Add 'namespaces' in ACNP for enhanced peer namespace selection (#1961)
* Add 'namespaces' in ACNP for enhanced peer namespace selection

Signed-off-by: Yang Ding <[email protected]>

* Add E2E testcases

Signed-off-by: Yang Ding <[email protected]>

* Address comments

Signed-off-by: Yang Ding <[email protected]>

* Address more comments

Signed-off-by: Yang Ding <[email protected]>

* Address updateCNP comments

Signed-off-by: Yang Ding <[email protected]>
Dyanngg authored May 26, 2021
1 parent cddfccd commit e7051c0
Showing 23 changed files with 1,153 additions and 418 deletions.
20 changes: 20 additions & 0 deletions build/yamls/antrea-aks.yml
Expand Up @@ -700,6 +700,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -827,6 +832,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1105,6 +1115,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1232,6 +1247,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
20 changes: 20 additions & 0 deletions build/yamls/antrea-eks.yml
Expand Up @@ -700,6 +700,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -827,6 +832,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1105,6 +1115,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1232,6 +1247,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
20 changes: 20 additions & 0 deletions build/yamls/antrea-gke.yml
Expand Up @@ -700,6 +700,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -827,6 +832,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1105,6 +1115,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1232,6 +1247,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
20 changes: 20 additions & 0 deletions build/yamls/antrea-ipsec.yml
Expand Up @@ -700,6 +700,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -827,6 +832,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1105,6 +1115,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1232,6 +1247,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
20 changes: 20 additions & 0 deletions build/yamls/antrea.yml
Expand Up @@ -700,6 +700,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -827,6 +832,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1105,6 +1115,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -1232,6 +1247,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
20 changes: 20 additions & 0 deletions build/yamls/base/crds.yml
Expand Up @@ -656,6 +656,11 @@ spec:
type: string
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaces:
type: object
properties:
match:
type: string
ipBlock:
type: object
properties:
Expand Down Expand Up @@ -795,6 +800,11 @@ spec:
type: string
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaces:
type: object
properties:
match:
type: string
ipBlock:
type: object
properties:
Expand Down Expand Up @@ -2009,6 +2019,11 @@ spec:
type: string
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaces:
type: object
properties:
match:
type: string
ipBlock:
type: object
properties:
Expand Down Expand Up @@ -2148,6 +2163,11 @@ spec:
type: string
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaces:
type: object
properties:
match:
type: string
ipBlock:
type: object
properties:
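Review bot: The `match` property added under `namespaces` in all four hunks of this file is an unconstrained string, while the accompanying types.go in this commit documents `Self` as the only supported value; adding `enum:` followed by `- Self` directly beneath `type: string` would let the API server reject unsupported values at admission time instead of relying on controller or webhook logic that is not visible here. The same schema is repeated in the generated build/yamls/antrea*.yml manifests, which presumably are regenerated from this base file rather than edited by hand. The surrounding `NetworkPolicyPeer` schema continues outside each hunk, so the companion constraint that `namespaces` and `namespaceSelector` are mutually exclusive cannot be checked from this chunk.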
1 change: 1 addition & 0 deletions cmd/antrea-controller/controller.go
Expand Up @@ -149,6 +149,7 @@ func run(o *Options) error {
networkPolicyController := networkpolicy.NewNetworkPolicyController(client,
crdClient,
groupEntityIndex,
namespaceInformer,
serviceInformer,
networkPolicyInformer,
cnpInformer,
22 changes: 21 additions & 1 deletion pkg/apis/crd/v1alpha1/types.go
Expand Up @@ -388,9 +388,18 @@ type NetworkPolicyPeer struct {
// workloads in To/From fields. If set with PodSelector,
// Pods are matched from Namespaces matched by the NamespaceSelector.
// Cannot be set with any other selector except PodSelector or
// ExternalEntitySelector.
// ExternalEntitySelector. Cannot be set with Namespaces.
// +optional
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
// Select Pod/ExternalEntity from Namespaces matched by specifc criteria.
// Current supported criteria is match: Self, which selects from the same
// Namespace of the appliedTo workloads.
// Cannot be set with any other selector except PodSelector or
// ExternalEntitySelector. This field can only be set when NetworkPolicyPeer
// is created for ClusterNetworkPolicy ingress/egress rules.
// Cannot be set with NamespaceSelector.
// +optional
Namespaces *PeerNamespaces `json:"namespaces,omitempty"`
// Select ExternalEntities from NetworkPolicy's Namespace as workloads
// in AppliedTo/To/From fields. If set with NamespaceSelector,
// ExternalEntities are matched from Namespaces matched by the
Expand All @@ -405,6 +414,17 @@ type NetworkPolicyPeer struct {
Group string `json:"group,omitempty"`
}

type PeerNamespaces struct {
Match NamespaceMatchType `json:"match,omitempty"`
}

// NamespaceMatchType describes Namespace matching strategy.
type NamespaceMatchType string

const (
NamespaceMatchSelf NamespaceMatchType = "Self"
)

// IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed
// or denied to/from the workloads matched by a Spec.AppliedTo.
type IPBlock struct {
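Review bot: The exported `PeerNamespaces` type and the `NamespaceMatchSelf` constant in the second hunk are added without doc comments, which Go convention (and golint-style checks) expects on every exported name; I would add `// PeerNamespaces selects Namespaces for a NetworkPolicyPeer by a matching strategy rather than by label.` above the struct and `// NamespaceMatchSelf matches only the Namespace of the appliedTo workloads.` above the constant. The new `Namespaces` field comment in the first hunk also has a typo, `specifc`, that should read `specific`. The comments state three restrictions on the field (cannot be combined with `NamespaceSelector`, only valid in ClusterNetworkPolicy rules, only `Self` is supported), none of which the struct or CRD schema can express on their own; if those are meant to be enforced at admission time the validating webhook should reject violations, and that code is not part of this hunk, so treat this as something to confirm rather than a defect seen here.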
21 changes: 21 additions & 0 deletions pkg/apis/crd/v1alpha1/zz_generated.deepcopy.go

