least once.
 	banpListerSynced cache.InformerSynced
 
 	// addressGroupStore is the storage where the populated Address Groups are stored.
@@ -448,22 +448,24 @@ func NewNetworkPolicyController(kubeClient clientset.Interface,
 		},
 		resyncPeriod,
 	)
-	adminNPInformer.Informer().AddEventHandlerWithResyncPeriod(
-		cache.ResourceEventHandlerFuncs{
-			AddFunc:    n.addAdminNP,
-			UpdateFunc: n.updateAdminNP,
-			DeleteFunc: n.deleteAdminNP,
-		},
-		resyncPeriod,
-	)
-	banpInformer.Informer().AddEventHandlerWithResyncPeriod(
-		cache.ResourceEventHandlerFuncs{
-			AddFunc:    n.addBANP,
-			UpdateFunc: n.updateBANP,
-			DeleteFunc: n.deleteBANP,
-		},
-		resyncPeriod,
-	)
+	if features.DefaultFeatureGate.Enabled(features.AdminNetworkPolicy) {
+		adminNPInformer.Informer().AddEventHandlerWithResyncPeriod(
+			cache.ResourceEventHandlerFuncs{
+				AddFunc:    n.addAdminNP,
+				UpdateFunc: n.updateAdminNP,
+				DeleteFunc: n.deleteAdminNP,
+			},
+			resyncPeriod,
+		)
+		banpInformer.Informer().AddEventHandlerWithResyncPeriod(
+			cache.ResourceEventHandlerFuncs{
+				AddFunc:    n.addBANP,
+				UpdateFunc: n.updateBANP,
+				DeleteFunc: n.deleteBANP,
+			},
+			resyncPeriod,
+		)
+	}
 	// Register Informer and add handlers for AntreaPolicy events only if the feature is enabled.
 	if features.DefaultFeatureGate.Enabled(features.AntreaPolicy) {
 		n.namespaceInformer = namespaceInformer

pkg/controller/networkpolicy/validate.go

@@ -127,7 +127,8 @@ type NetworkPolicyValidator struct {
 	// groupValidators maintains a list of validator objects which
 	// implement the validator interface for ClusterGroup resources.
 	groupValidators []validator
-
+	// adminNPValidators maintains a list of validator objects which
+	// implement the validator interface for ANP and BANP resources.
 	adminNPValidators []validator
 }
 

pkg/features/antrea_features.go

@@ -198,6 +198,7 @@ var (
 		NetworkPolicyStats:      {},
 		SupportBundleCollection: {},
 		L7NetworkPolicy:         {},
+		AdminNetworkPolicy:      {},
 	}
 )