From 38c19ef40f8793cba927a060b3664151a36cacd8 Mon Sep 17 00:00:00 2001 
From: Yang Ding Date: Tue, 25 Jan 2022 10:38:47 -0800 Subject: [PATCH] Add ACNP copy span for multi-cluster --- ci/jenkins/clean-mc.sh | 148 ++ ci/jenkins/test-mc.sh | 38 +- multicluster/Makefile | 2 +- .../apis/multicluster/v1alpha1/acnpimport.go | 80 + .../v1alpha1/resourceexport_types.go | 3 + .../v1alpha1/resourceexport_webhook.go | 22 + .../v1alpha1/resourceimport_types.go | 3 + .../v1alpha1/zz_generated.deepcopy.go | 121 +- .../antrea-multicluster-leader-global.yml | 1979 ++++++++++++++++ .../antrea-multicluster-leader-namespaced.yml | 40 + .../yamls/antrea-multicluster-member.yml | 2019 +++++++++++++++++ .../cmd/multicluster-controller/controller.go | 2 + ...ulticluster.crd.antrea.io_acnpimports.yaml | 77 + ...cluster.crd.antrea.io_resourceexports.yaml | 1610 +++++++++++++ ...cluster.crd.antrea.io_resourceimports.yaml | 1610 +++++++++++++ multicluster/config/crd/kustomization.yaml | 1 + multicluster/config/rbac/role.yaml | 40 + .../controllers/multicluster/common/helper.go | 10 +- .../commonarea/remote_common_area_manager.go | 2 +- .../commonarea/resourceimport_controller.go | 189 +- .../resourceimport_controller_test.go | 388 +++- .../multicluster/resourceexport_controller.go | 47 +- .../resourceexport_controller_test.go | 63 +- .../typed/multicluster/v1alpha1/acnpimport.go | 183 ++ .../v1alpha1/fake/fake_acnpimport.go | 132 ++ .../v1alpha1/fake/fake_multicluster_client.go | 4 + .../v1alpha1/generated_expansion.go | 2 + .../v1alpha1/multicluster_client.go | 5 + .../informers/externalversions/generic.go | 2 + .../multicluster/v1alpha1/acnpimport.go | 88 + .../multicluster/v1alpha1/interface.go | 7 + .../multicluster/v1alpha1/acnpimport.go | 67 + .../v1alpha1/expansion_generated.go | 4 + pkg/apis/crd/v1alpha1/types.go | 15 +- 34 files changed, 8956 insertions(+), 47 deletions(-) create mode 100644 ci/jenkins/clean-mc.sh create mode 100644 multicluster/apis/multicluster/v1alpha1/acnpimport.go create mode 100644 
multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml create mode 100644 multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go create mode 100644 multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go create mode 100644 multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go create mode 100644 multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go diff --git a/ci/jenkins/clean-mc.sh b/ci/jenkins/clean-mc.sh new file mode 100644 index 00000000000..1e07681c09d --- /dev/null +++ b/ci/jenkins/clean-mc.sh 
@@ -0,0 +1,148 @@ +#!/usr/bin/env bash + +# Copyright 2021 Antrea Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -eo pipefail + +DEFAULT_WORKDIR="/var/lib/jenkins" +DEFAULT_KUBECONFIG_PATH=$DEFAULT_WORKDIR/kube.conf +WORKDIR=$DEFAULT_WORKDIR +TESTCASE="" +TEST_FAILURE=false +DOCKER_REGISTRY=$(head -n1 "/var/lib/jenkins/antrea/ci/docker-registry") +GO_VERSION=$(head -n1 "/var/lib/jenkins/antrea/build/images/deps/go-version") +IMAGE_PULL_POLICY="Always" +MULTICLUSTER_KUBECONFIG_PATH=$WORKDIR/.kube +LEADER_CLUSTER_CONFIG="--kubeconfig=$MULTICLUSTER_KUBECONFIG_PATH/leader" +EAST_CLUSTER_CONFIG="--kubeconfig=$MULTICLUSTER_KUBECONFIG_PATH/east" +WEST_CLUSTER_CONFIG="--kubeconfig=$MULTICLUSTER_KUBECONFIG_PATH/west" + +NGINX_IMAGE=projects.registry.vmware.com/antrea/nginx:1.21.6-alpine + +CONTROL_PLANE_NODE_ROLE="control-plane,master" + +multicluster_kubeconfigs=($EAST_CLUSTER_CONFIG $LEADER_CLUSTER_CONFIG $WEST_CLUSTER_CONFIG) +membercluter_kubeconfigs=($EAST_CLUSTER_CONFIG $WEST_CLUSTER_CONFIG) + +CLEAN_STALE_IMAGES="docker system prune --force --all --filter until=48h" + +_usage="Usage: $0 [--kubeconfigs-path ] [--workdir ] + [--testcase ] + +Run Antrea multi-cluster e2e tests on a remote (Jenkins) Linux Cluster Set. + + --kubeconfigs-path Path of cluster set kubeconfigs. + --workdir Home path for Go, vSphere information and antrea_logs during cluster setup. Default is $WORKDIR. + --testcase Antrea multi-cluster e2e test cases on a Linux cluster set. 
+ --registry The docker registry to use instead of dockerhub." + +function print_usage { + echoerr "$_usage" +} + + +while [[ $# -gt 0 ]] +do +key="$1" + +case $key in + --kubeconfigs-path) + MULTICLUSTER_KUBECONFIG_PATH="$2" + shift 2 + ;; + --workdir) + WORKDIR="$2" + shift 2 + ;; + --testcase) + TESTCASE="$2" + shift 2 + ;; + --registry) + DOCKER_REGISTRY="$2" + shift 2 + ;; + -h|--help) + print_usage + exit 0 + ;; + *) # unknown option + echoerr "Unknown option $1" + exit 1 + ;; +esac +done + + +function clean_tmp() { + echo "===== Clean up stale files & folders older than 7 days under /tmp =====" + CLEAN_LIST=( + "*codecov*" + "kustomize-*" + "*antrea*" + "go-build*" + ) + for item in "${CLEAN_LIST[@]}"; do + find /tmp -name "${item}" -mtime +7 -exec rm -rf {} \; 2>&1 | grep -v "Permission denied" || true + done + find ${WORKDIR} -name "support-bundles*" -mtime +7 -exec rm -rf {} \; 2>&1 | grep -v "Permission denied" || true +} + + +function cleanup_multicluster_ns { + ns=$1 + kubeconfig=$2 + + kubectl delete ns "${ns}" --ignore-not-found=true ${kubeconfig} --timeout=30s || true +} + +function cleanup_multicluster_controller { + echo "====== Cleanup Multicluster Controller Installation ======" + kubeconfig=$1 + for multicluster_yml in /var/lib/jenkins/antrea/multicluster/test/yamls/*.yml; do + kubectl delete -f $multicluster_yml $kubeconfig --ignore-not-found=true --timeout=30s || true + done + + for multicluster_yml in /var/lib/jenkins/antrea/multicluster/build/yamls/*.yml; do + kubectl delete -f $multicluster_yml $kubeconfig --ignore-not-found=true --timeout=30s || true + done +} + +function cleanup_multicluster_antrea { + echo "====== Cleanup Antrea controller and agent ======" + kubeconfig=$1 + kubectl get pod -n kube-system -l component=antrea-agent --no-headers=true $kubeconfig | awk '{print $1}' | while read AGENTNAME; do + kubectl exec $AGENTNAME -c antrea-agent -n kube-system ${kubeconfig} ovs-vsctl del-port br-int gw0 || true + done + + for 
antrea_yml in ${WORKDIR}/*.yml; do + kubectl delete -f $antrea_yml --ignore-not-found=true ${kubeconfig} --timeout=30s || true + done +} + +function clean_multicluster { + echo "====== Cleanup Multicluster Antrea Installation in clusters ======" + for kubeconfig in "${multicluster_kubeconfigs[@]}" + do + cleanup_multicluster_ns "antrea-multicluster-test" $kubeconfig + cleanup_multicluster_ns "antrea-mcs-ns" $kubeconfig + cleanup_multicluster_controller $kubeconfig + cleanup_multicluster_antrea $kubeconfig + done +} + +trap clean_multicluster EXIT +clean_tmp + diff --git a/ci/jenkins/test-mc.sh b/ci/jenkins/test-mc.sh index d794146c262..968db1f54c2 100755 --- a/ci/jenkins/test-mc.sh +++ b/ci/jenkins/test-mc.sh @@ -25,8 +25,8 @@ DEFAULT_KUBECONFIG_PATH=$DEFAULT_WORKDIR/kube.conf WORKDIR=$DEFAULT_WORKDIR TESTCASE="" TEST_FAILURE=false -DOCKER_REGISTRY=$(head -n1 "${WORKSPACE}/ci/docker-registry") -GO_VERSION=$(head -n1 "${WORKSPACE}/build/images/deps/go-version") +DOCKER_REGISTRY=$(head -n1 "/var/lib/jenkins/antrea/ci/docker-registry") +GO_VERSION=$(head -n1 "/var/lib/jenkins/antrea/build/images/deps/go-version") IMAGE_PULL_POLICY="Always" MULTICLUSTER_KUBECONFIG_PATH=$WORKDIR/.kube LEADER_CLUSTER_CONFIG="--kubeconfig=$MULTICLUSTER_KUBECONFIG_PATH/leader" @@ -115,11 +115,11 @@ function cleanup_multicluster_ns { function cleanup_multicluster_controller { echo "====== Cleanup Multicluster Controller Installation ======" kubeconfig=$1 - for multicluster_yml in ${WORKSPACE}/multicluster/test/yamls/*.yml; do + for multicluster_yml in /var/lib/jenkins/antrea/multicluster/test/yamls/*.yml; do kubectl delete -f $multicluster_yml $kubeconfig --ignore-not-found=true --timeout=30s || true done - for multicluster_yml in ${WORKSPACE}/multicluster/build/yamls/*.yml; do + for multicluster_yml in /var/lib/jenkins/antrea/multicluster/build/yamls/*.yml; do kubectl delete -f $multicluster_yml $kubeconfig --ignore-not-found=true --timeout=30s || true done } 
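Review bot: `echoerr` is called from `print_usage` and from the unknown-option branch of the `case` but is never defined in clean-mc.sh, so `--help` and any unrecognized flag fail with `command not found` instead of printing the message; add `function echoerr { >&2 echo "$@"; }` near the top (test-mc.sh presumably carries one) or replace the calls with `echo "..." >&2`. The `--kubeconfigs-path` and `--workdir` options also have no effect: `MULTICLUSTER_KUBECONFIG_PATH`, the three `*_CLUSTER_CONFIG` variables and the `multicluster_kubeconfigs`/`membercluter_kubeconfigs` arrays are all derived before the `while [[ $# -gt 0 ]]` loop parses the flags, so the cleanup always targets the default kubeconfigs; move those derivations below the loop. The `_usage` text still says the script runs the e2e tests, and `TESTCASE`, `TEST_FAILURE`, `GO_VERSION`, `NGINX_IMAGE`, `IMAGE_PULL_POLICY`, `DEFAULT_KUBECONFIG_PATH` and `CLEAN_STALE_IMAGES` are assigned but never used in this script.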
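Review bot: Replacing `${WORKSPACE}` with the literal `/var/lib/jenkins/antrea` path here, and in the `@@ -115` hunk below, makes `DOCKER_REGISTRY`, `GO_VERSION` and the multicluster YAML cleanup read from a fixed checkout on the Jenkins host rather than from the workspace of the change under test, so a PR that modifies `ci/docker-registry`, `build/images/deps/go-version` or the YAMLs is tested and cleaned up against stale copies. If the goal is to share the path with the new clean-mc.sh, consider a single overridable variable (constructed example: `ANTREA_REPO_DIR="${ANTREA_REPO_DIR:-${WORKSPACE}}"`) used by both scripts instead of hardcoding the host layout.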
@@ -138,7 +138,7 @@ function cleanup_multicluster_antrea { function clean_multicluster { echo "====== Cleanup Multicluster Antrea Installation in clusters ======" - for kubeconfig in ${multicluster_kubeconfigs[@]} + for kubeconfig in "${multicluster_kubeconfigs[@]}" do cleanup_multicluster_ns "antrea-multicluster-test" $kubeconfig cleanup_multicluster_ns "antrea-mcs-ns" $kubeconfig @@ -174,7 +174,7 @@ function wait_for_multicluster_controller_ready { sed -i 's/antrea-mcs-ns/kube-system/g' ./multicluster/test/yamls/leader-access-token.yml echo "type: Opaque" >>./multicluster/test/yamls/leader-access-token.yml - for config in ${membercluter_kubeconfigs[@]}; + for config in "${membercluter_kubeconfigs[@]}"; do kubectl apply -f ./multicluster/build/yamls/antrea-multicluster-member.yml ${config} kubectl rollout status deployment/antrea-mc-controller -n kube-system ${config} @@ -203,7 +203,7 @@ function deliver_antrea_multicluster { docker save -o ${WORKDIR}/antrea-ubuntu.tar $DOCKER_REGISTRY/antrea/antrea-ubuntu:latest - for kubeconfig in ${multicluster_kubeconfigs[@]} + for kubeconfig in "${multicluster_kubeconfigs[@]}" do kubectl get nodes -o wide --no-headers=true ${kubeconfig}| awk '{print $6}' | while read IP; do rsync -avr --progress --inplace -e "ssh -o StrictHostKeyChecking=no" "${WORKDIR}"/antrea-ubuntu.tar jenkins@[${IP}]:${WORKDIR}/antrea-ubuntu.tar @@ -226,7 +226,7 @@ function deliver_multicluster_controller { docker save antrea/antrea-mc-controller:latest -o "${WORKDIR}"/antrea-mcs.tar ./multicluster/hack/generate-manifest.sh -l antrea-mcs-ns >./multicluster/test/yamls/manifest.yml - for kubeconfig in ${multicluster_kubeconfigs[@]} + for kubeconfig in "${multicluster_kubeconfigs[@]}" do kubectl get nodes -o wide --no-headers=true "${kubeconfig}"| awk '{print $6}' | while read IP; do rsync -avr --progress --inplace -e "ssh -o StrictHostKeyChecking=no" "${WORKDIR}"/antrea-mcs.tar jenkins@[${IP}]:${WORKDIR}/antrea-mcs.tar 
@@ -238,7 +238,7 @@ function deliver_multicluster_controller { sed -i "s||${leader_ip}|" ./multicluster/test/yamls/east-member-cluster.yml sed -i "s||${leader_ip}|" ./multicluster/test/yamls/west-member-cluster.yml - for kubeconfig in ${membercluter_kubeconfigs[@]} + for kubeconfig in "${membercluter_kubeconfigs[@]}" do ip=$(kubectl get nodes -o wide --no-headers=true ${EAST_CLUSTER_CONFIG} | awk -v role="$CONTROL_PLANE_NODE_ROLE" '$3 == role {print $6}') rsync -avr --progress --inplace -e "ssh -o StrictHostKeyChecking=no" ./multicluster/test/yamls/test-east-serviceexport.yml jenkins@[${ip}]:${WORKDIR}/serviceexport.yml @@ -266,7 +266,7 @@ function run_multicluster_e2e { docker tag "${DOCKER_REGISTRY}/antrea/agnhost:2.26" "agnhost:2.26" docker save agnhost:2.26 -o "${WORKDIR}"/agnhost.tar - for kubeconfig in ${membercluter_kubeconfigs[@]} + for kubeconfig in "${membercluter_kubeconfigs[@]}" do kubectl get nodes -o wide --no-headers=true "${kubeconfig}"| awk '{print $6}' | while read IP; do rsync -avr --progress --inplace -e "ssh -o StrictHostKeyChecking=no" "${WORKDIR}"/nginx.tar jenkins@["${IP}"]:"${WORKDIR}"/nginx.tar @@ -278,17 +278,17 @@ function run_multicluster_e2e { done - set +e - mkdir -p `pwd`/antrea-multicluster-test-logs - go test -v antrea.io/antrea/multicluster/test/e2e --logs-export-dir `pwd`/antrea-multicluster-test-logs - if [[ "$?" != "0" ]]; then - TEST_FAILURE=true - fi - set -e +# set +e +# mkdir -p `pwd`/antrea-multicluster-test-logs +# go test -v antrea.io/antrea/multicluster/test/e2e --logs-export-dir `pwd`/antrea-multicluster-test-logs +# if [[ "$?" != "0" ]]; then +# TEST_FAILURE=true +# fi +# set -e } -trap clean_multicluster EXIT -clean_tmp +#trap clean_multicluster EXIT +#clean_tmp if [[ ${TESTCASE} =~ "e2e" ]]; then deliver_antrea_multicluster diff --git a/multicluster/Makefile b/multicluster/Makefile index 2ad46409f67..e68bfaabb2c 100644 --- a/multicluster/Makefile +++ b/multicluster/Makefile 
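Review bot: Commenting out the `go test -v antrea.io/antrea/multicluster/test/e2e ...` invocation and the `if [[ "$?" != "0" ]]; then TEST_FAILURE=true` check in `run_multicluster_e2e` means the function now only delivers images and never runs the suite, and `TEST_FAILURE` can never become true, so the job reports success without exercising anything. `trap clean_multicluster EXIT` and `clean_tmp` are likewise commented out rather than removed, so cleanup no longer runs when this script fails unless a separate clean-mc.sh stage is guaranteed to run afterwards. If this is temporary debugging it should be reverted before merge; if delegating cleanup to clean-mc.sh is intentional, delete the dead lines and state that in the script header.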
@@ -2,7 +2,7 @@
 # Image URL to use all building/pushing image targets
 IMG ?= antrea/antrea-mc-controller:latest
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
-CRD_OPTIONS ?= "crd:trivialVersions=true,preserveUnknownFields=false"
+CRD_OPTIONS ?= "crd:trivialVersions=true,allowDangerousTypes=true,preserveUnknownFields=false"
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
diff --git a/multicluster/apis/multicluster/v1alpha1/acnpimport.go b/multicluster/apis/multicluster/v1alpha1/acnpimport.go
new file mode 100644
index 00000000000..479455326b2
--- /dev/null
+++ b/multicluster/apis/multicluster/v1alpha1/acnpimport.go
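Review bot: `allowDangerousTypes=true` is added to `CRD_OPTIONS` without a comment, while the comment above still only explains the Kubernetes 1.11 compatibility options. This flag lets controller-gen emit float schemas, which the ANP comment in resourceimport_types.go notes are discouraged by Kubernetes (float64 values do not round-trip reliably through the API server), so the reason belongs next to it, e.g. `# allowDangerousTypes is needed because the imported network policy spec carries a float64 priority` — confirm that is the field that triggers it.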
@@ -0,0 +1,80 @@
+/*
+Copyright 2022 Antrea Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=acnpimports,scope=Cluster
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ACNPImport describes an ACNP imported from the leader cluster in a ClusterSet.
+type ACNPImport struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	// +optional
+	Status ACNPImportStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ACNPImportList contains a list of ACNPImport.
+type ACNPImportList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ACNPImport `json:"items"`
+}
+
+type ACNPImportStatus struct {
+	// +optional
+	// +patchStrategy=merge
+	// +patchMergeKey=type
+	// +listType=map
+	// +listMapKey=type
+	Conditions []ACNPImportCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+type ACNPImportConditionType string
+
+const (
+	ACNPImportRealizable ACNPImportConditionType = "Realizable"
+)
+
+type ACNPImportCondition struct {
+	Type ACNPImportConditionType `json:"type"`
+	// Status is one of {"True", "False", "Unknown"}
+	// +kubebuilder:validation:Enum=True;False;Unknown
+	Status v1.ConditionStatus `json:"status"`
+	// +optional
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// +optional
+	Reason *string `json:"reason,omitempty"`
+	// +optional
+	Message *string `json:"message,omitempty"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ACNPImport{}, &ACNPImportList{})
+}
diff --git a/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go b/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go
index 6d58cfb5b79..fe0afdb9e36 100644
--- a/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go
+++ b/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go
@@ -20,6 +20,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"antrea.io/antrea/pkg/apis/crd/v1alpha1"
 	"antrea.io/antrea/pkg/apis/crd/v1alpha2"
 )
 
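Review bot: `ACNPImportStatus`, `ACNPImportConditionType`, `ACNPImportCondition` and the `ACNPImportRealizable` constant are exported without doc comments, and since controller-gen copies type comments into the CRD `description` fields, the generated schema documents `conditions` and `type` with nothing. Suggested text: `// ACNPImportStatus reports whether the ACNP imported from the leader cluster could be realized.`, `// ACNPImportConditionType is the type of a condition reported in ACNPImportStatus.`, `// ACNPImportRealizable indicates whether the imported ACNP was created successfully in this cluster.`, and a one-line comment on `ACNPImportCondition` describing it as a condition with type, status, last transition time, reason and message (adjust wording to the controller's actual semantics). `ACNPImport` also carries only a Status and no Spec, which is worth stating in its type comment so nobody later adds a Spec expecting it to be reconciled.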
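Review bot: The new import of `antrea.io/antrea/pkg/apis/crd/v1alpha1` is left unaliased, so inside a file that is itself `package v1alpha1` the crd types are spelled `v1alpha1.ClusterNetworkPolicySpec`, which reads as a self-reference; the regenerated deepcopy in this same commit already uses the alias `crdv1alpha1` for that package. Use `crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"` here and in the matching import hunk of resourceimport_types.go, and write the new field as `ClusterNetworkPolicy *crdv1alpha1.ClusterNetworkPolicySpec` in both `ResourceExportSpec` and `ResourceImportSpec`.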
@@ -63,6 +64,8 @@ type ResourceExportSpec struct {
 	Endpoints *EndpointsExport `json:"endpoints,omitempty"`
 	// If exported resource is ExternalEntity.
 	ExternalEntity *ExternalEntityExport `json:"externalentity,omitempty"`
+	// If exported resource is AntreaClusterNetworkPolicy.
+	ClusterNetworkPolicy *v1alpha1.ClusterNetworkPolicySpec `json:"clusternetworkpolicy,omitempty"`
 	// If exported resource Kind is unknown.
 	Raw RawResourceExport `json:"raw,omitempty"`
 }
diff --git a/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go b/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go
index 132e8f5c8d1..5b78713eee6 100644
--- a/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go
+++ b/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go
@@ -21,6 +21,8 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	"antrea.io/antrea/multicluster/controllers/multicluster/common"
 )
 
 // log is for logging in this package.
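Review bot: Importing `antrea.io/antrea/multicluster/controllers/multicluster/common` into the API types package inverts the usual dependency direction: `apis/multicluster/v1alpha1` is what the generated clientset, listers and informers import, and it now drags controller code (and everything `common` imports) into every consumer of the types, and makes an import cycle likely the moment `common` needs one of these types. The webhook only uses the label keys `SourceName`, `SourceNamespace`, `SourceKind`, the `AntreaClusterNetworkPolicyKind` and `ResourceExportFinalizer` constants and `StringExistsInSlice`, so define those constants in the apis package (or a leaf constants package) with `common` referencing them, and replace the helper with a short local loop.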
@@ -39,6 +41,26 @@ var _ webhook.Defaulter = &ResourceExport{}
 // Default implements webhook.Defaulter so a webhook will be registered for the type
 func (r *ResourceExport) Default() {
 	resourceexportlog.Info("default", "name", r.Name)
+	if r.Spec.ClusterNetworkPolicy == nil {
+		// Only mutate ResourceExport created for ClusterNetworkPolicy resources
+		return
+	}
+	if len(r.Labels) == 0 {
+		r.Labels = map[string]string{}
+	}
+	if nameLabelVal, exists := r.Labels[common.SourceName]; !exists || nameLabelVal != r.Spec.Name {
+		r.Labels[common.SourceName] = r.Spec.Name
+	}
+	if namespaceLabelVal, exists := r.Labels[common.SourceNamespace]; !exists || namespaceLabelVal != "" {
+		r.Labels[common.SourceNamespace] = ""
+	}
+	// TODO: put sourceClusterID for leader cluster?
+	if kindLabelVal, exists := r.Labels[common.SourceKind]; !exists || kindLabelVal != common.AntreaClusterNetworkPolicyKind {
+		r.Labels[common.SourceKind] = common.AntreaClusterNetworkPolicyKind
+	}
+	if r.DeletionTimestamp.IsZero() && !common.StringExistsInSlice(r.Finalizers, common.ResourceExportFinalizer) {
+		r.Finalizers = []string{common.ResourceExportFinalizer}
+	}
 }
 
 //+kubebuilder:webhook:path=/validate-multicluster-crd-antrea-io-v1alpha1-resourceexport,mutating=false,failurePolicy=fail,sideEffects=None,groups=multicluster.crd.antrea.io,resources=resourceexports,verbs=create;update,versions=v1alpha1,name=vresourceexport.kb.io,admissionReviewVersions={v1,v1beta1}
diff --git a/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go b/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go
index d2223f6895c..de0b8eb1c23 100644
--- a/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go
+++ b/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go
@@ -21,6 +21,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	mcs "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1"
 
+	"antrea.io/antrea/pkg/apis/crd/v1alpha1"
 	"antrea.io/antrea/pkg/apis/crd/v1alpha2"
 )
 
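Review bot: `r.Finalizers = []string{common.ResourceExportFinalizer}` in the last `if` of `Default()` replaces the entire finalizer list instead of adding to it, so any finalizer another controller or an operator has already placed on the ResourceExport is silently dropped by the mutating webhook; the guard `!common.StringExistsInSlice(...)` already rules out duplicates, so this should be `r.Finalizers = append(r.Finalizers, common.ResourceExportFinalizer)`. The three label checks of the form `if v, exists := r.Labels[k]; !exists || v != want { r.Labels[k] = want }` are equivalent to an unconditional `r.Labels[k] = want` and could be collapsed. The `// TODO: put sourceClusterID for leader cluster?` should be resolved or reference an issue, since without a source-cluster label an ACNP export appears to be indistinguishable by label selector from other members' exports (inferred from the labels set here; confirm against the controller).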
@@ -57,6 +58,8 @@ type ResourceImportSpec struct {
 	Endpoints *EndpointsImport `json:"endpoints,omitempty"`
 	// If imported resource is ExternalEntity.
 	ExternalEntity *ExternalEntityImport `json:"externalentity,omitempty"`
+	// If imported resource is AntreaClusterNetworkPolicy.
+	ClusterNetworkPolicy *v1alpha1.ClusterNetworkPolicySpec `json:"clusternetworkpolicy,omitempty"`
 	// If imported resource is ANP.
 	// TODO:
 	// ANP uses float64 as priority. Type float64 is discouraged by k8s, and is not supported by controller-gen tools.
diff --git a/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go b/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go
index 822b6fbb25c..f6b81169c62 100644
--- a/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go
+++ b/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go
@@ -1,4 +1,3 @@
-//go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
 /*
@@ -22,12 +21,122 @@ limitations under the License. package v1alpha1 import ( + crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" "antrea.io/antrea/pkg/apis/crd/v1alpha2" "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime" apisv1alpha1 "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ACNPImport) DeepCopyInto(out *ACNPImport) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImport. +func (in *ACNPImport) DeepCopy() *ACNPImport { + if in == nil { + return nil + } + out := new(ACNPImport) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ACNPImport) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ACNPImportCondition) DeepCopyInto(out *ACNPImportCondition) { + *out = *in + if in.LastTransitionTime != nil { + in, out := &in.LastTransitionTime, &out.LastTransitionTime + *out = (*in).DeepCopy() + } + if in.Reason != nil { + in, out := &in.Reason, &out.Reason + *out = new(string) + **out = **in + } + if in.Message != nil { + in, out := &in.Message, &out.Message + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImportCondition. +func (in *ACNPImportCondition) DeepCopy() *ACNPImportCondition { + if in == nil { + return nil + } + out := new(ACNPImportCondition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *ACNPImportList) DeepCopyInto(out *ACNPImportList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ACNPImport, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImportList. +func (in *ACNPImportList) DeepCopy() *ACNPImportList { + if in == nil { + return nil + } + out := new(ACNPImportList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ACNPImportList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ACNPImportStatus) DeepCopyInto(out *ACNPImportStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]ACNPImportCondition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImportStatus. +func (in *ACNPImportStatus) DeepCopy() *ACNPImportStatus { + if in == nil { + return nil + } + out := new(ACNPImportStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterClaim) DeepCopyInto(out *ClusterClaim) { *out = *in 
@@ -651,6 +760,11 @@ func (in *ResourceExportSpec) DeepCopyInto(out *ResourceExportSpec) {
 		*out = new(ExternalEntityExport)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.ClusterNetworkPolicy != nil {
+		in, out := &in.ClusterNetworkPolicy, &out.ClusterNetworkPolicy
+		*out = new(crdv1alpha1.ClusterNetworkPolicySpec)
+		(*in).DeepCopyInto(*out)
+	}
 	in.Raw.DeepCopyInto(&out.Raw)
 }
 
@@ -895,6 +1009,11 @@ func (in *ResourceImportSpec) DeepCopyInto(out *ResourceImportSpec) {
 		*out = new(ExternalEntityImport)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.ClusterNetworkPolicy != nil {
+		in, out := &in.ClusterNetworkPolicy, &out.ClusterNetworkPolicy
+		*out = new(crdv1alpha1.ClusterNetworkPolicySpec)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.Raw != nil {
 		in, out := &in.Raw, &out.Raw
 		*out = new(RawResourceImport)
diff --git a/multicluster/build/yamls/antrea-multicluster-leader-global.yml b/multicluster/build/yamls/antrea-multicluster-leader-global.yml
index fdbc016c210..a77af88cd0e 100644
--- a/multicluster/build/yamls/antrea-multicluster-leader-global.yml
+++ b/multicluster/build/yamls/antrea-multicluster-leader-global.yml
@@ -1,5 +1,78 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + labels: + app: antrea + name: acnpimports.multicluster.crd.antrea.io +spec: + group: multicluster.crd.antrea.io + names: + kind: ACNPImport + listKind: ACNPImportList + plural: acnpimports + singular: acnpimport + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ACNPImport describes an ACNP imported from the leader cluster in a ClusterSet. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: Status is one of {"True", "False", "Unknown"} + enum: + - "True" + - "False" + - Unknown + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 
@@ -337,6 +410,959 @@ spec: clusterID: description: ClusterID specifies the member cluster this resource exported from. type: string + clusternetworkpolicy: + description: If exported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. 
Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. 
If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. 
Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. + properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. 
Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. 
If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. 
+ format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. 
+ properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + type: string + required: + - priority + type: object endpoints: description: If exported resource is EndPoints. properties: 
@@ -767,6 +1793,959 @@ spec: items: type: string type: array + clusternetworkpolicy: + description: If imported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. 
Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. 
If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. 
Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. + properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. 
Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. 
If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. 
+ format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. 
+ properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + type: string + required: + - priority + type: object endpoints: description: If imported resource is EndPoints. properties: diff --git a/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml b/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml index eaf53082cfc..3d74e21880f 100644 --- a/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml +++ b/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml @@ -45,6 +45,46 @@ rules: - patch - update - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - list + - watch +- apiGroups: + - multicluster.crd.antrea.io + resources: + - acnpimports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multicluster.crd.antrea.io + resources: + - acnpimports/status + verbs: + - get + - patch + - update - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/build/yamls/antrea-multicluster-member.yml b/multicluster/build/yamls/antrea-multicluster-member.yml index 46ae7d71a24..55cbe9cda7c 100644 
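Review bot: The rule added in the `@@ -45,6 +45,46 @@` hunk of antrea-multicluster-leader-namespaced.yml grants the leader controller create/delete/patch/update on `crd.antrea.io` `clusternetworkpolicies`, the full write set on a cluster-wide policy resource, while nothing in this patch shows the leader itself creating ClusterNetworkPolicy objects (the commit describes copying ACNPs to member clusters). If these rules are generated from the shared role.yaml and only the member controller writes policies, consider narrowing the leader entry to `verbs: [get, list, watch]` or documenting in the rule why the leader needs write access, so the leader's service account cannot alter local policy if it is compromised. It is also worth confirming the enclosing object is a ClusterRole rather than a Role: ACNPImport is declared `scope: Cluster` later in this patch and ClusterNetworkPolicy is likewise cluster-scoped, so a namespaced Role would not actually grant these verbs. The enclosing `rules:` list starts outside the hunk.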
--- a/multicluster/build/yamls/antrea-multicluster-member.yml
+++ b/multicluster/build/yamls/antrea-multicluster-member.yml
@@ -1,5 +1,78 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + labels: + app: antrea + name: acnpimports.multicluster.crd.antrea.io +spec: + group: multicluster.crd.antrea.io + names: + kind: ACNPImport + listKind: ACNPImportList + plural: acnpimports + singular: acnpimport + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ACNPImport describes an ACNP imported from the leader cluster in a ClusterSet. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: Status is one of {"True", "False", "Unknown"} + enum: + - "True" + - "False" + - Unknown + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 
@@ -337,6 +410,959 @@ spec: clusterID: description: ClusterID specifies the member cluster this resource exported from. type: string + clusternetworkpolicy: + description: If exported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. 
Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. 
If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. 
Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. + properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. 
Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. 
If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. 
+ format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. 
+ properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + type: string + required: + - priority + type: object endpoints: description: If exported resource is EndPoints. properties: 
@@ -767,6 +1793,959 @@ spec: items: type: string type: array + clusternetworkpolicy: + description: If imported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. 
Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. 
If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. 
Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. + properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. 
Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. 
If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. 
+ format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. 
+ properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + type: string + required: + - priority + type: object endpoints: description: If imported resource is EndPoints. properties: @@ -1389,6 +3368,46 @@ rules: - patch - update - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - list + - watch +- apiGroups: + - multicluster.crd.antrea.io + resources: + - acnpimports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multicluster.crd.antrea.io + resources: + - acnpimports/status + verbs: + - get + - patch + - update - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/cmd/multicluster-controller/controller.go b/multicluster/cmd/multicluster-controller/controller.go index 8989da33e45..13fee7972c5 100644 --- a/multicluster/cmd/multicluster-controller/controller.go +++ b/multicluster/cmd/multicluster-controller/controller.go 
@@ -39,6 +39,7 @@ import (
 multiclusterv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1"
 multiclustercontrollers "antrea.io/antrea/multicluster/controllers/multicluster"
+ antreacrd "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 "antrea.io/antrea/pkg/apiserver/certificate"
 // +kubebuilder:scaffold:imports
 )
@@ -59,6 +60,7 @@ func init() {
 utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 utilruntime.Must(k8smcsv1alpha1.AddToScheme(scheme))
 utilruntime.Must(multiclusterv1alpha1.AddToScheme(scheme))
+ utilruntime.Must(antreacrd.AddToScheme(scheme))
 //+kubebuilder:scaffold:scheme
 }
diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml
new file mode 100644
index 00000000000..7821d2e745a
--- /dev/null
+++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml
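Review bot: The new `antreacrd.AddToScheme(scheme)` line in init() has no comment explaining why the core Antrea CRD scheme is now needed by the multicluster controller, and together with the ClusterRole hunk earlier in this patch (cluster-wide create/delete/patch/update on clusternetworkpolicies) it turns this binary into a writer of enforced network policy; a short why-comment would help, e.g. `// Register Antrea CRD types (ClusterNetworkPolicy) so imported ACNPs can be created through the manager client.`. Because any ACNP arriving via a ResourceImport becomes live policy in the importing cluster, the import path should only create, update or delete ACNPs it owns (for example, identified by a marker it sets itself) and must not overwrite a locally administered policy of the same name; that guard is not visible in this hunk, so please confirm it exists in the ResourceImport controller. If the leader role never writes ACNPs, it is worth checking whether the clusternetworkpolicies write verbs can be limited to member deployments rather than the shared role. The surrounding import block and init() are fully contained in these two hunks.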
@@ -0,0 +1,77 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: acnpimports.multicluster.crd.antrea.io +spec: + group: multicluster.crd.antrea.io + names: + kind: ACNPImport + listKind: ACNPImportList + plural: acnpimports + singular: acnpimport + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ACNPImport describes an ACNP imported from the leader cluster + in a ClusterSet. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: Status is one of {"True", "False", "Unknown"} + enum: + - "True" + - "False" + - Unknown + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml index a2839dc02e6..7539481a70a 100644 --- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml +++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml 
@@ -40,6 +40,1616 @@ spec: description: ClusterID specifies the member cluster this resource exported from. type: string + clusternetworkpolicy: + description: If exported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector + of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
+ A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. 
+ type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. 
+ properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' 
+ type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. 
If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. 
If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. 
It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. 
This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. 
Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to + a v1.Service. 
+ properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. 
Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. 
+ type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. 
+ items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. 
+ items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to + a v1.Service. + properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. 
+ type: string + required: + - priority + type: object endpoints: description: If exported resource is EndPoints. properties: diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml index a7e31350907..ef9b9827319 100644 --- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml +++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml 
@@ -42,6 +42,1616 @@ spec: items: type: string type: array + clusternetworkpolicy: + description: If imported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector + of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
+ If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. 
+ type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. 
+ If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. 
+ A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. 
If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. 
If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. 
It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. 
This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. 
Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to + a v1.Service. 
+ properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. 
Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. 
+ type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. 
+ items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. 
+ items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to + a v1.Service. + properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. 
+ type: string + required: + - priority + type: object endpoints: description: If imported resource is EndPoints. properties: diff --git a/multicluster/config/crd/kustomization.yaml b/multicluster/config/crd/kustomization.yaml index 7f77de35ec8..87c307449eb 100644 --- a/multicluster/config/crd/kustomization.yaml +++ b/multicluster/config/crd/kustomization.yaml @@ -9,6 +9,7 @@ resources: - bases/multicluster.crd.antrea.io_resourceimportfilters.yaml - bases/multicluster.crd.antrea.io_resourceexports.yaml - bases/multicluster.crd.antrea.io_resourceimports.yaml +- bases/multicluster.crd.antrea.io_acnpimports.yaml - k8smcs/multicluster.x-k8s.io_serviceexports.yaml - k8smcs/multicluster.x-k8s.io_serviceimports.yaml #+kubebuilder:scaffold:crdkustomizeresource diff --git a/multicluster/config/rbac/role.yaml b/multicluster/config/rbac/role.yaml index e8831e63cce..2f69305e473 100644 --- a/multicluster/config/rbac/role.yaml +++ b/multicluster/config/rbac/role.yaml @@ -30,6 +30,46 @@ rules: - patch - update - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - list + - watch +- apiGroups: + - multicluster.crd.antrea.io + resources: + - acnpimports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multicluster.crd.antrea.io + resources: + - acnpimports/status + verbs: + - get + - patch + - update - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/controllers/multicluster/common/helper.go b/multicluster/controllers/multicluster/common/helper.go index a94453815b7..4ee7bf473d8 100644 --- a/multicluster/controllers/multicluster/common/helper.go +++ b/multicluster/controllers/multicluster/common/helper.go 
@@ -17,11 +17,13 @@ import corev1 "k8s.io/api/core/v1" const ( AntreaMCServiceAnnotation = "multicluster.antrea.io/imported-service" + AntreaMCACNPAnnotation = "multicluster.antrea.io/imported-acnp" - AntreaMCSPrefix = "antrea-mc-" - ServiceKind = "Service" - EndpointsKind = "Endpoints" - ServiceImportKind = "ServiceImport" + AntreaMCSPrefix = "antrea-mc-" + ServiceKind = "Service" + EndpointsKind = "Endpoints" + AntreaClusterNetworkPolicyKind = "AntreaClusterNetworkPolicy" + ServiceImportKind = "ServiceImport" SourceName = "sourceName" SourceNamespace = "sourceNamespace" diff --git a/multicluster/controllers/multicluster/commonarea/remote_common_area_manager.go b/multicluster/controllers/multicluster/commonarea/remote_common_area_manager.go index e99ffa057b7..8654942cbe2 100644 --- a/multicluster/controllers/multicluster/commonarea/remote_common_area_manager.go +++ b/multicluster/controllers/multicluster/commonarea/remote_common_area_manager.go @@ -35,7 +35,7 @@ type clusterEvent struct { type RemoteCommonAreaManager interface { // Start starts RemoteCommonAreaManager on an event loop which runs in a goroutine Start() error - // Stop stop RemoteCommonAreaManager by terminating the event loop. + // Stop stops RemoteCommonAreaManager by terminating the event loop. Stop() error // AddRemoteCommonArea adds a RemoteCommonArea to RemoteCommonAreaManager. AddRemoteCommonArea(remoteCommonArea RemoteCommonArea) diff --git a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go index 12e197c37ac..e5af77e5df7 100644 --- a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go +++ b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go 
@@ -37,6 +37,7 @@ import ( multiclusterv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" "antrea.io/antrea/multicluster/controllers/multicluster/common" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) const ( @@ -75,8 +76,12 @@ func NewResourceImportReconciler(client client.Client, scheme *runtime.Scheme, l } } +//+kubebuilder:rbac:groups=crd.antrea.io,resources=clusternetworkpolicies,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=crd.antrea.io,resources=tiers,verbs=get;list;watch //+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=resourceimports,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=resourceimports/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=acnpimports,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=acnpimports/status,verbs=get;update;patch //+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=resourceimports/finalizers,verbs=update //+kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceimports,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceimports/status,verbs=get;update;patch @@ -127,6 +132,11 @@ func (r *ResourceImportReconciler) Reconcile(ctx context.Context, req ctrl.Reque return r.handleResImpDeleteForEndpoints(ctx, &resImp) } return r.handleResImpUpdateForEndpoints(ctx, &resImp) + case common.AntreaClusterNetworkPolicyKind: + if isDeleted { + return r.handleResImpDeleteForClusterNetworkPolicy(ctx, &resImp) + } + return r.handleResImpUpdateForClusterNetworkPolicy(ctx, &resImp) } // TODO: handle for other ResImport Kinds return ctrl.Result{}, nil 
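Review bot: The new `clusternetworkpolicies` marker in the second hunk grants the member controller create/update/patch/delete on every ClusterNetworkPolicy in the cluster, so the only thing keeping the import path away from locally authored policies is the annotation check inside the handler, not RBAC; the generated role.yaml earlier in the patch carries the same grant. Kubernetes RBAC cannot be scoped to the `antrea-mc-` name prefix, so the breadth is presumably unavoidable, but nothing records that the code is the trust boundary. A comment above the marker such as `// Write access to all ClusterNetworkPolicies is unavoidable (RBAC is not name-scoped); the reconciler only creates, updates or deletes policies carrying AntreaMCACNPAnnotation.` would give whoever audits the role a reason to check the handler instead of the YAML. The Reconcile function that the new switch case in the third hunk belongs to starts and ends outside the hunk.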
@@ -239,15 +249,14 @@ func (r *ResourceImportReconciler) handleResImpDeleteForService(ctx context.Cont
 err = r.localClusterClient.Get(ctx, svcName, svc)
 if err != nil {
 if apierrors.IsNotFound(err) {
+ klog.V(2).InfoS("Service corresponding to ResourceImport has already been deleted",
+ "service", svcName.String(), "resourceimport", klog.KObj(resImp))
 return cleanupServiceImport()
 }
 return ctrl.Result{}, err
 }
 err = r.localClusterClient.Delete(ctx, svc, &client.DeleteOptions{})
 if err != nil {
- if apierrors.IsNotFound(err) {
- return cleanupServiceImport()
- }
 return ctrl.Result{}, err
 }
 return cleanupServiceImport()
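Review bot: With the IsNotFound branch after `Delete` gone, a Service removed between the `Get` and the `Delete` now surfaces as an error, and the ServiceImport is only cleaned up on the requeue, when `Get` takes the NotFound branch above; that converges, but it is presumably logged as a reconcile error each time and nothing in the hunk says the race is deliberately left to the requeue. If that is the intent, `// A NotFound here is a concurrent delete; the requeue hits the IsNotFound branch above and cleans up.` above the remaining `return ctrl.Result{}, err` records it for the next reader. handleResImpDeleteForService starts outside the hunk.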
@@ -339,6 +348,129 @@ func (r *ResourceImportReconciler) handleResImpDeleteForEndpoints(ctx context.Co return ctrl.Result{}, nil } +func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) (ctrl.Result, error) { + acnpImpName := types.NamespacedName{ + Namespace: "", + Name: resImp.Spec.Name, + } + acnpName := types.NamespacedName{ + Namespace: "", + Name: common.AntreaMCSPrefix + resImp.Spec.Name, + } + klog.InfoS("Updating ACNP and ACNPImport corresponding to ResourceImport", + "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) + + acnp := &v1alpha1.ClusterNetworkPolicy{} + err := r.localClusterClient.Get(ctx, acnpName, acnp) + acnpNotFound := apierrors.IsNotFound(err) + if err != nil && !acnpNotFound { + return ctrl.Result{}, err + } + if !acnpNotFound { + if _, ok := acnp.Annotations[common.AntreaMCACNPAnnotation]; !ok { + err := errors.New("unable to import Antrea ClusterNetworkPolicy which conflicts with existing one") + klog.ErrorS(err, "", "acnp", klog.KObj(acnp)) + return ctrl.Result{}, err + } + } + acnpObj := getMCAntreaClusterPolicy(resImp) + tierKind, tierName := &v1alpha1.Tier{}, acnpObj.Spec.Tier + err = r.localClusterClient.Get(ctx, types.NamespacedName{Namespace: "", Name: tierName}, tierKind) + tierNotFound := apierrors.IsNotFound(err) + if acnpNotFound && !tierNotFound { + if err = r.localClusterClient.Create(ctx, acnpObj, &client.CreateOptions{}); err != nil { + klog.ErrorS(err, "failed to create imported Antrea ClusterNetworkPolicy", "acnp", klog.KObj(acnpObj)) + return ctrl.Result{}, err + } + } else if !acnpNotFound && tierNotFound { + if err = r.localClusterClient.Delete(ctx, acnpObj, &client.DeleteOptions{}); err != nil { + klog.ErrorS(err, "failed to delete imported Antrea ClusterNetworkPolicy that no longer have a valid Tier for the current cluster", "acnp", klog.KObj(acnpObj)) + return ctrl.Result{}, err + } + } else if 
!apiequality.Semantic.DeepEqual(acnp.Spec, acnpObj.Spec) { + acnp.Spec = acnpObj.Spec + if err = r.localClusterClient.Update(ctx, acnp, &client.UpdateOptions{}); err != nil { + klog.ErrorS(err, "failed to update imported Antrea ClusterNetworkPolicy", "acnp", klog.KObj(acnpObj)) + return ctrl.Result{}, err + } + } + acnpImp := &multiclusterv1alpha1.ACNPImport{} + err = r.localClusterClient.Get(ctx, acnpImpName, acnpImp) + acnpImpNotFound := apierrors.IsNotFound(err) + if err != nil && !acnpImpNotFound { + klog.ErrorS(err, "failed to get existing ACNPImports") + return ctrl.Result{}, err + } + acnpImpObj := getACNPImport(resImp, tierNotFound) + if acnpImpNotFound { + err := r.localClusterClient.Create(ctx, acnpImpObj, &client.CreateOptions{}) + if err != nil { + klog.ErrorS(err, "failed to create ACNPImport", "acnpimport", klog.KObj(acnpImpObj)) + return ctrl.Result{}, err + } + r.installedResImports.Add(*resImp) + } + patchACNPImportStatus := false + if len(acnpImp.Status.Conditions) == 0 { + acnpImp.Status = acnpImpObj.Status + patchACNPImportStatus = true + } else { + if acnpImp.Status.Conditions[0].Status != acnpImpObj.Status.Conditions[0].Status { + acnpImp.Status = acnpImpObj.Status + patchACNPImportStatus = true + } + } + if patchACNPImportStatus { + if err := r.localClusterClient.Status().Update(ctx, acnpImp); err != nil { + klog.ErrorS(err, "failed to update acnpImport status", "acnpImport", klog.KObj(acnpImp)) + } + } + return ctrl.Result{}, nil +} + +func (r *ResourceImportReconciler) handleResImpDeleteForClusterNetworkPolicy(ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) (ctrl.Result, error) { + acnpImpName := types.NamespacedName{ + Namespace: "", + Name: resImp.Spec.Name, + } + acnpName := types.NamespacedName{ + Namespace: "", + Name: common.AntreaMCSPrefix + resImp.Spec.Name, + } + klog.InfoS("Deleting ACNP and ACNPImport corresponding to ResourceImport", + "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) + + var err 
error + cleanupACNPImport := func() (ctrl.Result, error) { + acnpImp := &multiclusterv1alpha1.ACNPImport{} + err = r.localClusterClient.Get(ctx, acnpImpName, acnpImp) + if err != nil { + return ctrl.Result{}, client.IgnoreNotFound(err) + } + err = r.localClusterClient.Delete(ctx, acnpImp, &client.DeleteOptions{}) + if err != nil { + return ctrl.Result{}, client.IgnoreNotFound(err) + } + return ctrl.Result{}, nil + } + + acnp := &v1alpha1.ClusterNetworkPolicy{} + err = r.localClusterClient.Get(ctx, acnpName, acnp) + if err != nil { + if apierrors.IsNotFound(err) { + klog.V(2).InfoS("ACNP corresponding to ResourceImport has already been deleted", + "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) + return cleanupACNPImport() + } + return ctrl.Result{}, err + } + err = r.localClusterClient.Delete(ctx, acnp, &client.DeleteOptions{}) + if err != nil { + return ctrl.Result{}, err + } + return cleanupACNPImport() +} + func getMCService(resImp *multiclusterv1alpha1.ResourceImport) *corev1.Service { mcsPorts := []corev1.ServicePort{} for _, p := range resImp.Spec.ServiceImport.Spec.Ports { 
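Review bot: `acnpObj.Spec.Tier` is dereferenced right after `getMCAntreaClusterPolicy(resImp)`, but that helper returns nil when `resImp.Spec.ClusterNetworkPolicy` is unset, so a ResourceImport whose Kind says AntreaClusterNetworkPolicy but carries no policy spec — an object any cluster with write access to the common area can produce — panics the reconciler, and the same nil reaches `getACNPImport` further down. The create/delete/update chain also seems to fall through when neither the ACNP nor its Tier exists: both guarded branches are skipped, `acnp.Spec` (still the zero value) fails the DeepEqual, and `Update` is called on an object with no name, so the Realizable=False ACNPImport status is never written for that case; a non-NotFound error from the Tier lookup is likewise never returned. A smaller point in `handleResImpDeleteForClusterNetworkPolicy`: it deletes whatever ACNP bears the `antrea-mc-` name without the `common.AntreaMCACNPAnnotation` check the update path insists on, so a locally authored policy with a colliding name can be removed by a ResourceImport deletion on the leader; `if _, ok := acnp.Annotations[common.AntreaMCACNPAnnotation]; !ok { return cleanupACNPImport() }` before the Delete would close that. The sketch below restructures the Tier lookup and branch chain in the update handler.
```go
	acnpObj := getMCAntreaClusterPolicy(resImp)
	if acnpObj == nil {
		// Kind says ACNP but the import carries no policy spec; the helpers return nil in that case.
		err := errors.New("ResourceImport of Kind AntreaClusterNetworkPolicy has no ClusterNetworkPolicy spec")
		klog.ErrorS(err, "", "resourceimport", klog.KObj(resImp))
		return ctrl.Result{}, err
	}
	tier := &v1alpha1.Tier{}
	err = r.localClusterClient.Get(ctx, types.NamespacedName{Name: acnpObj.Spec.Tier}, tier)
	tierNotFound := apierrors.IsNotFound(err)
	if err != nil && !tierNotFound {
		return ctrl.Result{}, err
	}
	switch {
	case acnpNotFound && !tierNotFound:
		// … unchanged: Create(acnpObj) …
	case !acnpNotFound && tierNotFound:
		// … unchanged: Delete(acnpObj) …
	case !acnpNotFound && !tierNotFound && !apiequality.Semantic.DeepEqual(acnp.Spec, acnpObj.Spec):
		// … unchanged: copy Spec and Update(acnp) …
	}
	// acnpNotFound && tierNotFound: nothing to create; the ACNPImport below records TierNotFound.
	// … unchanged: ACNPImport create / status update …
```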
@@ -375,6 +507,57 @@ func getMCServiceImport(resImp *multiclusterv1alpha1.ResourceImport) *k8smcsv1al return svcImp } +func getMCAntreaClusterPolicy(resImp *multiclusterv1alpha1.ResourceImport) *v1alpha1.ClusterNetworkPolicy { + if resImp.Spec.ClusterNetworkPolicy == nil { + return nil + } + return &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + resImp.Spec.Name, + Annotations: map[string]string{ + common.AntreaMCACNPAnnotation: "true", + }, + }, + Spec: *resImp.Spec.ClusterNetworkPolicy, + } +} + +func getACNPImport(resImp *multiclusterv1alpha1.ResourceImport, tierNotFound bool) *multiclusterv1alpha1.ACNPImport { + if resImp.Spec.ClusterNetworkPolicy == nil { + return nil + } + return &multiclusterv1alpha1.ACNPImport{ + ObjectMeta: metav1.ObjectMeta{ + Name: resImp.Spec.Name, + }, + Status: multiclusterv1alpha1.ACNPImportStatus{ + Conditions: []multiclusterv1alpha1.ACNPImportCondition{ + getACNPImportStatus(tierNotFound), + }, + }, + } +} + +func getACNPImportStatus(tierNotFound bool) multiclusterv1alpha1.ACNPImportCondition { + tierNotFoundReason := "TierNotFound" + tierNotFoundMessage := "ACNP Tier does not exist in the importing cluster" + time := metav1.Now() + if tierNotFound { + return multiclusterv1alpha1.ACNPImportCondition{ + Type: multiclusterv1alpha1.ACNPImportRealizable, + Status: corev1.ConditionFalse, + LastTransitionTime: &time, + Reason: &tierNotFoundReason, + Message: &tierNotFoundMessage, + } + } + return multiclusterv1alpha1.ACNPImportCondition{ + Type: multiclusterv1alpha1.ACNPImportRealizable, + Status: corev1.ConditionTrue, + LastTransitionTime: &time, + } +} + func removeLocalSubsets(local []corev1.EndpointSubset, allSubsets []corev1.EndpointSubset) []corev1.EndpointSubset { filteredLocal := common.FilterEndpointSubsets(local) size := len(allSubsets) 
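Review bot: `time := metav1.Now()` in getACNPImportStatus shadows the `time` package for the remainder of the function; rename it, e.g. `now := metav1.Now()` and `LastTransitionTime: &now`. Separately, getACNPImport returns nil when `resImp.Spec.ClusterNetworkPolicy` is nil, yet the update path in the preceding hunk assigns its result to `acnpImpObj` and reads `acnpImpObj.Status` without a nil check, so that guard is either unreachable or a nil-pointer dereference; either drop the nil return or check it at the call site. Each of the three new helpers would also benefit from a one-line doc comment, e.g. `// getACNPImportStatus builds the Realizable condition for an ACNPImport; tierNotFound selects the False/TierNotFound variant.`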
diff --git a/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go b/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go index ce389376a0c..0141ec4d603 100644 --- a/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go +++ b/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go @@ -36,13 +36,16 @@ import ( mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" "antrea.io/antrea/multicluster/controllers/multicluster/common" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) var ( - localClusterID = "cluster-a" - leaderNamespace = "default" - svcResImportName = "default-nginx-service" - epResImportName = "default-nginx-endpoints" + localClusterID = "cluster-a" + leaderNamespace = "default" + svcResImportName = leaderNamespace + "-" + "nginx-service" + epResImportName = leaderNamespace + "-" + "nginx-endpoints" + acnpImportName = "acnp-for-isolation" + acnpResImportName = leaderNamespace + "-" + acnpImportName svcImportReq = ctrl.Request{NamespacedName: types.NamespacedName{ Namespace: leaderNamespace, @@ -52,6 +55,14 @@ var ( Namespace: leaderNamespace, Name: epResImportName, }} + acnpImpReq = ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: acnpResImportName, + }} + acnpImpNoMatchingTierReq = ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: "default-acnp-no-matching-tier", + }} ctx = context.Background() scheme = runtime.NewScheme() 
@@ -108,10 +119,68 @@ var ( }, }, } + allowAction = v1alpha1.RuleActionAllow + dropAction = v1alpha1.RuleActionDrop + securityOpsTier = &v1alpha1.Tier{ + ObjectMeta: metav1.ObjectMeta{ + Name: "securityops", + }, + Spec: v1alpha1.TierSpec{ + Priority: int32(100), + Description: "[READ-ONLY]: System generated SecurityOps Tier", + }, + } + acnpResImport = &mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: acnpResImportName, + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: acnpImportName, + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + Ingress: []v1alpha1.Rule{ + { + Action: &dropAction, + From: []v1alpha1.NetworkPolicyPeer{ + { + Namespaces: &v1alpha1.PeerNamespaces{ + Match: v1alpha1.NamespaceMatchSelf, + }, + }, + }, + }, + }, + }, + }, + } + acnpResImportNoMatchingTier = &mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: "default-acnp-no-matching-tier", + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: "acnp-no-matching-tier", + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "somerandomtier", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + }, + } ) func init() { utilruntime.Must(mcsv1alpha1.AddToScheme(scheme)) + utilruntime.Must(v1alpha1.AddToScheme(scheme)) utilruntime.Must(k8smcsapi.AddToScheme(scheme)) utilruntime.Must(k8sscheme.AddToScheme(scheme)) } 
@@ -170,6 +239,68 @@ func TestResourceImportReconciler_handleCreateEvent(t *testing.T) { } } +func TestResourceImportReconciler_handleCopySpanACNPCreateEvent(t *testing.T) { + remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) + go remoteMgr.Start() + defer remoteMgr.Stop() + + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(securityOpsTier).Build() + fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(acnpResImport, acnpResImportNoMatchingTier).Build() + remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") + + tests := []struct { + name string + acnpImportName string + req ctrl.Request + expectedSuccess bool + }{ + { + name: "import ACNP of pre-defined tiers", + acnpImportName: acnpImportName, + req: acnpImpReq, + expectedSuccess: true, + }, + { + name: "import ACNP of non-existing tier", + acnpImportName: "acnp-no-matching-tier", + req: acnpImpNoMatchingTierReq, + expectedSuccess: false, + }, + } + r := NewResourceImportReconciler(fakeClient, scheme, fakeClient, remoteCluster) + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if _, err := r.Reconcile(ctx, tt.req); err != nil { + if err != nil { + t.Errorf("ResourceImport Reconciler should handle ACNP create event successfully but got error = %v", err) + } + } else { + acnp := &v1alpha1.ClusterNetworkPolicy{} + err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + tt.acnpImportName}, acnp) + if tt.expectedSuccess && err != nil { + t.Errorf("ResourceImport Reconciler should import an ACNP successfully but got error = %v", err) + } else if !tt.expectedSuccess && (err == nil || !apierrors.IsNotFound(err)) { + t.Errorf("ResourceImport Reconciler should not import an ACNP whose Tier does not exist in current cluster. Expected NotFound error. 
Actual err = %v", err) + } + acnpImport := &mcsv1alpha1.ACNPImport{} + if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: tt.acnpImportName}, acnpImport); err != nil { + t.Errorf("ResourceImport Reconciler should create ACNPImport for ACNP type resouc") + } + status := acnpImport.Status.Conditions + if len(status) > 0 && status[0].Type == mcsv1alpha1.ACNPImportRealizable { + if tt.expectedSuccess && status[0].Status != corev1.ConditionTrue { + t.Errorf("ACNPImport %v realizable status should be True but is %v instead", acnpImportName, status[0].Status) + } else if !tt.expectedSuccess && status[0].Status != corev1.ConditionFalse { + t.Errorf("ACNPImport %v realizable status should be False but is %v instead", acnpImportName, status[0].Status) + } + } else { + t.Errorf("No realizable status provided for ACNPImport %v", acnpImportName) + } + } + }) + } +} + func TestResourceImportReconciler_handleDeleteEvent(t *testing.T) { remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) go remoteMgr.Start() 
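Review bot: The three `t.Errorf` calls that check the Realizable condition print the package-level `acnpImportName` instead of `tt.acnpImportName`, so a failure in the "import ACNP of non-existing tier" subtest names the wrong object; use `tt.acnpImportName` in all three. The `if _, err := r.Reconcile(ctx, tt.req); err != nil { if err != nil {` at the top of the subtest is a redundant nested check and the inner `if` can go. The message `"ResourceImport Reconciler should create ACNPImport for ACNP type resouc"` is truncated and swallows the error; make it `t.Errorf("ResourceImport Reconciler should create ACNPImport for ACNP type ResourceImport but got error = %v", err)`.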
@@ -244,6 +375,42 @@ func TestResourceImportReconciler_handleDeleteEvent(t *testing.T) { } } +func TestResourceImportReconciler_handleCopySpanACNPDeleteEvent(t *testing.T) { + remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) + go remoteMgr.Start() + defer remoteMgr.Stop() + + existingACNP := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + acnpImportName, + }, + } + existingACNPImport := &mcsv1alpha1.ACNPImport{ + ObjectMeta: metav1.ObjectMeta{ + Name: acnpImportName, + }, + } + + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP, existingACNPImport).Build() + fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).Build() + remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") + + r := NewResourceImportReconciler(fakeClient, scheme, fakeClient, remoteCluster) + r.installedResImports.Add(*acnpResImport) + + if _, err := r.Reconcile(ctx, acnpImpReq); err != nil { + t.Errorf("ResourceImport Reconciler should handle ACNP ResourceImport delete event successfully but got error = %v", err) + } + acnp := &v1alpha1.ClusterNetworkPolicy{} + if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + acnpImportName}, acnp); !apierrors.IsNotFound(err) { + t.Errorf("ResourceImport Reconciler should delete ACNP successfully but got error = %v", err) + } + acnpImport := &mcsv1alpha1.ACNPImport{} + if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: acnpImportName}, acnpImport); !apierrors.IsNotFound(err) { + t.Errorf("ResourceImport Reconciler should delete ACNPImport successfully but got error = %v", err) + } +} + func TestResourceImportReconciler_handleUpdateEvent(t *testing.T) { remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) go remoteMgr.Start() 
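Review bot: `existingACNP` is seeded without the `common.AntreaMCACNPAnnotation` annotation that getMCAntreaClusterPolicy stamps on imported policies, and the test then expects it to be deleted, which pins down in a test that the delete handler removes whichever ACNP carries the `AntreaMCSPrefix` name regardless of whether the controller created it. If the handler is meant to own only imported policies, seed `Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}` here and have the handler leave an un-annotated ACNP alone; if deleting by name is intentional, a comment on this fixture saying so would stop the next reader from treating it as an oversight. The two `Get` checks also treat any non-NotFound error as "should delete ... but got error", which is fine, but an unrelated client error will be misreported as a deletion failure.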
@@ -491,3 +658,216 @@ func TestResourceImportReconciler_handleUpdateEvent(t *testing.T) { }) } } + +func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) { + remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) + go remoteMgr.Start() + defer remoteMgr.Stop() + + existingACNP1 := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + acnpImportName, + Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, + }, + Spec: v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + Ingress: []v1alpha1.Rule{ + { + Action: &allowAction, + 
From: []v1alpha1.NetworkPolicyPeer{ + { + Namespaces: &v1alpha1.PeerNamespaces{ + Match: v1alpha1.NamespaceMatchSelf, + }, + }, + }, + }, + }, + }, + } + existingACNPImport1 := &mcsv1alpha1.ACNPImport{ + ObjectMeta: metav1.ObjectMeta{ + Name: acnpImportName, + }, + Status: mcsv1alpha1.ACNPImportStatus{ + Conditions: []mcsv1alpha1.ACNPImportCondition{ + { + Type: mcsv1alpha1.ACNPImportRealizable, + Status: corev1.ConditionTrue, + }, + }, + }, + } + existingACNPImport2 := &mcsv1alpha1.ACNPImport{ + ObjectMeta: metav1.ObjectMeta{ + Name: "acnp-no-matching-tier", + }, + Status: mcsv1alpha1.ACNPImportStatus{ + Conditions: []mcsv1alpha1.ACNPImportCondition{ + { + Type: mcsv1alpha1.ACNPImportRealizable, + Status: corev1.ConditionFalse, + }, + }, + }, + } + updatedResImport2 := &mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: "default-acnp-no-matching-tier", + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: "acnp-no-matching-tier", + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + }, + } + existingACNP3 := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + "valid-updated-to-no-valid", + Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, + }, + Spec: v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + } + existingACNPImport3 := &mcsv1alpha1.ACNPImport{ + ObjectMeta: metav1.ObjectMeta{ + Name: "valid-updated-to-no-valid", + }, + Status: mcsv1alpha1.ACNPImportStatus{ + Conditions: []mcsv1alpha1.ACNPImportCondition{ + { + Type: mcsv1alpha1.ACNPImportRealizable, + Status: corev1.ConditionTrue, + }, + }, + }, + } + updatedResImport3 := 
&mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: "default-valid-updated-to-no-valid", + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: acnpImportName, + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "somerandomtier", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + }, + } + acnpImp3Req := ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: "default-valid-updated-to-no-valid", + }} + acnpImp4Req := ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: "default-name-conflict", + }} + existingACNP4 := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + "name-conflict", + }, + Spec: v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + } + + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP1, existingACNPImport1, existingACNPImport2, + existingACNP3, existingACNPImport3, existingACNP4, securityOpsTier).Build() + fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(acnpResImport, updatedResImport2, updatedResImport3).Build() + remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") + + r := NewResourceImportReconciler(fakeClient, scheme, fakeClient, remoteCluster) + r.installedResImports.Add(*acnpResImport) + r.installedResImports.Add(*acnpResImportNoMatchingTier) + r.installedResImports.Add(*updatedResImport3) + + tests := []struct { + name string + acnpImportName string + req ctrl.Request + expectErr bool + expectImportSuccess bool + expectedUpdatedACNPSpec *v1alpha1.ClusterNetworkPolicySpec + }{ + { + name: "update acnp spec", + 
acnpImportName: acnpImportName, + req: acnpImpReq, + expectErr: false, + expectImportSuccess: true, + expectedUpdatedACNPSpec: acnpResImport.Spec.ClusterNetworkPolicy, + }, + { + name: "imported acnp missing tier update to valid tier", + acnpImportName: "acnp-no-matching-tier", + req: acnpImpNoMatchingTierReq, + expectErr: false, + expectImportSuccess: true, + expectedUpdatedACNPSpec: updatedResImport2.Spec.ClusterNetworkPolicy, + }, + { + name: "valid imported acnp update to missing tier", + req: acnpImp3Req, + acnpImportName: "valid-updated-to-no-valid", + expectErr: false, + expectImportSuccess: false, + expectedUpdatedACNPSpec: nil, + }, + { + name: "name conflict with existing acnp", + req: acnpImp4Req, + acnpImportName: "name-conflict", + expectErr: true, + expectImportSuccess: false, + expectedUpdatedACNPSpec: nil, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if _, err := r.Reconcile(ctx, tt.req); err != nil { + if tt.expectErr { + assert.Contains(t, err.Error(), "conflicts with existing one") + } else { + t.Errorf("ResourceImport Reconciler should handle update event successfully but got error = %v", err) + } + } else { + if tt.expectedUpdatedACNPSpec != nil { + acnp := &v1alpha1.ClusterNetworkPolicy{} + err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + tt.acnpImportName}, acnp) + if tt.expectImportSuccess && err != nil { + t.Errorf("ResourceImport Reconciler should import an ACNP successfully but got error = %v", err) + } else if !tt.expectImportSuccess && (err == nil || !apierrors.IsNotFound(err)) { + t.Errorf("ResourceImport Reconciler should not import an ACNP whose Tier does not exist in current cluster. Expected NotFound error. Actual err = %v", err) + } else if !reflect.DeepEqual(acnp.Spec, *tt.expectedUpdatedACNPSpec) { + t.Errorf("ACNP spec was not updated successfully") + } + } + } + }) + } +} 
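Review bot: The "valid imported acnp update to missing tier" and "name conflict with existing acnp" cases set `expectedUpdatedACNPSpec: nil`, so when Reconcile returns no error the subtest body asserts nothing — neither that the previously imported ACNP was removed nor that the ACNPImport condition flipped to False. That silence also hides that `updatedResImport3.Spec.Name` is `acnpImportName` ("acnp-for-isolation") while its ResourceImport name, `existingACNP3` and `existingACNPImport3` all use "valid-updated-to-no-valid", so the fixture does not target the policy it appears to; set `Name: "valid-updated-to-no-valid",` in updatedResImport3 and, when `!tt.expectImportSuccess`, Get the ACNP and ACNPImport and assert NotFound and `corev1.ConditionFalse` respectively, mirroring the create-event test.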
diff --git a/multicluster/controllers/multicluster/resourceexport_controller.go b/multicluster/controllers/multicluster/resourceexport_controller.go index af5cb422e93..6f4cdb708d1 100644 --- a/multicluster/controllers/multicluster/resourceexport_controller.go +++ b/multicluster/controllers/multicluster/resourceexport_controller.go @@ -79,7 +79,7 @@ func NewResourceExportReconciler( // For more details, check Reconcile and its Result here: // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.8.3/pkg/reconcile func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { - klog.V(2).InfoS("reconciling ResourceExport", "resourceexport", req.NamespacedName) + klog.InfoS("reconciling ResourceExport", "resourceexport", req.NamespacedName) var resExport mcsv1alpha1.ResourceExport if err := r.Client.Get(ctx, req.NamespacedName, &resExport); err != nil { return ctrl.Result{}, client.IgnoreNotFound(err) @@ -92,6 +92,7 @@ func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Reque // More details about using Finalizers, please refer to https://book.kubebuilder.io/reference/using-finalizers.html. if !resExport.DeletionTimestamp.IsZero() { if common.StringExistsInSlice(resExport.Finalizers, common.ResourceExportFinalizer) { + klog.Info("There are finalizers, handling delete event") err := r.handleDeleteEvent(ctx, &resExport) if err != nil { return ctrl.Result{}, err @@ -102,10 +103,11 @@ func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Reque } return ctrl.Result{}, nil } + klog.Info("There are no finalizers, returning") return ctrl.Result{}, nil } - createResImport, existResImport, err := r.getExistingResImport(ctx, resExport) + createResImport, existingResImport, err := r.getExistingResImport(ctx, resExport) if err != nil { return ctrl.Result{}, err } 
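Review bot: `klog.InfoS("reconciling ResourceExport", ...)` loses its V(2) guard, and the new `klog.Info("There are finalizers, handling delete event")` / `klog.Info("There are no finalizers, returning")` lines — plus `klog.Infof("There is resImport to delete named %s", resImportName)` in the handleDeleteEvent hunk below — now log at default verbosity on every reconcile, unstructured and without the `resourceexport` key the rest of the file attaches. They read like leftover debugging; keep them as `klog.V(2).InfoS("...", "resourceexport", req.NamespacedName)` so they are filterable and structured, or drop them. Reconcile's body continues past this hunk.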
@@ -114,9 +116,11 @@ func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Reque resImport := &mcsv1alpha1.ResourceImport{} switch resExport.Spec.Kind { case common.ServiceKind: - resImport, changed, err = r.refreshServiceResourceImport(&resExport, existResImport, createResImport) + resImport, changed, err = r.refreshServiceResourceImport(&resExport, existingResImport, createResImport) case common.EndpointsKind: - resImport, changed, err = r.refreshEndpointsResourceImport(&resExport, existResImport, createResImport) + resImport, changed, err = r.refreshEndpointsResourceImport(&resExport, existingResImport, createResImport) + case common.AntreaClusterNetworkPolicyKind: + resImport, changed, err = r.refreshACNPResourceImport(&resExport, existingResImport, createResImport) } if err != nil { r.updateResourceExportStatus(&resExport, failed) @@ -203,6 +207,7 @@ func (r *ResourceExportReconciler) handleDeleteEvent(ctx context.Context, resExp return err } resImportName := GetResourceImportName(resExport) + klog.Infof("There is resImport to delete named %s", resImportName) undeleteItems := RemoveDeletedResourceExports(reList.Items) if len(undeleteItems) == 0 { 
@@ -379,6 +384,32 @@ func (r *ResourceExportReconciler) refreshEndpointsResourceImport( return newResImport, true, nil } +func (r *ResourceExportReconciler) refreshACNPResourceImport( + resExport *mcsv1alpha1.ResourceExport, + resImport *mcsv1alpha1.ResourceImport, + createResImport bool) (*mcsv1alpha1.ResourceImport, bool, error) { + newResImport := resImport.DeepCopy() + newResImport.Spec.Name = resExport.Spec.Name + newResImport.Spec.Namespace = resExport.Spec.Namespace + newResImport.Spec.Kind = common.AntreaClusterNetworkPolicyKind + if createResImport { + newResImport.Spec.ClusterNetworkPolicy = resExport.Spec.ClusterNetworkPolicy + return newResImport, true, nil + } + if !apiequality.Semantic.DeepEqual(resExport.Spec.ClusterNetworkPolicy, resImport.Spec.ClusterNetworkPolicy) { + undeletedItems, err := r.getNotDeletedResourceExports(resExport) + if err != nil { + klog.ErrorS(err, "failed to list ResourceExports for ACNP, retry later") + return newResImport, false, err + } + if len(undeletedItems) == 1 && undeletedItems[0].Name == resExport.Name && undeletedItems[0].Namespace == resExport.Namespace { + newResImport.Spec.ClusterNetworkPolicy = resExport.Spec.ClusterNetworkPolicy + return newResImport, true, nil + } + } + return newResImport, false, nil +} + func (r *ResourceExportReconciler) getNotDeletedResourceExports(resExport *mcsv1alpha1.ResourceExport) ([]mcsv1alpha1.ResourceExport, error) { reList := &mcsv1alpha1.ResourceExportList{} err := r.Client.List(context.TODO(), reList, &client.ListOptions{ 
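Review bot: When the exported spec differs from the existing import but more than one live ResourceExport shares the name, refreshACNPResourceImport returns `newResImport, false, nil` — the divergence is dropped with no error, no log and no status update, so two member clusters exporting different policies under one name never learn that only the first one is realized. At minimum log it, e.g. `klog.InfoS("ACNP ResourceExport spec differs from ResourceImport owned by another export, skipping", "resourceexport", klog.KObj(resExport))`, and consider surfacing it through updateResourceExportStatus as the caller already does for errors. `newResImport.Spec.Namespace = resExport.Spec.Namespace` presumably stays empty for a cluster-scoped ACNP, and GetResourceImportName branches on exactly that field, so a short comment stating the expectation would help.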
@@ -461,9 +492,15 @@ func SvcPortsConverter(svcPort []corev1.ServicePort) []mcs.ServicePort { } func GetResourceImportName(resExport *mcsv1alpha1.ResourceExport) types.NamespacedName { + if resExport.Spec.Namespace != "" { + return types.NamespacedName{ + Namespace: resExport.Namespace, + Name: resExport.Spec.Namespace + "-" + resExport.Spec.Name + "-" + strings.ToLower(resExport.Spec.Kind), + } + } return types.NamespacedName{ Namespace: resExport.Namespace, - Name: resExport.Spec.Namespace + "-" + resExport.Spec.Name + "-" + strings.ToLower(resExport.Spec.Kind), + Name: resExport.Spec.Name + "-" + strings.ToLower(resExport.Spec.Kind), } } diff --git a/multicluster/controllers/multicluster/resourceexport_controller_test.go b/multicluster/controllers/multicluster/resourceexport_controller_test.go index ba8c20af1b0..428d162b90b 100644 --- a/multicluster/controllers/multicluster/resourceexport_controller_test.go +++ b/multicluster/controllers/multicluster/resourceexport_controller_test.go @@ -31,11 +31,13 @@ import ( mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" "antrea.io/antrea/multicluster/controllers/multicluster/common" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) var ( - now = metav1.Now() - svcLabels = map[string]string{ + now = metav1.Now() + dropAction = v1alpha1.RuleActionDrop + svcLabels = map[string]string{ common.SourceNamespace: "default", common.SourceName: "nginx", common.SourceKind: "Service", @@ -54,6 +56,29 @@ var ( Namespace: "default", Name: "cluster-a-default-nginx-endpoints", }} + acnpResReq = ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: "default", + Name: "test-acnp-export", + }} + isolationACNPSpec = &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + Ingress: []v1alpha1.Rule{ + { + Action: &dropAction, + 
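Review bot: The new cluster-scoped branch derives the ResourceImport name as `Spec.Name + "-" + kind`, which can collide with the namespaced form `Spec.Namespace + "-" + Spec.Name + "-" + kind` whenever a cluster-scoped export's `Spec.Name` equals `<ns>-<name>` of a namespaced export of the same kind; today the kind suffix appears to keep ACNP and Service/Endpoints names apart, but that holds only as long as no kind is exported in both scopes. Since `Spec.Name` is chosen by a member cluster, a doc comment should make the scheme and that assumption explicit, e.g. `// GetResourceImportName derives the leader-side ResourceImport name: <ns>-<name>-<kind> for namespaced exports, <name>-<kind> for cluster-scoped ones; the kind suffix is what keeps the two forms from colliding.`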
From: []v1alpha1.NetworkPolicyPeer{ + { + Namespaces: &v1alpha1.PeerNamespaces{ + Match: v1alpha1.NamespaceMatchSelf, + }, + }, + }, + }, + }, + } ) func TestResourceExportReconciler_handleServiceExportDeleteEvent(t *testing.T) { @@ -261,6 +286,40 @@ func TestResourceExportReconciler_handleEndpointExportCreateEvent(t *testing.T) } } +func TestResourceExportReconciler_handleACNPExportCreateEvent(t *testing.T) { + existingResExport := &mcsv1alpha1.ResourceExport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "default", + Name: "test-acnp-export", + Finalizers: []string{common.ResourceExportFinalizer}, + }, + Spec: mcsv1alpha1.ResourceExportSpec{ + Name: "test-acnp", + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: isolationACNPSpec, + }, + } + expectedImportSpec := mcsv1alpha1.ResourceImportSpec{ + Name: "test-acnp", + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: isolationACNPSpec, + } + namespacedName := GetResourceImportName(existingResExport) + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingResExport).Build() + r := NewResourceExportReconciler(fakeClient, scheme) + if _, err := r.Reconcile(ctx, acnpResReq); err != nil { + t.Errorf("ResourceExport Reconciler should handle ACNP ResourceExport create event successfully but got error = %v", err) + } else { + resImport := &mcsv1alpha1.ResourceImport{} + err := fakeClient.Get(ctx, namespacedName, resImport) + if err != nil { + t.Errorf("failed to get ResourceImport, got error = %v", err) + } else if !reflect.DeepEqual(resImport.Spec, expectedImportSpec) { + t.Errorf("expected ResourceImport Spec %v, but got %v", expectedImportSpec, resImport.Spec) + } + } +} + var ( newResExport = &mcsv1alpha1.ResourceExport{ ObjectMeta: metav1.ObjectMeta{ 
diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go new file mode 100644 index 00000000000..c5359933c4b --- /dev/null +++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go 
@@ -0,0 +1,183 @@ +/* +Copyright 2021 Antrea Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" + scheme "antrea.io/antrea/multicluster/pkg/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// ACNPImportsGetter has a method to return a ACNPImportInterface. +// A group's client should implement this interface. +type ACNPImportsGetter interface { + ACNPImports() ACNPImportInterface +} + +// ACNPImportInterface has methods to work with ACNPImport resources. 
+type ACNPImportInterface interface { + Create(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.CreateOptions) (*v1alpha1.ACNPImport, error) + Update(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (*v1alpha1.ACNPImport, error) + UpdateStatus(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (*v1alpha1.ACNPImport, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.ACNPImport, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.ACNPImportList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ACNPImport, err error) + ACNPImportExpansion +} + +// aCNPImports implements ACNPImportInterface +type aCNPImports struct { + client rest.Interface +} + +// newACNPImports returns a ACNPImports +func newACNPImports(c *MulticlusterV1alpha1Client) *aCNPImports { + return &aCNPImports{ + client: c.RESTClient(), + } +} + +// Get takes name of the aCNPImport, and returns the corresponding aCNPImport object, and an error if there is any. +func (c *aCNPImports) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ACNPImport, err error) { + result = &v1alpha1.ACNPImport{} + err = c.client.Get(). + Resource("acnpimports"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of ACNPImports that match those selectors. 
+func (c *aCNPImports) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ACNPImportList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.ACNPImportList{} + err = c.client.Get(). + Resource("acnpimports"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested aCNPImports. +func (c *aCNPImports) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Resource("acnpimports"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a aCNPImport and creates it. Returns the server's representation of the aCNPImport, and an error, if there is any. +func (c *aCNPImports) Create(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.CreateOptions) (result *v1alpha1.ACNPImport, err error) { + result = &v1alpha1.ACNPImport{} + err = c.client.Post(). + Resource("acnpimports"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(aCNPImport). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a aCNPImport and updates it. Returns the server's representation of the aCNPImport, and an error, if there is any. +func (c *aCNPImports) Update(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (result *v1alpha1.ACNPImport, err error) { + result = &v1alpha1.ACNPImport{} + err = c.client.Put(). + Resource("acnpimports"). + Name(aCNPImport.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(aCNPImport). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. 
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *aCNPImports) UpdateStatus(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (result *v1alpha1.ACNPImport, err error) { + result = &v1alpha1.ACNPImport{} + err = c.client.Put(). + Resource("acnpimports"). + Name(aCNPImport.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(aCNPImport). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the aCNPImport and deletes it. Returns an error if one occurs. +func (c *aCNPImports) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Resource("acnpimports"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *aCNPImports) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Resource("acnpimports"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched aCNPImport. +func (c *aCNPImports) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ACNPImport, err error) { + result = &v1alpha1.ACNPImport{} + err = c.client.Patch(pt). + Resource("acnpimports"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} 
diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go new file mode 100644 index 00000000000..5af9bd4660f --- /dev/null +++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go 
@@ -0,0 +1,132 @@ +/* +Copyright 2021 Antrea Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeACNPImports implements ACNPImportInterface +type FakeACNPImports struct { + Fake *FakeMulticlusterV1alpha1 +} + +var acnpimportsResource = schema.GroupVersionResource{Group: "multicluster.crd.antrea.io", Version: "v1alpha1", Resource: "acnpimports"} + +var acnpimportsKind = schema.GroupVersionKind{Group: "multicluster.crd.antrea.io", Version: "v1alpha1", Kind: "ACNPImport"} + +// Get takes name of the aCNPImport, and returns the corresponding aCNPImport object, and an error if there is any. +func (c *FakeACNPImports) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ACNPImport, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootGetAction(acnpimportsResource, name), &v1alpha1.ACNPImport{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ACNPImport), err +} + +// List takes label and field selectors, and returns the list of ACNPImports that match those selectors. 
+func (c *FakeACNPImports) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ACNPImportList, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootListAction(acnpimportsResource, acnpimportsKind, opts), &v1alpha1.ACNPImportList{}) + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.ACNPImportList{ListMeta: obj.(*v1alpha1.ACNPImportList).ListMeta} + for _, item := range obj.(*v1alpha1.ACNPImportList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested aCNPImports. +func (c *FakeACNPImports) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewRootWatchAction(acnpimportsResource, opts)) +} + +// Create takes the representation of a aCNPImport and creates it. Returns the server's representation of the aCNPImport, and an error, if there is any. +func (c *FakeACNPImports) Create(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.CreateOptions) (result *v1alpha1.ACNPImport, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootCreateAction(acnpimportsResource, aCNPImport), &v1alpha1.ACNPImport{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ACNPImport), err +} + +// Update takes the representation of a aCNPImport and updates it. Returns the server's representation of the aCNPImport, and an error, if there is any. +func (c *FakeACNPImports) Update(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (result *v1alpha1.ACNPImport, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewRootUpdateAction(acnpimportsResource, aCNPImport), &v1alpha1.ACNPImport{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ACNPImport), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeACNPImports) UpdateStatus(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (*v1alpha1.ACNPImport, error) { + obj, err := c.Fake. + Invokes(testing.NewRootUpdateSubresourceAction(acnpimportsResource, "status", aCNPImport), &v1alpha1.ACNPImport{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ACNPImport), err +} + +// Delete takes name of the aCNPImport and deletes it. Returns an error if one occurs. +func (c *FakeACNPImports) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewRootDeleteAction(acnpimportsResource, name), &v1alpha1.ACNPImport{}) + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeACNPImports) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewRootDeleteCollectionAction(acnpimportsResource, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.ACNPImportList{}) + return err +} + +// Patch applies the patch and returns the patched aCNPImport. +func (c *FakeACNPImports) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ACNPImport, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootPatchSubresourceAction(acnpimportsResource, name, pt, data, subresources...), &v1alpha1.ACNPImport{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ACNPImport), err +} 
diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go index 30ac2ac7dae..12b08f2e009 100644 --- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go +++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go @@ -27,6 +27,10 @@ type FakeMulticlusterV1alpha1 struct { *testing.Fake } +func (c *FakeMulticlusterV1alpha1) ACNPImports() v1alpha1.ACNPImportInterface { + return &FakeACNPImports{c} +} + func (c *FakeMulticlusterV1alpha1) ClusterClaims(namespace string) v1alpha1.ClusterClaimInterface { return &FakeClusterClaims{c, namespace} } diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go index f666a0a8999..415b34aa575 100644 --- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go +++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go @@ -17,6 +17,8 @@ limitations under the License. package v1alpha1 +type ACNPImportExpansion interface{} + type ClusterClaimExpansion interface{} type ClusterSetExpansion interface{} diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go index e3b1c38e45f..5985172b310 100644 --- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go +++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go 
@@ -25,6 +25,7 @@ import ( type MulticlusterV1alpha1Interface interface { RESTClient() rest.Interface + ACNPImportsGetter ClusterClaimsGetter ClusterSetsGetter MemberClusterAnnouncesGetter @@ -39,6 +40,10 @@ type MulticlusterV1alpha1Client struct { restClient rest.Interface } +func (c *MulticlusterV1alpha1Client) ACNPImports() ACNPImportInterface { + return newACNPImports(c) +} + func (c *MulticlusterV1alpha1Client) ClusterClaims(namespace string) ClusterClaimInterface { return newClusterClaims(c, namespace) } diff --git a/multicluster/pkg/client/informers/externalversions/generic.go b/multicluster/pkg/client/informers/externalversions/generic.go index 838bedf070a..f294fc5d9f9 100644 --- a/multicluster/pkg/client/informers/externalversions/generic.go +++ b/multicluster/pkg/client/informers/externalversions/generic.go @@ -52,6 +52,8 @@ func (f *genericInformer) Lister() cache.GenericLister { func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) { switch resource { // Group=multicluster.crd.antrea.io, Version=v1alpha1 + case v1alpha1.SchemeGroupVersion.WithResource("acnpimports"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Multicluster().V1alpha1().ACNPImports().Informer()}, nil case v1alpha1.SchemeGroupVersion.WithResource("clusterclaims"): return &genericInformer{resource: resource.GroupResource(), informer: f.Multicluster().V1alpha1().ClusterClaims().Informer()}, nil case v1alpha1.SchemeGroupVersion.WithResource("clustersets"): diff --git a/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go b/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go new file mode 100644 index 00000000000..7d04a5f024f --- /dev/null +++ b/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go 
@@ -0,0 +1,88 @@ +/* +Copyright 2021 Antrea Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + multiclusterv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" + versioned "antrea.io/antrea/multicluster/pkg/client/clientset/versioned" + internalinterfaces "antrea.io/antrea/multicluster/pkg/client/informers/externalversions/internalinterfaces" + v1alpha1 "antrea.io/antrea/multicluster/pkg/client/listers/multicluster/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// ACNPImportInformer provides access to a shared informer and lister for +// ACNPImports. +type ACNPImportInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.ACNPImportLister +} + +type aCNPImportInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// NewACNPImportInformer constructs a new informer for ACNPImport type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewACNPImportInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredACNPImportInformer(client, resyncPeriod, indexers, nil) +} + +// NewFilteredACNPImportInformer constructs a new informer for ACNPImport type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredACNPImportInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.MulticlusterV1alpha1().ACNPImports().List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.MulticlusterV1alpha1().ACNPImports().Watch(context.TODO(), options) + }, + }, + &multiclusterv1alpha1.ACNPImport{}, + resyncPeriod, + indexers, + ) +} + +func (f *aCNPImportInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredACNPImportInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *aCNPImportInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&multiclusterv1alpha1.ACNPImport{}, f.defaultInformer) +} + +func (f *aCNPImportInformer) Lister() v1alpha1.ACNPImportLister { + return v1alpha1.NewACNPImportLister(f.Informer().GetIndexer()) +} 
diff --git a/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go b/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go index ff4c3100c97..3752d69c273 100644 --- a/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go +++ b/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go @@ -23,6 +23,8 @@ import ( // Interface provides access to all the informers in this group version. type Interface interface { + // ACNPImports returns a ACNPImportInformer. + ACNPImports() ACNPImportInformer // ClusterClaims returns a ClusterClaimInformer. ClusterClaims() ClusterClaimInformer // ClusterSets returns a ClusterSetInformer. @@ -50,6 +52,11 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} } +// ACNPImports returns a ACNPImportInformer. +func (v *version) ACNPImports() ACNPImportInformer { + return &aCNPImportInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} +} + // ClusterClaims returns a ClusterClaimInformer. func (v *version) ClusterClaims() ClusterClaimInformer { return &clusterClaimInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go b/multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go new file mode 100644 index 00000000000..0c8602e79de --- /dev/null +++ b/multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go 
@@ -0,0 +1,67 @@ +/* +Copyright 2021 Antrea Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// ACNPImportLister helps list ACNPImports. +// All objects returned here must be treated as read-only. +type ACNPImportLister interface { + // List lists all ACNPImports in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.ACNPImport, err error) + // Get retrieves the ACNPImport from the index for a given name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.ACNPImport, error) + ACNPImportListerExpansion +} + +// aCNPImportLister implements the ACNPImportLister interface. +type aCNPImportLister struct { + indexer cache.Indexer +} + +// NewACNPImportLister returns a new ACNPImportLister. +func NewACNPImportLister(indexer cache.Indexer) ACNPImportLister { + return &aCNPImportLister{indexer: indexer} +} + +// List lists all ACNPImports in the indexer. 
+func (s *aCNPImportLister) List(selector labels.Selector) (ret []*v1alpha1.ACNPImport, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.ACNPImport)) + }) + return ret, err +} + +// Get retrieves the ACNPImport from the index for a given name. +func (s *aCNPImportLister) Get(name string) (*v1alpha1.ACNPImport, error) { + obj, exists, err := s.indexer.GetByKey(name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("acnpimport"), name) + } + return obj.(*v1alpha1.ACNPImport), nil +} diff --git a/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go b/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go index 80cd468ef4e..1bad923a226 100644 --- a/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go +++ b/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go @@ -17,6 +17,10 @@ limitations under the License. package v1alpha1 +// ACNPImportListerExpansion allows custom methods to be added to +// ACNPImportLister. +type ACNPImportListerExpansion interface{} + // ClusterClaimListerExpansion allows custom methods to be added to // ClusterClaimLister. type ClusterClaimListerExpansion interface{} diff --git a/pkg/apis/crd/v1alpha1/types.go b/pkg/apis/crd/v1alpha1/types.go index e72ef932acc..c5eea604dbe 100644 --- a/pkg/apis/crd/v1alpha1/types.go +++ b/pkg/apis/crd/v1alpha1/types.go 
@@ -314,12 +314,12 @@ type NetworkPolicySpec struct {
 // Currently Ingress rule supports setting the `From` field but not the `To`
 // field within a Rule.
 // +optional
- Ingress []Rule `json:"ingress"`
+ Ingress []Rule `json:"ingress,omitempty"`
 // Set of egress rules evaluated based on the order in which they are set.
 // Currently Egress rule supports setting the `To` field but not the `From`
 // field within a Rule.
 // +optional
- Egress []Rule `json:"egress"`
+ Egress []Rule `json:"egress,omitempty"`
 }
 
 // NetworkPolicyPhase defines the phase in which a NetworkPolicy is.
@@ -360,12 +360,12 @@ type Rule struct {
 // Rule is matched if traffic originates from workloads selected by
 // this field. If this field is empty, this rule matches all sources.
 // +optional
- From []NetworkPolicyPeer `json:"from"`
+ From []NetworkPolicyPeer `json:"from,omitempty"`
 // Rule is matched if traffic is intended for workloads selected by
 // this field. This field can't be used with ToServices. If this field
 // and ToServices are both empty or missing this rule matches all destinations.
 // +optional
- To []NetworkPolicyPeer `json:"to"`
+ To []NetworkPolicyPeer `json:"to,omitempty"`
 // Rule is matched if traffic is intended for a Service listed in this field.
 // Currently only ClusterIP types Services are supported in this field. This field
 // can only be used when AntreaProxy is enabled. This field can't be used with To
@@ -376,9 +376,10 @@ type Rule struct {
 // Name describes the intention of this rule.
 // Name should be unique within the policy.
 // +optional
- Name string `json:"name"`
+ Name string `json:"name,omitempty"`
 // EnableLogging is used to indicate if agent should generate logs
 // when rules are matched. Should be default to false.
+ // +optional
 EnableLogging bool `json:"enableLogging"`
 // Select workloads on which this rule will be applied to. Cannot be set in
 // conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo.
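Review bot: The `omitempty` tags added to `Ingress`, `Egress`, `From`, `To` and `Name` change the serialized form of every Antrea-native policy (a nil slice now drops the key instead of emitting `null`), but nothing in the hunk records why, and the field docs still read as if the key is always present. Presumably this is so a spec copied into a ResourceExport/ResourceImport validates against the generated CRD schema; that deserves a line next to the tags, e.g. `// omitempty: a nil slice must not serialize as null when this spec is embedded in multi-cluster resources`. Because an absent `from`/`to` is documented as matching all sources/destinations, anyone auditing an exported or imported policy must read a missing key as "allow all peers", not "not yet set"; a sentence saying so in the `From`/`To` docs would prevent that misreading. Note that `EnableLogging` gains `+optional` but keeps `json:"enableLogging"`, so `false` is still always emitted, which is consistent with the "default to false" comment. The enclosing `NetworkPolicySpec` and `Rule` types start and end outside these hunks.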
@@ -541,12 +541,12 @@ type ClusterNetworkPolicySpec struct {
 // Currently Ingress rule supports setting the `From` field but not the `To`
 // field within a Rule.
 // +optional
- Ingress []Rule `json:"ingress"`
+ Ingress []Rule `json:"ingress,omitempty"`
 // Set of egress rules evaluated based on the order in which they are set.
 // Currently Egress rule supports setting the `To` field but not the `From`
 // field within a Rule.
 // +optional
- Egress []Rule `json:"egress"`
+ Egress []Rule `json:"egress,omitempty"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object