diff --git a/ci/jenkins/test-mc.sh b/ci/jenkins/test-mc.sh index a6eca62a516..c6400e787d2 100755 --- a/ci/jenkins/test-mc.sh +++ b/ci/jenkins/test-mc.sh @@ -138,7 +138,7 @@ function cleanup_multicluster_antrea { function clean_multicluster { echo "====== Cleanup Multicluster Antrea Installation in clusters ======" - for kubeconfig in ${multicluster_kubeconfigs[@]} + for kubeconfig in "${multicluster_kubeconfigs[@]}" do cleanup_multicluster_ns "antrea-multicluster-test" $kubeconfig cleanup_multicluster_ns "antrea-mcs-ns" $kubeconfig @@ -174,7 +174,7 @@ function wait_for_multicluster_controller_ready { sed -i 's/antrea-mcs-ns/kube-system/g' ./multicluster/test/yamls/leader-access-token.yml echo "type: Opaque" >>./multicluster/test/yamls/leader-access-token.yml - for config in ${membercluter_kubeconfigs[@]}; + for config in "${membercluter_kubeconfigs[@]}"; do kubectl apply -f ./multicluster/build/yamls/antrea-multicluster-member.yml ${config} kubectl rollout status deployment/antrea-mc-controller -n kube-system ${config} @@ -203,7 +203,7 @@ function deliver_antrea_multicluster { docker save -o ${WORKDIR}/antrea-ubuntu.tar $DOCKER_REGISTRY/antrea/antrea-ubuntu:latest - for kubeconfig in ${multicluster_kubeconfigs[@]} + for kubeconfig in "${multicluster_kubeconfigs[@]}" do kubectl get nodes -o wide --no-headers=true ${kubeconfig}| awk '{print $6}' | while read IP; do rsync -avr --progress --inplace -e "ssh -o StrictHostKeyChecking=no" "${WORKDIR}"/antrea-ubuntu.tar jenkins@[${IP}]:${WORKDIR}/antrea-ubuntu.tar 
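Review bot: Quoting the array expansion fixes only half of the word-splitting problem in this hunk: the loop variable is still expanded unquoted two lines later, `cleanup_multicluster_ns "antrea-multicluster-test" $kubeconfig`, and the same pattern remains in the -174 hunk (`${config}` on both kubectl lines) and in the `kubectl get nodes ... ${kubeconfig}` line of the -203 hunk, while the -225 and -265 hunks already quote it. An element containing whitespace would still be split after this change, so quoting the loop variable everywhere, e.g. `cleanup_multicluster_ns "antrea-multicluster-test" "$kubeconfig"`, keeps the fix consistent across the file. The `while read IP` loop in the -203 hunk should also use `read -r`, and its rsync line passes `-o StrictHostKeyChecking=no`, which accepts any host key presented for the Jenkins workers; a pre-populated known_hosts file for the CI hosts would let that option be dropped without breaking the pipeline. The enclosing functions (`clean_multicluster`, `wait_for_multicluster_controller_ready`, `deliver_antrea_multicluster`) start or continue outside the hunks.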
@@ -225,7 +225,7 @@ function deliver_multicluster_controller { docker save antrea/antrea-mc-controller:latest -o "${WORKDIR}"/antrea-mcs.tar ./multicluster/hack/generate-manifest.sh -l antrea-mcs-ns >./multicluster/test/yamls/manifest.yml - for kubeconfig in ${multicluster_kubeconfigs[@]} + for kubeconfig in "${multicluster_kubeconfigs[@]}" do kubectl get nodes -o wide --no-headers=true "${kubeconfig}"| awk '{print $6}' | while read IP; do rsync -avr --progress --inplace -e "ssh -o StrictHostKeyChecking=no" "${WORKDIR}"/antrea-mcs.tar jenkins@[${IP}]:${WORKDIR}/antrea-mcs.tar @@ -237,7 +237,7 @@ function deliver_multicluster_controller { sed -i "s||${leader_ip}|" ./multicluster/test/yamls/east-member-cluster.yml sed -i "s||${leader_ip}|" ./multicluster/test/yamls/west-member-cluster.yml - for kubeconfig in ${membercluter_kubeconfigs[@]} + for kubeconfig in "${membercluter_kubeconfigs[@]}" do ip=$(kubectl get nodes -o wide --no-headers=true ${EAST_CLUSTER_CONFIG} | awk -v role="$CONTROL_PLANE_NODE_ROLE" '$3 == role {print $6}') rsync -avr --progress --inplace -e "ssh -o StrictHostKeyChecking=no" ./multicluster/test/yamls/test-east-serviceexport.yml jenkins@[${ip}]:${WORKDIR}/serviceexport.yml @@ -265,7 +265,7 @@ function run_multicluster_e2e { docker tag "${DOCKER_REGISTRY}/antrea/agnhost:2.26" "agnhost:2.26" docker save agnhost:2.26 -o "${WORKDIR}"/agnhost.tar - for kubeconfig in ${membercluter_kubeconfigs[@]} + for kubeconfig in "${membercluter_kubeconfigs[@]}" do kubectl get nodes -o wide --no-headers=true "${kubeconfig}"| awk '{print $6}' | while read IP; do rsync -avr --progress --inplace -e "ssh -o StrictHostKeyChecking=no" "${WORKDIR}"/nginx.tar jenkins@["${IP}"]:"${WORKDIR}"/nginx.tar diff --git a/docs/multicluster/architecture.md b/docs/multicluster/architecture.md index 0dc7869288f..dee62cea984 100644 --- a/docs/multicluster/architecture.md +++ b/docs/multicluster/architecture.md 
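Review bot: In the -237 hunk the loop now iterates `"${membercluter_kubeconfigs[@]}"`, but the only kubeconfig used in the visible body is the hard-coded `${EAST_CLUSTER_CONFIG}` on the `ip=$(kubectl get nodes ...)` line, so within the hunk `$kubeconfig` is never read. If the rest of the loop body (outside the hunk) does not consume it either, the east ServiceExport manifest is pushed to the same east control-plane node once per member cluster. Either a comment explaining why the east cluster is queried on every iteration, or `${kubeconfig}` in place of `${EAST_CLUSTER_CONFIG}` if that was the intent, would resolve the ambiguity. `deliver_multicluster_controller` continues outside the hunk.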
@@ -26,7 +26,8 @@ The MemberClusterAnnounce CRD declares a member cluster configuration to the lea The Common Area is an abstraction in the Antrea Multi-cluster implementation provides a storage interface for resource export/import that can be read/written by all member and leader clusters -in the ClusterSet. The Common Area is implemented with a Namespace in the leader cluster +in the ClusterSet. The Common Area is implemented with a Namespace in the leader cluster for a +given ClusterSet. ## Antrea Multi-cluster Controller @@ -88,3 +89,17 @@ The Service Ports definition will be the same as exported Services, the Endpoint IPs from all member clusters. The new created Antrea Multi-cluster Service is just like a regular Kubernetes Service, so Pods in a member cluster can access the multi-cluster Service as usual without any extra setting. + +## Antrea Multi-cluster policy enforcement + +At this moment, Antrea does not support Pod-level policy enforcement for cross-cluster traffic. Access +towards Multi-cluster Services can be regulated with Antrea ClusterNetworkPolicy `toService` rules. In +each member cluster, users can create an Antrea ClusterNetworkPolicy selecting Pods in that cluster, with +the imported Mutli-cluster Service name and Namespace in an egress `toService` rule, and the Action to +take for traffic matching this rule. For more information regarding Antrea ClusterNetworkPolicy (ACNP), +refer to [this document](../antrea-network-policy.md). + +Multi-cluster admins can also specify certain ClusterNetworkPolicies to be replicated across the entire +ClusterSet. The ACNP to be replicated should be created as a ResourceExport in the leader cluster, and +the resource export/import pipeline will ensure member clusters receive this ACNP spec to be replicated. +Each member cluster's Multi-cluster Controller will then create an ACNP in their respective clusters. 
diff --git a/docs/multicluster/getting-started.md b/docs/multicluster/getting-started.md
index 87081a2e284..d9d42cf9b12 100644
--- a/docs/multicluster/getting-started.md
+++ b/docs/multicluster/getting-started.md
@@ -412,6 +412,91 @@ ResourceExport into the corresponding ResourceImport until users correct it. due to forementioned mismatch issue, Antrea Multi-cluster Controller will also skip converging the corresponding Endpoints ResourceExport until users correct it. +## Multi-cluster ClusterNetworkPolicy Replication + +Since Antrea v1.6.0, Multi-cluster admins can specify certain ClusterNetworkPolicies to be replicated +across the entire ClusterSet. This is especially useful for ClusterSet admins who want all clusters in +the ClusterSet to be applied with a consistent security posture (for example, all Namespaces in all +clusters can only communicate with Pods in their own namespaces). For more information regarding +Antrea ClusterNetworkPolicy (ACNP), refer to [this document](../antrea-network-policy.md). + +To achieve such ACNP replication across clusters, admins can, in the acting leader cluster of a +Multi-cluster deployment, create a ResourceExport of kind `AntreaClusterNetworkPolicy` which contains +the ClusterNetworkPolicy spec they wish to be replicated. The ResourceExport should be created in the +Namespace which implements the Common Area of the ClusterSet. In future releases, some additional tooling +may become available to automate the creation of such ResourceExport and make ACNP replication easier. 
+ +```yaml +apiVersion: multicluster.crd.antrea.io/v1alpha1 +kind: ResourceExport +metadata: + name: strict-namespace-isolation-for-test-clusterset + namespace: antrea-mcs-ns # Namespace that implements Common Area of test-clusterset +spec: + kind: AntreaClusterNetworkPolicy + name: strict-namespace-isolation # In each importing cluster, an ACNP of name antrea-mc-strict-namespace-isolation will be created with the spec below + clusternetworkpolicy: + priority: 1 + tier: securityops + appliedTo: + - namespaceSelector: {} # Selects all Namespaces in the member cluster + ingress: + - action: Pass + from: + - namespaces: + match: Self # Skip drop rule for traffic from Pods in the same Namespace + - podSelector: + matchLabels: + k8s-app: kube-dns # Skip drop rule for traffic from the core-dns components + - action: Drop + from: + - namespaceSelector: {} # Drop from Pods from all other Namespaces +``` + +The above sample spec will create an ACNP in each member cluster which implements strict namespace +isolation for that cluster. + +Note that because the Tier that an ACNP refers to must exist before the ACNP is applied, an importing +cluster may fail to create the ACNP to be replicated, if the Tier in the ResourceExport spec cannot be +found in that particular cluster. If there are such failures, the ACNP creation status of failed member +clusters will be reported back to the Common Area as K8s Events, and can be checked by describing the +ResourceImport of the original ResourceExport: + +```text +kubectl describe resourceimport -A +--- +Name: strict-namespace-isolation-antreaclusternetworkpolicy +Namespace: antrea-mcs-ns +API Version: multicluster.crd.antrea.io/v1alpha1 +Kind: ResourceImport +Spec: + Clusternetworkpolicy: + Applied To: + Namespace Selector: + Ingress: + Action: Pass + Enable Logging: false + From: + Namespaces: + Match: Self + Pod Selector: + Match Labels: + k8s-app: kube-dns + Action: Drop + Enable Logging: false + 
From: + Namespace Selector: + Priority: 1 + Tier: random + Kind: AntreaClusterNetworkPolicy + Name: strict-namespace-isolation + ... +Events: + Type Reason Age From Message + ---- ------ ---- ---- ------- + Warning ACNPImportFailed 2m11s resourceimport-controller ACNP Tier random does not exist in the importing cluster test-cluster-west +``` + ## Known Issue We recommend user to reinstall or update Antrea Multi-cluster controllers through `kubectl apply`. diff --git a/multicluster/Makefile b/multicluster/Makefile index a47ffb12e2e..c958326194c 100644 --- a/multicluster/Makefile +++ b/multicluster/Makefile @@ -1,5 +1,10 @@ # Produce CRDs that work back to Kubernetes 1.11 (no version conversion) -CRD_OPTIONS ?= "crd:trivialVersions=true,preserveUnknownFields=false" +# For controller-gen, float value is not allowed by default as it is considered dangerous +# See https://github.com/kubernetes-sigs/controller-tools/issues/245 +# However the ResourceExport/Import refers to ACNP type definition and the priority field in ACNP spec is type float64. +# Hence, before any ACNP spec bumps that changes the priorty field to a different type, +# the allowDangerousTypes flag is needed for CRD manifests to generate correctly. +CRD_OPTIONS ?= "crd:trivialVersions=true,allowDangerousTypes=true,preserveUnknownFields=false" # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) ifeq (,$(shell go env GOBIN)) diff --git a/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go b/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go index 6d58cfb5b79..fe0afdb9e36 100644 --- a/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go +++ b/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go @@ -20,6 +20,7 @@ import ( v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" "antrea.io/antrea/pkg/apis/crd/v1alpha2" ) 
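Review bot: The new comment block above `CRD_OPTIONS` has a typo, `priorty` → `priority`, and it should state that `allowDangerousTypes=true` applies to every CRD generated by this Makefile, not only ResourceExport/ResourceImport, since as far as the visible lines show the variable is global. A one-line addition such as `# NOTE: this relaxes the float-type restriction for all CRDs generated from this directory, not just ResourceExport/Import.` makes that scope explicit to the next person who adds a type here. The sentence `before any ACNP spec bumps that changes the priorty field to a different type` reads more clearly as `until an ACNP API bump changes the priority field to a non-float type`.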
@@ -63,6 +64,8 @@ type ResourceExportSpec struct { Endpoints *EndpointsExport `json:"endpoints,omitempty"` // If exported resource is ExternalEntity. ExternalEntity *ExternalEntityExport `json:"externalentity,omitempty"` + // If exported resource is AntreaClusterNetworkPolicy. + ClusterNetworkPolicy *v1alpha1.ClusterNetworkPolicySpec `json:"clusternetworkpolicy,omitempty"` // If exported resource Kind is unknown. Raw RawResourceExport `json:"raw,omitempty"` } diff --git a/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go b/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go index 132e8f5c8d1..96770b999bf 100644 --- a/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go +++ b/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go @@ -21,6 +21,8 @@ import ( ctrl "sigs.k8s.io/controller-runtime" logf "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/webhook" + + "antrea.io/antrea/multicluster/controllers/multicluster/common" ) // log is for logging in this package. 
@@ -39,6 +41,25 @@ var _ webhook.Defaulter = &ResourceExport{} // Default implements webhook.Defaulter so a webhook will be registered for the type func (r *ResourceExport) Default() { resourceexportlog.Info("default", "name", r.Name) + if r.Spec.ClusterNetworkPolicy == nil { + // Only mutate ResourceExport created for ClusterNetworkPolicy resources + return + } + if len(r.Labels) == 0 { + r.Labels = map[string]string{} + } + if nameLabelVal, exists := r.Labels[common.SourceName]; !exists || nameLabelVal != r.Spec.Name { + r.Labels[common.SourceName] = r.Spec.Name + } + if namespaceLabelVal, exists := r.Labels[common.SourceNamespace]; !exists || namespaceLabelVal != "" { + r.Labels[common.SourceNamespace] = "" + } + if kindLabelVal, exists := r.Labels[common.SourceKind]; !exists || kindLabelVal != common.AntreaClusterNetworkPolicyKind { + r.Labels[common.SourceKind] = common.AntreaClusterNetworkPolicyKind + } + if r.DeletionTimestamp.IsZero() && !common.StringExistsInSlice(r.Finalizers, common.ResourceExportFinalizer) { + r.Finalizers = append(r.Finalizers, common.ResourceExportFinalizer) + } } //+kubebuilder:webhook:path=/validate-multicluster-crd-antrea-io-v1alpha1-resourceexport,mutating=false,failurePolicy=fail,sideEffects=None,groups=multicluster.crd.antrea.io,resources=resourceexports,verbs=create;update,versions=v1alpha1,name=vresourceexport.kb.io,admissionReviewVersions={v1,v1beta1} diff --git a/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go b/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go index d2223f6895c..de0b8eb1c23 100644 --- a/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go +++ b/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go @@ -21,6 +21,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" mcs "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" "antrea.io/antrea/pkg/apis/crd/v1alpha2" ) 
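Review bot: The three compare-then-assign blocks in `Default()` are equivalent to unconditional map writes, because each branch fires whenever the key is absent or its value differs and then stores the same value: `r.Labels[common.SourceName] = r.Spec.Name`, `r.Labels[common.SourceNamespace] = ""`, `r.Labels[common.SourceKind] = common.AntreaClusterNetworkPolicyKind`. Collapsing them also makes the intent visible, and that intent deserves a comment because it is a security-relevant property of the mutating webhook: the defaulter overwrites any client-supplied source labels, so a ResourceExport cannot claim a different source name or kind than its spec declares, e.g. `// Always derive the source labels from the spec so that clients cannot supply spoofed values.` The `r.DeletionTimestamp.IsZero()` call relies on metav1.Time's nil-safe pointer receiver, which is correct but worth a short comment since a reader may expect a nil check. Whether `r.Spec.Name` can be empty at this point is presumably enforced by the validating webhook registered below, which is outside this hunk.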
@@ -57,6 +58,8 @@ type ResourceImportSpec struct { Endpoints *EndpointsImport `json:"endpoints,omitempty"` // If imported resource is ExternalEntity. ExternalEntity *ExternalEntityImport `json:"externalentity,omitempty"` + // If imported resource is AntreaClusterNetworkPolicy. + ClusterNetworkPolicy *v1alpha1.ClusterNetworkPolicySpec `json:"clusternetworkpolicy,omitempty"` // If imported resource is ANP. // TODO: // ANP uses float64 as priority. Type float64 is discouraged by k8s, and is not supported by controller-gen tools. diff --git a/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go b/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go index 822b6fbb25c..1811af33287 100644 --- a/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go +++ b/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go @@ -1,4 +1,3 @@ -//go:build !ignore_autogenerated // +build !ignore_autogenerated /* @@ -22,6 +21,7 @@ limitations under the License. package v1alpha1 import ( + crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" "antrea.io/antrea/pkg/apis/crd/v1alpha2" "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime" @@ -651,6 +651,11 @@ func (in *ResourceExportSpec) DeepCopyInto(out *ResourceExportSpec) { *out = new(ExternalEntityExport) (*in).DeepCopyInto(*out) } + if in.ClusterNetworkPolicy != nil { + in, out := &in.ClusterNetworkPolicy, &out.ClusterNetworkPolicy + *out = new(crdv1alpha1.ClusterNetworkPolicySpec) + (*in).DeepCopyInto(*out) + } in.Raw.DeepCopyInto(&out.Raw) } @@ -895,6 +900,11 @@ func (in *ResourceImportSpec) DeepCopyInto(out *ResourceImportSpec) { *out = new(ExternalEntityImport) (*in).DeepCopyInto(*out) } + if in.ClusterNetworkPolicy != nil { + in, out := &in.ClusterNetworkPolicy, &out.ClusterNetworkPolicy + *out = new(crdv1alpha1.ClusterNetworkPolicySpec) + (*in).DeepCopyInto(*out) + } if in.Raw != nil { in, out := &in.Raw, &out.Raw *out = new(RawResourceImport) 
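Review bot: The added `ClusterNetworkPolicy *v1alpha1.ClusterNetworkPolicySpec` field sits directly above the context comment `// ANP uses float64 as priority. Type float64 is discouraged by k8s, and is not supported by controller-gen tools.`, which this same commit makes stale by enabling `allowDangerousTypes=true` in `multicluster/Makefile`; the ACNP spec carries the same float64 priority and is now generated through that flag. The TODO should be updated to reflect the chosen workaround, e.g. `// TODO: ANP/ACNP use float64 as priority, which controller-gen only accepts with allowDangerousTypes=true (see multicluster/Makefile).`, or dropped if the ANP import is meant to follow the same route. `ResourceImportSpec` continues outside the hunk.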
diff --git a/multicluster/build/yamls/antrea-multicluster-leader-global.yml b/multicluster/build/yamls/antrea-multicluster-leader-global.yml
index a6e2f5af46e..fc35c73efc8 100644
--- a/multicluster/build/yamls/antrea-multicluster-leader-global.yml
+++ b/multicluster/build/yamls/antrea-multicluster-leader-global.yml
@@ -376,6 +376,1678 @@ spec: description: ClusterID specifies the member cluster this resource exported from. type: string + clusternetworkpolicy: + description: If exported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector + of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
+ A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. 
+ type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. 
+ type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. 
IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. 
+ properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' 
+ type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. 
+ type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. 
IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. 
+ properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' 
+ type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. 
+ type: string + required: + - priority + type: object endpoints: description: If exported resource is EndPoints. properties: 
@@ -1129,6 +2801,1678 @@ spec: items: type: string type: array + clusternetworkpolicy: + description: If imported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector + of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
+ If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. 
+ type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. 
+ items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. 
+ properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. 
Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". 
+ The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. 
+ type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. 
+ properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' 
+ type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. 
Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. 
+ type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. 
+ Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. 
+ properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". 
+ type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. 
+ This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. 
Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. + type: string + required: + - priority + type: object endpoints: description: If imported resource is EndPoints. properties: diff --git a/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml b/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml index f47189981ed..3b86f1926fd 100644 --- a/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml +++ b/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml @@ -33,6 +33,12 @@ rules: - patch - update - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create - apiGroups: - "" resources: 
@@ -45,6 +51,26 @@ rules: - patch - update - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - list + - watch - apiGroups: - multicluster.crd.antrea.io resources: @@ -316,6 +342,12 @@ metadata: name: antrea-mc-member-cluster-role namespace: changeme rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/build/yamls/antrea-multicluster-member.yml b/multicluster/build/yamls/antrea-multicluster-member.yml index 85ce32e4148..54e526df71a 100644 --- a/multicluster/build/yamls/antrea-multicluster-member.yml +++ b/multicluster/build/yamls/antrea-multicluster-member.yml 
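Review bot: The first hunk on this line grants create/delete/patch/update/watch on the cluster-scoped `clusternetworkpolicies` resource of `crd.antrea.io`, while the adjacent new `tiers` rule is read-only, and nothing records why the role needs write rather than read access to cluster-wide network policy; any principal bound to this role can then author or remove ClusterNetworkPolicies for the whole cluster, so the grant deserves a stated reason. The hunk header shows only `rules:`, so which role (and which ServiceAccount binding) these verbs land in is not visible here, and the need for `delete` in particular should be confirmed against what the controller actually reconciles. I would add a comment above the added rule along the lines of `# Write access to ClusterNetworkPolicies is needed to materialize imported policies — confirm whether delete is required` (presumably for resources of kind clusternetworkpolicy introduced in the other hunks; verify). If this manifest is generated from a template, as the generate-manifest.sh reference elsewhere in the change suggests, the comment belongs in that source rather than in the built YAML.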
@@ -376,6 +376,1678 @@ spec: description: ClusterID specifies the member cluster this resource exported from. type: string + clusternetworkpolicy: + description: If exported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector + of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
+ A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. 
+ type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. 
+ type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. 
IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. 
+ properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' 
+ type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. 
+ type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. 
IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. 
+ properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' 
+ type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. 
+ type: string + required: + - priority + type: object endpoints: description: If exported resource is EndPoints. properties: 
@@ -1129,6 +2801,1678 @@ spec: items: type: string type: array + clusternetworkpolicy: + description: If imported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector + of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
+ If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. 
+ type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. 
+ items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. 
+ properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. 
Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". 
+ The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. 
+ type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. 
+ properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' 
+ type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. 
Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. 
+ type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. 
+ Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. 
+ properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". 
+ type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. 
+ This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. 
Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. + type: string + required: + - priority + type: object endpoints: description: If imported resource is EndPoints. properties: @@ -1932,6 +5276,12 @@ rules: - patch - update - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create - apiGroups: - "" resources: @@ -1944,6 +5294,26 @@ rules: - patch - update - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - list + - watch - apiGroups: - multicluster.crd.antrea.io resources: 
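Review bot: Nothing in the second `rules:` hunk (`@@ -1944,6 +5294,26 @@`) records why the controller needs cluster-wide create/delete/patch/update on `clusternetworkpolicies` in `crd.antrea.io`, a cluster-scoped resource whose rules apply to every workload in the cluster. Presumably the write verbs exist so that imported ClusterNetworkPolicies can be materialised locally, which means the controller's ServiceAccount, and whichever leader cluster feeds it ResourceImports, can now install or remove cluster-wide policy in this cluster; that widened blast radius should be stated next to the rule, e.g. `# write access is needed to realize imported ClusterNetworkPolicies; a compromised controller SA or leader can alter cluster-wide policy`. If this manifest is generated from an RBAC source, the comment belongs in that source rather than in the rendered file. The `events`/`create` rule in the first `rules:` hunk and the read-only `tiers` rule look proportionate.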
diff --git a/multicluster/cmd/multicluster-controller/controller.go b/multicluster/cmd/multicluster-controller/controller.go
index 8989da33e45..13fee7972c5 100644
--- a/multicluster/cmd/multicluster-controller/controller.go
+++ b/multicluster/cmd/multicluster-controller/controller.go
@@ -39,6 +39,7 @@ import (
 multiclusterv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1"
 multiclustercontrollers "antrea.io/antrea/multicluster/controllers/multicluster"
+ antreacrd "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 "antrea.io/antrea/pkg/apiserver/certificate"
 // +kubebuilder:scaffold:imports
 )
@@ -59,6 +60,7 @@ func init() {
 utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 utilruntime.Must(k8smcsv1alpha1.AddToScheme(scheme))
 utilruntime.Must(multiclusterv1alpha1.AddToScheme(scheme))
+ utilruntime.Must(antreacrd.AddToScheme(scheme))
 //+kubebuilder:scaffold:scheme
 }
diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml
index a2839dc02e6..32993f38ba1 100644
--- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml
+++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml
@@ -40,6 +40,1678 @@ spec: description: ClusterID specifies the member cluster this resource exported from. type: string + clusternetworkpolicy: + description: If exported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector + of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
+ A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. 
+ type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. 
+ type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. 
IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. 
+ properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' 
+ type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. 
+ type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. 
IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. 
+ properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' 
+ type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. 
+ type: string + required: + - priority + type: object endpoints: description: If exported resource is EndPoints. properties: diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml index a7e31350907..8790288ea66 100644 --- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml +++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml 
@@ -42,6 +42,1678 @@ spec: items: type: string type: array + clusternetworkpolicy: + description: If imported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector + of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
+ If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. 
+ type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. 
+ items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. 
+ properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. 
Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". 
+ The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. 
+ type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. 
+ properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' 
+ type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. 
Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. 
+ type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. 
+ Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. 
+ properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". 
+ type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. 
+ This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. 
Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. + type: string + required: + - priority + type: object endpoints: description: If imported resource is EndPoints. properties: diff --git a/multicluster/config/overlays/leader-ns/member_cluster_role.yaml b/multicluster/config/overlays/leader-ns/member_cluster_role.yaml index 66201435698..b55887be4de 100644 --- a/multicluster/config/overlays/leader-ns/member_cluster_role.yaml +++ b/multicluster/config/overlays/leader-ns/member_cluster_role.yaml @@ -6,6 +6,12 @@ metadata: name: member-cluster-role namespace: changeme rules: + - apiGroups: + - "" + resources: + - events + verbs: + - create - apiGroups: - multicluster.crd.antrea.io resources: 
diff --git a/multicluster/config/rbac/role.yaml b/multicluster/config/rbac/role.yaml index e8831e63cce..d5f02c7eea3 100644 --- a/multicluster/config/rbac/role.yaml +++ b/multicluster/config/rbac/role.yaml @@ -18,6 +18,12 @@ rules: - patch - update - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create - apiGroups: - "" resources: @@ -30,6 +36,26 @@ rules: - patch - update - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - list + - watch - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/controllers/multicluster/common/helper.go b/multicluster/controllers/multicluster/common/helper.go index 839421b5334..d6c861f0358 100644 --- a/multicluster/controllers/multicluster/common/helper.go +++ b/multicluster/controllers/multicluster/common/helper.go @@ -17,12 +17,14 @@ import corev1 "k8s.io/api/core/v1" const ( AntreaMCServiceAnnotation = "multicluster.antrea.io/imported-service" + AntreaMCACNPAnnotation = "multicluster.antrea.io/imported-acnp" AntreaMCClusterIDAnnotation = "multicluster.antrea.io/local-cluster-id" - AntreaMCSPrefix = "antrea-mc-" - ServiceKind = "Service" - EndpointsKind = "Endpoints" - ServiceImportKind = "ServiceImport" + AntreaMCSPrefix = "antrea-mc-" + ServiceKind = "Service" + EndpointsKind = "Endpoints" + AntreaClusterNetworkPolicyKind = "AntreaClusterNetworkPolicy" + ServiceImportKind = "ServiceImport" SourceName = "sourceName" SourceNamespace = "sourceNamespace" diff --git a/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go new file mode 100644 index 00000000000..2e8b3ccea3e --- /dev/null +++ b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go 
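Review bot: The second hunk (`@@ -30,6 +36,26 @@`) grants the controller create/delete/patch/update on every `clusternetworkpolicies` object in the cluster, not only the imported `antrea-mc-`-prefixed ones, and RBAC rules cannot be scoped by name prefix, so the only thing that keeps the controller from overwriting or deleting an operator-authored ACNP is the annotation check inside the reconciler. That is a reasonable trade-off for a controller that must own imported policies, but it should be stated next to the rule so the grant is not widened or copied without thought, e.g. `# Full CRUD is required to reconcile imported ACNPs (antrea-mc-*); the controller refuses to touch ACNPs that lack the imported-acnp annotation.` If role.yaml is produced by controller-gen, that comment belongs on the kubebuilder rbac marker that generates this rule rather than in the file itself. The `tiers` grant is read-only, which matches the existence check the reconciler performs.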
@@ -0,0 +1,173 @@ +/* +Copyright 2022 Antrea Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package commonarea + +import ( + "context" + "errors" + "fmt" + + corev1 "k8s.io/api/core/v1" + apiequality "k8s.io/apimachinery/pkg/api/equality" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "k8s.io/klog/v2" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + + multiclusterv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" + "antrea.io/antrea/multicluster/controllers/multicluster/common" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" +) + +const acnpImportFailed string = "ACNPImportFailed" + +var ( + resourceImportAPIVersion = "multicluster.crd.antrea.io/v1alpha1" + resourceImportKind = "ResourceImport" + acnpEventReportingController = "resourceimport-controller" + // TODO(yang): add run-time pod suffix + acnpEventReportingInstance = "antrea-mc-controller" +) + +func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) (ctrl.Result, error) { + acnpName := types.NamespacedName{ + Namespace: "", + Name: common.AntreaMCSPrefix + resImp.Spec.Name, + } + klog.InfoS("Updating ACNP corresponding to ResourceImport", + "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) + + acnp := &v1alpha1.ClusterNetworkPolicy{} + err := r.localClusterClient.Get(ctx, acnpName, 
acnp) + acnpNotFound := apierrors.IsNotFound(err) + if err != nil && !acnpNotFound { + return ctrl.Result{}, err + } + if !acnpNotFound { + if _, ok := acnp.Annotations[common.AntreaMCACNPAnnotation]; !ok { + msg := "Unable to import Antrea ClusterNetworkPolicy which conflicts with existing one in cluster " + r.localClusterID + err := errors.New(msg) + klog.ErrorS(err, "", "acnp", klog.KObj(acnp)) + return ctrl.Result{}, r.reportStatusEvent(msg, ctx, resImp) + } + } + acnpObj := getMCAntreaClusterPolicy(resImp) + tierObj, tierName := &v1alpha1.Tier{}, acnpObj.Spec.Tier + err = r.localClusterClient.Get(ctx, types.NamespacedName{Namespace: "", Name: tierName}, tierObj) + tierNotFound := apierrors.IsNotFound(err) + if err != nil && !tierNotFound { + msg := fmt.Sprintf("Failed to get Tier %s in member cluster %s", tierName, r.localClusterID) + return ctrl.Result{}, r.reportStatusEvent(msg, ctx, resImp) + } + tierNotFoundMsg := fmt.Sprintf("ACNP Tier %s does not exist in importing cluster %s", tierName, r.localClusterID) + if !tierNotFound { + // If the ACNP Tier exists in the importing member cluster, then the policy is realizable. + // Create or update the ACNP if necessary. 
+ if acnpNotFound { + if err = r.localClusterClient.Create(ctx, acnpObj, &client.CreateOptions{}); err != nil { + msg := "Failed to create imported Antrea ClusterNetworkPolicy in cluster " + r.localClusterID + klog.ErrorS(err, msg, "acnp", klog.KObj(acnpObj)) + return ctrl.Result{}, r.reportStatusEvent(msg, ctx, resImp) + } + r.installedResImports.Add(*resImp) + } else if !apiequality.Semantic.DeepEqual(acnp.Spec, acnpObj.Spec) { + acnp.Spec = acnpObj.Spec + if err = r.localClusterClient.Update(ctx, acnp, &client.UpdateOptions{}); err != nil { + msg := "Failed to update imported Antrea ClusterNetworkPolicy in cluster " + r.localClusterID + klog.ErrorS(err, msg, "acnp", klog.KObj(acnpObj)) + return ctrl.Result{}, r.reportStatusEvent(msg, ctx, resImp) + } + } + } else if !acnpNotFound { + // The ACNP Tier does not exist, and the policy cannot be realized in this particular importing member cluster. + // If there is an ACNP previously created via import (which has a valid Tier by then), it should be cleaned up. 
+ if err = r.localClusterClient.Delete(ctx, acnpObj, &client.DeleteOptions{}); err != nil { + msg := "Failed to delete imported Antrea ClusterNetworkPolicy that no longer has a valid Tier for cluster " + r.localClusterID + klog.ErrorS(err, msg, "acnp", klog.KObj(acnpObj)) + return ctrl.Result{}, r.reportStatusEvent(msg, ctx, resImp) + } + return ctrl.Result{}, r.reportStatusEvent(tierNotFoundMsg, ctx, resImp) + } else { + return ctrl.Result{}, r.reportStatusEvent(tierNotFoundMsg, ctx, resImp) + } + return ctrl.Result{}, nil +} + +func (r *ResourceImportReconciler) handleResImpDeleteForClusterNetworkPolicy(ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) (ctrl.Result, error) { + acnpName := types.NamespacedName{ + Namespace: "", + Name: common.AntreaMCSPrefix + resImp.Spec.Name, + } + klog.InfoS("Deleting ACNP corresponding to ResourceImport", + "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) + + acnp := &v1alpha1.ClusterNetworkPolicy{} + err := r.localClusterClient.Get(ctx, acnpName, acnp) + if err != nil { + if apierrors.IsNotFound(err) { + klog.V(2).InfoS("ACNP corresponding to ResourceImport has already been deleted", + "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) + return ctrl.Result{}, nil + } + return ctrl.Result{}, err + } + if err = r.localClusterClient.Delete(ctx, acnp, &client.DeleteOptions{}); err != nil { + return ctrl.Result{}, err + } + return ctrl.Result{}, nil +} + +func getMCAntreaClusterPolicy(resImp *multiclusterv1alpha1.ResourceImport) *v1alpha1.ClusterNetworkPolicy { + return &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + resImp.Spec.Name, + Annotations: map[string]string{ + common.AntreaMCACNPAnnotation: "true", + }, + }, + Spec: *resImp.Spec.ClusterNetworkPolicy, + } +} + +func (r *ResourceImportReconciler) reportStatusEvent(errMsg string, ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) error { + t := metav1.Now() + 
statusEvent := &corev1.Event{ + ObjectMeta: metav1.ObjectMeta{ + Name: fmt.Sprintf("%v.%x", resImp.Name, t.UnixNano()), + Namespace: resImp.Namespace, + }, + Type: corev1.EventTypeWarning, + Reason: acnpImportFailed, + Message: errMsg, + InvolvedObject: corev1.ObjectReference{ + APIVersion: resourceImportAPIVersion, + Kind: resourceImportKind, + Name: resImp.Name, + Namespace: resImp.Namespace, + UID: resImp.GetUID(), + }, + FirstTimestamp: metav1.Now(), + LastTimestamp: metav1.Now(), + ReportingController: acnpEventReportingController, + ReportingInstance: acnpEventReportingInstance, + Action: "synced", + } + if err := r.remoteCommonArea.Create(ctx, statusEvent, &client.CreateOptions{}); err != nil { + klog.ErrorS(err, "Failed to create ACNP import event for ResourceImport", "resImp", klog.KObj(resImp)) + return err + } + return nil +} diff --git a/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller_test.go b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller_test.go new file mode 100644 index 00000000000..e9b420b4937 --- /dev/null +++ b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller_test.go 
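Review bot: Every failure branch in handleResImpUpdateForClusterNetworkPolicy returns `r.reportStatusEvent(msg, ctx, resImp)` as the reconcile error, so whenever the Event is created successfully the reconciler returns a nil error and controller-runtime does not requeue; a transient failure of the Tier Get or of the ACNP Create/Update/Delete is therefore not retried until the ResourceImport changes again, and the underlying `err` is dropped from the return path. For those transient cases the event should be reported and the original error returned, e.g. `_ = r.reportStatusEvent(msg, ctx, resImp)` followed by `return ctrl.Result{}, err`, while the conflict case (existing ACNP without the annotation) is legitimately non-retryable and can keep returning nil. As a style point, `reportStatusEvent` takes `ctx` as its second parameter; Go convention puts `context.Context` first. In the same function `t` is computed once but `FirstTimestamp`/`LastTimestamp` call `metav1.Now()` again, so the name suffix and the timestamps can disagree; using `t` for all three keeps them consistent. Since the role only grants `create` on events, each failed reconcile also produces a distinct Event object (unique `UnixNano` name) in the leader namespace instead of bumping a count on an existing one, so repeated failures will accumulate objects there.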
@@ -0,0 +1,364 @@ +/* +Copyright 2022 Antrea Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package commonarea + +import ( + "reflect" + "testing" + + "github.com/stretchr/testify/assert" + corev1 "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/client/fake" + + mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" + "antrea.io/antrea/multicluster/controllers/multicluster/common" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" +) + +var ( + acnpImportName = "acnp-for-isolation" + acnpResImportName = leaderNamespace + "-" + acnpImportName + + acnpImpReq = ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: acnpResImportName, + }} + acnpImpNoMatchingTierReq = ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: "default-acnp-no-matching-tier", + }} + + allowAction = v1alpha1.RuleActionAllow + dropAction = v1alpha1.RuleActionDrop + securityOpsTier = &v1alpha1.Tier{ + ObjectMeta: metav1.ObjectMeta{ + Name: "securityops", + }, + Spec: v1alpha1.TierSpec{ + Priority: int32(100), + Description: "[READ-ONLY]: System generated SecurityOps Tier", + }, + } + acnpResImport = &mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: 
acnpResImportName, + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: acnpImportName, + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + Ingress: []v1alpha1.Rule{ + { + Action: &dropAction, + 
From: []v1alpha1.NetworkPolicyPeer{ + { + Namespaces: &v1alpha1.PeerNamespaces{ + Match: v1alpha1.NamespaceMatchSelf, + }, + }, + }, + }, + }, + }, + }, + } + acnpResImportNoMatchingTier = &mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: "default-acnp-no-matching-tier", + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: "acnp-no-matching-tier", + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "somerandomtier", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + }, + } +) + +func TestResourceImportReconciler_handleCopySpanACNPCreateEvent(t *testing.T) { + remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) + go remoteMgr.Start() + defer remoteMgr.Stop() + + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(securityOpsTier).Build() + fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(acnpResImport, acnpResImportNoMatchingTier).Build() + remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") + + tests := []struct { + name string + acnpImportName string + req ctrl.Request + expectedSuccess bool + }{ + { + name: "import ACNP of pre-defined tiers", + acnpImportName: acnpImportName, + req: acnpImpReq, + expectedSuccess: true, + }, + { + name: "import ACNP of non-existing tier", + acnpImportName: "acnp-no-matching-tier", + req: acnpImpNoMatchingTierReq, + expectedSuccess: false, + }, + } + r := NewResourceImportReconciler(fakeClient, scheme, fakeClient, localClusterID, remoteCluster) + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if _, err := r.Reconcile(ctx, tt.req); err != nil { + if err != nil { + t.Errorf("ResourceImport Reconciler should handle ACNP create event successfully but got error = %v", err) + } + } else { + acnp := 
&v1alpha1.ClusterNetworkPolicy{} + err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + tt.acnpImportName}, acnp) + if tt.expectedSuccess && err != nil { + t.Errorf("ResourceImport Reconciler should import an ACNP successfully but got error = %v", err) + } else if !tt.expectedSuccess && (err == nil || !apierrors.IsNotFound(err)) { + t.Errorf("ResourceImport Reconciler should not import an ACNP whose Tier does not exist in current cluster. Expected NotFound error. Actual err = %v", err) + } + if !tt.expectedSuccess { + errorList := &corev1.EventList{} + if err := fakeRemoteClient.List(ctx, errorList, &client.ListOptions{}); err != nil { + t.Errorf("Failed to list Events in remote Common Area") + } + if len(errorList.Items) == 0 { + t.Errorf("An event should be created for failed ACNP imports") + } + } + } + }) + } +} + +func TestResourceImportReconciler_handleCopySpanACNPDeleteEvent(t *testing.T) { + remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) + go remoteMgr.Start() + defer remoteMgr.Stop() + + existingACNP := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + acnpImportName, + }, + } + + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP).Build() + fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).Build() + remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") + + r := NewResourceImportReconciler(fakeClient, scheme, fakeClient, localClusterID, remoteCluster) + r.installedResImports.Add(*acnpResImport) + + if _, err := r.Reconcile(ctx, acnpImpReq); err != nil { + t.Errorf("ResourceImport Reconciler should handle ACNP ResourceImport delete event successfully but got error = %v", err) + } + acnp := &v1alpha1.ClusterNetworkPolicy{} + if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + 
acnpImportName}, acnp); !apierrors.IsNotFound(err) { + t.Errorf("ResourceImport Reconciler should delete ACNP successfully but got error = %v", err) + } +} + +func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) { + remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) + go remoteMgr.Start() + defer remoteMgr.Stop() + + existingACNP1 := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + acnpImportName, + Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, + }, + Spec: v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + Ingress: []v1alpha1.Rule{ + { + Action: &allowAction, + 
From: []v1alpha1.NetworkPolicyPeer{ + { + Namespaces: &v1alpha1.PeerNamespaces{ + Match: v1alpha1.NamespaceMatchSelf, + }, + }, + }, + }, + }, + }, + } + updatedResImport2 := &mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: "default-acnp-no-matching-tier", + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: "acnp-no-matching-tier", + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + }, + } + existingACNP3 := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + "valid-updated-to-no-valid", + Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, + }, + Spec: v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + } + updatedResImport3 := &mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: "default-valid-updated-to-no-valid", + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: acnpImportName, + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "somerandomtier", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + }, + } + acnpImp3Req := ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: "default-valid-updated-to-no-valid", + }} + acnpImp4Req := ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: "default-name-conflict", + }} + existingACNP4 := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + "name-conflict", + }, + Spec: 
v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + } + + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP1, existingACNP3, existingACNP4, securityOpsTier).Build() + fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(acnpResImport, updatedResImport2, updatedResImport3).Build() + remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") + + r := NewResourceImportReconciler(fakeClient, scheme, fakeClient, localClusterID, remoteCluster) + r.installedResImports.Add(*acnpResImport) + r.installedResImports.Add(*acnpResImportNoMatchingTier) + r.installedResImports.Add(*updatedResImport3) + + tests := []struct { + name string + acnpImportName string + req ctrl.Request + expectErr bool + expectImportSuccess bool + expectedUpdatedACNPSpec *v1alpha1.ClusterNetworkPolicySpec + }{ + { + name: "update acnp spec", + acnpImportName: acnpImportName, + req: acnpImpReq, + expectErr: false, + expectImportSuccess: true, + expectedUpdatedACNPSpec: acnpResImport.Spec.ClusterNetworkPolicy, + }, + { + name: "imported acnp missing tier update to valid tier", + acnpImportName: "acnp-no-matching-tier", + req: acnpImpNoMatchingTierReq, + expectErr: false, + expectImportSuccess: true, + expectedUpdatedACNPSpec: updatedResImport2.Spec.ClusterNetworkPolicy, + }, + { + name: "valid imported acnp update to missing tier", + req: acnpImp3Req, + acnpImportName: "valid-updated-to-no-valid", + expectErr: false, + expectImportSuccess: false, + expectedUpdatedACNPSpec: nil, + }, + { + name: "name conflict with existing acnp", + req: acnpImp4Req, + acnpImportName: "name-conflict", + expectErr: true, + expectImportSuccess: false, + expectedUpdatedACNPSpec: nil, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if _, err := r.Reconcile(ctx, tt.req); 
err != nil { + if tt.expectErr { + assert.Contains(t, err.Error(), "conflicts with existing one") + } else { + t.Errorf("ResourceImport Reconciler should handle update event successfully but got error = %v", err) + } + } else { + if tt.expectedUpdatedACNPSpec != nil { + acnp := &v1alpha1.ClusterNetworkPolicy{} + err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + tt.acnpImportName}, acnp) + if tt.expectImportSuccess && err != nil { + t.Errorf("ResourceImport Reconciler should import an ACNP successfully but got error = %v", err) + } else if !tt.expectImportSuccess && (err == nil || !apierrors.IsNotFound(err)) { + t.Errorf("ResourceImport Reconciler should not import an ACNP whose Tier does not exist in current cluster. Expected NotFound error. Actual err = %v", err) + } else if !reflect.DeepEqual(acnp.Spec, *tt.expectedUpdatedACNPSpec) { + t.Errorf("ACNP spec was not updated successfully") + } + } + } + }) + } +} diff --git a/multicluster/controllers/multicluster/commonarea/remote_common_area_manager.go b/multicluster/controllers/multicluster/commonarea/remote_common_area_manager.go index e99ffa057b7..8654942cbe2 100644 --- a/multicluster/controllers/multicluster/commonarea/remote_common_area_manager.go +++ b/multicluster/controllers/multicluster/commonarea/remote_common_area_manager.go @@ -35,7 +35,7 @@ type clusterEvent struct { type RemoteCommonAreaManager interface { // Start starts RemoteCommonAreaManager on an event loop which runs in a goroutine Start() error - // Stop stop RemoteCommonAreaManager by terminating the event loop. + // Stop stops RemoteCommonAreaManager by terminating the event loop. Stop() error // AddRemoteCommonArea adds a RemoteCommonArea to RemoteCommonAreaManager. AddRemoteCommonArea(remoteCommonArea RemoteCommonArea) 
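Review bot: In TestResourceImportReconciler_handleCopySpanACNPUpdateEvent the whole verification block sits under `if tt.expectedUpdatedACNPSpec != nil`, so the two cases that set it to nil ("valid imported acnp update to missing tier" and "name conflict with existing acnp") never inspect the local cluster: the first does not check that the imported ACNP was removed once its Tier disappeared, and the second does not check that existingACNP4, a policy without the AntreaMCACNPAnnotation annotation, was left untouched. Pinning that down needs a Get of `common.AntreaMCSPrefix + tt.acnpImportName` outside the nil guard, an `apierrors.IsNotFound(err)` assertion for the missing-tier case, and, in the `tt.expectErr` branch after the `assert.Contains`, a `reflect.DeepEqual(acnp.Spec, existingACNP4.Spec)` check for the conflict case, since that is the property the cluster-wide ACNP write permission relies on. The nested `if err != nil { if err != nil {` in TestResourceImportReconciler_handleCopySpanACNPCreateEvent is redundant and reads as a leftover; one check suffices. The create-event test also stops at `len(errorList.Items) == 0`; asserting the Event's Reason or InvolvedObject name would make the failure path more than a smoke check.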
diff --git a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go
index b5952acf851..5a2d0b816c1 100644
--- a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go
+++ b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go
@@ -77,6 +77,8 @@ func NewResourceImportReconciler(client client.Client, scheme *runtime.Scheme, l
 }
 }
+//+kubebuilder:rbac:groups=crd.antrea.io,resources=clusternetworkpolicies,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=crd.antrea.io,resources=tiers,verbs=get;list;watch
 //+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=resourceimports,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=resourceimports/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=resourceimports/finalizers,verbs=update
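Review bot: The new marker grants the controller cluster-wide create/update/patch/delete on ClusterNetworkPolicies, and Kubernetes RBAC cannot narrow that to the imported ones, so the only thing that keeps the controller from rewriting an operator-authored ACNP is the handler's own check (the new test expects a "conflicts with existing one" error, and getMCAntreaClusterPolicy tags imports with `common.AntreaMCACNPAnnotation`). That contract belongs next to the marker so whoever edits the handler knows the role has no name scoping: `// ClusterNetworkPolicy write access is cluster-wide: imported policies are identified only by the AntreaMCSPrefix name and the AntreaMCACNPAnnotation annotation, so the ACNP handlers must refuse to overwrite policies they did not create.` The tiers grant is read-only, which matches the lookup the handler performs.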
@@ -84,11 +86,12 @@ func NewResourceImportReconciler(client client.Client, scheme *runtime.Scheme, l
 //+kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceimports/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups="",resources=endpoints,verbs=get;list;watch;update;create;patch;delete
 //+kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;update;create;patch;delete
+//+kubebuilder:rbac:groups="",resources=events,verbs=create
 // Reconcile will attempt to ensure that the imported Resource is installed in local cluster as per the
 // ResourceImport object.
 func (r *ResourceImportReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
- klog.V(2).InfoS("reconciling ResourceImport", "resourceimport", req.NamespacedName)
+ klog.V(2).InfoS("Reconciling ResourceImport", "resourceimport", req.NamespacedName)
 // TODO: Must check whether this ResourceImport must be reconciled by this member cluster. Check `spec.clusters` field.
 if r.localClusterClient == nil {
 return ctrl.Result{}, errors.New("localClusterClient has not been initialized properly, no local cluster client")
@@ -104,7 +107,7 @@ func (r *ResourceImportReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 if err != nil {
 isDeleted = apierrors.IsNotFound(err)
 if !isDeleted {
- klog.InfoS("unable to fetch ResourceImport", "resourceimport", req.NamespacedName.String(), "err", err)
+ klog.InfoS("Unable to fetch ResourceImport", "resourceimport", req.NamespacedName.String(), "err", err)
 return ctrl.Result{}, err
 } else {
 resImpObj, exist, err := r.installedResImports.GetByKey(req.NamespacedName.String())
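Review bot: The `events` create grant is added to the marker set that describes the local-cluster role, but the only Event creation in this change, reportStatusEvent (its hunk begins before this chunk), goes through `r.remoteCommonArea.Create`, i.e. the Event is written into the leader's Common Area rather than the local cluster. If the generated ClusterRole is applied only in the member cluster, the grant that actually matters is the one attached to the leader-side identity the member uses, and this marker would be dead; if the same role is rendered for the leader as well, a comment saying so would save the next reader the question, e.g. `// events: reportStatusEvent records ACNP import failures as Events in the leader's Common Area.` Either way, a quick check that the leader-side role used by members includes events/create is worth doing before merge, since a forbidden Create there turns every Tier mismatch into a requeue.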
@@ -129,6 +132,11 @@ func (r *ResourceImportReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 return r.handleResImpDeleteForEndpoints(ctx, &resImp)
 }
 return r.handleResImpUpdateForEndpoints(ctx, &resImp)
+ case common.AntreaClusterNetworkPolicyKind:
+ if isDeleted {
+ return r.handleResImpDeleteForClusterNetworkPolicy(ctx, &resImp)
+ }
+ return r.handleResImpUpdateForClusterNetworkPolicy(ctx, &resImp)
 }
 // TODO: handle for other ResImport Kinds
 return ctrl.Result{}, nil
@@ -242,15 +250,14 @@ func (r *ResourceImportReconciler) handleResImpDeleteForService(ctx context.Cont
 err = r.localClusterClient.Get(ctx, svcName, svc)
 if err != nil {
 if apierrors.IsNotFound(err) {
+ klog.V(2).InfoS("Service corresponding to ResourceImport has already been deleted",
+ "service", svcName.String(), "resourceimport", klog.KObj(resImp))
 return cleanupServiceImport()
 }
 return ctrl.Result{}, err
 }
 err = r.localClusterClient.Delete(ctx, svc, &client.DeleteOptions{})
 if err != nil {
- if apierrors.IsNotFound(err) {
- return cleanupServiceImport()
- }
 return ctrl.Result{}, err
 }
 return cleanupServiceImport()
@@ -343,7 +350,7 @@ func (r *ResourceImportReconciler) handleResImpDeleteForEndpoints(ctx context.Co
 }
 func getMCService(resImp *multiclusterv1alpha1.ResourceImport) *corev1.Service {
- mcsPorts := []corev1.ServicePort{}
+ var mcsPorts []corev1.ServicePort
 for _, p := range resImp.Spec.ServiceImport.Spec.Ports {
 mcsPorts = append(mcsPorts, corev1.ServicePort{
 Name: p.Name,
diff --git a/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go b/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go
index 3f895a2e278..0e4619eb996 100644
--- a/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go
+++ b/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go
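Review bot: Dropping the `apierrors.IsNotFound(err)` branch after `Delete` in handleResImpDeleteForService turns a benign race into an error return: a Service that disappears between the `Get` and the `Delete` now makes the function return NotFound instead of reaching `cleanupServiceImport()`, so the ServiceImport is left behind until a later reconcile happens to run. Keeping the tolerance costs one condition: `if err = r.localClusterClient.Delete(ctx, svc, &client.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { return ctrl.Result{}, err }`. The new handleResImpDeleteForClusterNetworkPolicy (its hunk starts before this chunk) has the same Get-then-Delete shape and would want the same treatment.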
@@ -36,13 +36,14 @@ import ( mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" "antrea.io/antrea/multicluster/controllers/multicluster/common" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) var ( localClusterID = "cluster-a" leaderNamespace = "default" - svcResImportName = "default-nginx-service" - epResImportName = "default-nginx-endpoints" + svcResImportName = leaderNamespace + "-" + "nginx-service" + epResImportName = leaderNamespace + "-" + "nginx-endpoints" svcImportReq = ctrl.Request{NamespacedName: types.NamespacedName{ Namespace: leaderNamespace, @@ -112,6 +113,7 @@ var ( func init() { utilruntime.Must(mcsv1alpha1.AddToScheme(scheme)) + utilruntime.Must(v1alpha1.AddToScheme(scheme)) utilruntime.Must(k8smcsapi.AddToScheme(scheme)) utilruntime.Must(k8sscheme.AddToScheme(scheme)) } diff --git a/multicluster/controllers/multicluster/resourceexport_controller.go b/multicluster/controllers/multicluster/resourceexport_controller.go index 8f3254b8c94..79e5a170ab1 100644 --- a/multicluster/controllers/multicluster/resourceexport_controller.go +++ b/multicluster/controllers/multicluster/resourceexport_controller.go @@ -74,7 +74,7 @@ func NewResourceExportReconciler( // Reconcile will process all kinds of ResourceExport. Service and Endpoint kinds of ResourceExport // will be handled in this file, and all other kinds will have their own handler files, eg: newkind_handler.go func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { - klog.V(2).InfoS("reconciling ResourceExport", "resourceexport", req.NamespacedName) + klog.V(2).InfoS("Reconciling ResourceExport", "resourceexport", req.NamespacedName) var resExport mcsv1alpha1.ResourceExport if err := r.Client.Get(ctx, req.NamespacedName, &resExport); err != nil { return ctrl.Result{}, client.IgnoreNotFound(err) 
@@ -85,10 +85,8 @@ func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Reque klog.V(2).InfoS("Reconciling Service type of ResourceExport", "resourceexport", req.NamespacedName) case common.EndpointsKind: klog.V(2).InfoS("Reconciling Endpoint type of ResourceExport", "resourceexport", req.NamespacedName) - // Developer can add more supported kinds here in the future. - // eg: add a new case and a new method 'handleNewKind' in a new file like 'newkind_handler.go' - // case common.NewKind: - // return r.handleNewKind(ctx, req, resExport) + case common.AntreaClusterNetworkPolicyKind: + klog.V(2).InfoS("Reconciling AntreaClusterNetworkPolicy type of ResourceExport", "resourceexport", req.NamespacedName) default: klog.InfoS("It's not expected kind, skip reconciling ResourceExport", "resourceexport", req.NamespacedName) return ctrl.Result{}, nil @@ -110,7 +108,7 @@ func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Reque return ctrl.Result{}, nil } - createResImport, existResImport, err := r.getExistingResImport(ctx, resExport) + createResImport, existingResImport, err := r.getExistingResImport(ctx, resExport) if err != nil { return ctrl.Result{}, err } 
@@ -119,9 +117,11 @@ func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Reque resImport := &mcsv1alpha1.ResourceImport{} switch resExport.Spec.Kind { case common.ServiceKind: - resImport, changed, err = r.refreshServiceResourceImport(&resExport, existResImport, createResImport) + resImport, changed, err = r.refreshServiceResourceImport(&resExport, existingResImport, createResImport) case common.EndpointsKind: - resImport, changed, err = r.refreshEndpointsResourceImport(&resExport, existResImport, createResImport) + resImport, changed, err = r.refreshEndpointsResourceImport(&resExport, existingResImport, createResImport) + case common.AntreaClusterNetworkPolicyKind: + resImport, changed, err = r.refreshACNPResourceImport(&resExport, existingResImport, createResImport) } if err != nil { r.updateResourceExportStatus(&resExport, failed) @@ -132,13 +132,13 @@ func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Reque if createResImport { if err = r.Client.Create(ctx, resImport, &client.CreateOptions{}); err != nil { - klog.ErrorS(err, "failed to create ResourceImport", "resourceimport", resImportName.String()) + klog.ErrorS(err, "Failed to create ResourceImport", "resourceimport", resImportName.String()) return ctrl.Result{}, err } r.updateResourceExportStatus(&resExport, succeed) - klog.InfoS("create ResourceImport successfully", "resourceimport", resImportName.String()) + klog.InfoS("Create ResourceImport successfully", "resourceimport", resImportName.String()) } else if changed { - klog.InfoS("update ResourceImport for ResoureExport", "resourceimport", resImportName.String(), "resourceexport", req.NamespacedName) + klog.InfoS("Update ResourceImport for ResoureExport", "resourceimport", resImportName.String(), "resourceexport", req.NamespacedName) if err = r.handleUpdateEvent(ctx, resImport, &resExport); err != nil { return ctrl.Result{}, err } 
@@ -161,13 +161,13 @@ func (r *ResourceExportReconciler) handleUpdateEvent(ctx context.Context, var err error if err = r.Client.Update(ctx, resImport, &client.UpdateOptions{}); err != nil { - klog.ErrorS(err, "failed to update ResourceImport", "resourceimport", resImpName.String()) + klog.ErrorS(err, "Failed to update ResourceImport", "resourceimport", resImpName.String()) return err } latestResImport := &mcsv1alpha1.ResourceImport{} err = r.Client.Get(ctx, resImpName, latestResImport) if err != nil { - klog.ErrorS(err, "failed to get latest ResourceImport", "resourceimport", resImpName.String()) + klog.ErrorS(err, "Failed to get latest ResourceImport", "resourceimport", resImpName.String()) return err } @@ -192,7 +192,7 @@ func (r *ResourceExportReconciler) handleUpdateEvent(ctx context.Context, latestResImport.Status.ClusterStatuses = append(latestResImport.Status.ClusterStatuses, newStatus) } if err := r.Client.Status().Update(ctx, latestResImport, &client.UpdateOptions{}); err != nil { - klog.ErrorS(err, "failed to update ResourceImport Status", "resourceimport", resImpName.String()) + klog.ErrorS(err, "Failed to update ResourceImport Status", "resourceimport", resImpName.String()) return err } return nil @@ -208,6 +208,7 @@ func (r *ResourceExportReconciler) handleDeleteEvent(ctx context.Context, resExp return err } resImportName := GetResourceImportName(resExport) + klog.V(2).InfoS("Deleting ResourceImport created by ResourceExport", "resourceimport", resImportName.String(), "resourceexport", resExport.Name) undeleteItems := RemoveDeletedResourceExports(reList.Items) if len(undeleteItems) == 0 { 
@@ -226,7 +227,7 @@ func (r *ResourceExportReconciler) handleDeleteEvent(ctx context.Context, resExp func (r *ResourceExportReconciler) cleanUpResourceImport(ctx context.Context, resImp types.NamespacedName, re interface{}) error { - klog.InfoS("cleanup ResourceImport", "resourceimport", resImp.String()) + klog.InfoS("Cleaning up ResourceImport", "resourceimport", resImp.String()) resImport := &mcsv1alpha1.ResourceImport{ObjectMeta: metav1.ObjectMeta{ Name: resImp.Name, Namespace: resImp.Namespace, @@ -240,7 +241,7 @@ func (r *ResourceExportReconciler) updateEndpointResourceImport(ctx context.Cont resImport := &mcsv1alpha1.ResourceImport{} err := r.Client.Get(ctx, resImpName, resImport) if err != nil { - klog.ErrorS(err, "failed to get ResourceImport", "resourceimport", resImpName) + klog.ErrorS(err, "Failed to get ResourceImport", "resourceimport", resImpName) return client.IgnoreNotFound(err) } newResImport, changed, err := r.refreshEndpointsResourceImport(existRe, resImport, false) @@ -266,7 +267,7 @@ func (r *ResourceExportReconciler) getExistingResImport(ctx context.Context, err := r.Client.Get(ctx, resImportName, existResImport) if err != nil { if !apierrors.IsNotFound(err) { - klog.ErrorS(err, "failed to get ResourceImport", "resourceimport", resImportName.String()) + klog.ErrorS(err, "Failed to get ResourceImport", "resourceimport", resImportName.String()) return createResImport, nil, err } existResImport = &mcsv1alpha1.ResourceImport{ @@ -309,7 +310,7 @@ func (r *ResourceExportReconciler) refreshServiceResourceImport( if !apiequality.Semantic.DeepEqual(newResImport.Spec.ServiceImport.Spec.Ports, convertedPorts) { undeletedItems, err := r.getNotDeletedResourceExports(resExport) if err != nil { - klog.ErrorS(err, "failed to list ResourceExports, retry later") + klog.ErrorS(err, "Failed to list ResourceExports, retry later") return newResImport, false, err } // When there is only one Service ResourceExport, ResourceImport should reflect the change 
@@ -368,10 +369,10 @@ func (r *ResourceExportReconciler) refreshEndpointsResourceImport( return newResImport, true, nil } // check all matched Endpoints ResourceExport and generate a new EndpointSubset - newSubsets := []corev1.EndpointSubset{} + var newSubsets []corev1.EndpointSubset undeleteItems, err := r.getNotDeletedResourceExports(resExport) if err != nil { - klog.ErrorS(err, "failed to list ResourceExports, retry later") + klog.ErrorS(err, "Failed to list ResourceExports, retry later") return newResImport, false, err } for _, re := range undeleteItems { 
@@ -384,6 +385,32 @@ func (r *ResourceExportReconciler) refreshEndpointsResourceImport(
 return newResImport, true, nil
 }
+func (r *ResourceExportReconciler) refreshACNPResourceImport(
+ resExport *mcsv1alpha1.ResourceExport,
+ resImport *mcsv1alpha1.ResourceImport,
+ createResImport bool) (*mcsv1alpha1.ResourceImport, bool, error) {
+ newResImport := resImport.DeepCopy()
+ newResImport.Spec.Name = resExport.Spec.Name
+ newResImport.Spec.Namespace = resExport.Spec.Namespace
+ newResImport.Spec.Kind = common.AntreaClusterNetworkPolicyKind
+ if createResImport {
+ newResImport.Spec.ClusterNetworkPolicy = resExport.Spec.ClusterNetworkPolicy
+ return newResImport, true, nil
+ }
+ if !apiequality.Semantic.DeepEqual(resExport.Spec.ClusterNetworkPolicy, resImport.Spec.ClusterNetworkPolicy) {
+ undeletedItems, err := r.getNotDeletedResourceExports(resExport)
+ if err != nil {
+ klog.ErrorS(err, "Failed to list ResourceExports for ACNP, retry later")
+ return newResImport, false, err
+ }
+ if len(undeletedItems) == 1 && undeletedItems[0].Name == resExport.Name && undeletedItems[0].Namespace == resExport.Namespace {
+ newResImport.Spec.ClusterNetworkPolicy = resExport.Spec.ClusterNetworkPolicy
+ return newResImport, true, nil
+ }
+ }
+ return newResImport, false, nil
+}
+
 func (r *ResourceExportReconciler) getNotDeletedResourceExports(resExport *mcsv1alpha1.ResourceExport) ([]mcsv1alpha1.ResourceExport, error) {
 reList := &mcsv1alpha1.ResourceExportList{}
 err := r.Client.List(context.TODO(), reList, &client.ListOptions{
@@ -396,7 +423,7 @@ func (r *ResourceExportReconciler) getNotDeletedResourceExports(resExport *mcsv1
 }
 func (r *ResourceExportReconciler) updateResourceExportStatus(resExport *mcsv1alpha1.ResourceExport, res resReason) {
- newConditions := []mcsv1alpha1.ResourceExportCondition{}
+ var newConditions []mcsv1alpha1.ResourceExportCondition
 switch res {
 case succeed:
 newConditions = []mcsv1alpha1.ResourceExportCondition{
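Review bot: When the exported ACNP spec differs from the existing ResourceImport but more than one non-deleted ResourceExport with this name exists, refreshACNPResourceImport returns `(newResImport, false, nil)` and the divergence is dropped silently: there is no log line, and as far as the visible caller shows (`} else if changed {`) no status feedback either, so a member whose policy is shadowed by another member's earlier export has nothing to notice. The practical rule is that the first member to export a given ACNP name owns its spec cluster-set-wide; that deserves a comment on the function and a log when it bites, e.g. before the final return: `klog.V(2).InfoS("ACNP spec differs from existing ResourceImport but other ResourceExports still reference it, not updating", "resourceexport", klog.KObj(resExport), "resourceimport", klog.KObj(resImport))`. `newResImport.Spec.Namespace = resExport.Spec.Namespace` is also copied for a cluster-scoped kind; if ACNP exports are expected to carry an empty Spec.Namespace, saying so in a comment ties this to the naming branch in GetResourceImportName.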
@@ -475,9 +502,15 @@ func SvcPortsConverter(svcPort []corev1.ServicePort) []mcs.ServicePort {
 }
 func GetResourceImportName(resExport *mcsv1alpha1.ResourceExport) types.NamespacedName {
+ if resExport.Spec.Namespace != "" {
+ return types.NamespacedName{
+ Namespace: resExport.Namespace,
+ Name: resExport.Spec.Namespace + "-" + resExport.Spec.Name + "-" + strings.ToLower(resExport.Spec.Kind),
+ }
+ }
 return types.NamespacedName{
 Namespace: resExport.Namespace,
- Name: resExport.Spec.Namespace + "-" + resExport.Spec.Name + "-" + strings.ToLower(resExport.Spec.Kind),
+ Name: resExport.Spec.Name + "-" + strings.ToLower(resExport.Spec.Kind),
 }
 }
@@ -486,7 +519,7 @@ func GetResourceImportName(resExport *mcsv1alpha1.ResourceExport) types.Namespac
 // RemoveDeletedResourceExports remove any ResourceExports with non-zero DeletionTimestamp
 // which is actually deleted object.
 func RemoveDeletedResourceExports(items []mcsv1alpha1.ResourceExport) []mcsv1alpha1.ResourceExport {
- undeleteItems := []mcsv1alpha1.ResourceExport{}
+ var undeleteItems []mcsv1alpha1.ResourceExport
 for _, i := range items {
 if i.DeletionTimestamp.IsZero() {
 undeleteItems = append(undeleteItems, i)
diff --git a/multicluster/controllers/multicluster/resourceexport_controller_test.go b/multicluster/controllers/multicluster/resourceexport_controller_test.go
index ba8c20af1b0..fd1ff1c61d6 100644
--- a/multicluster/controllers/multicluster/resourceexport_controller_test.go
+++ b/multicluster/controllers/multicluster/resourceexport_controller_test.go
@@ -31,11 +31,13 @@ import (
 mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1"
 "antrea.io/antrea/multicluster/controllers/multicluster/common"
+ "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 )
 var (
- now = metav1.Now()
- svcLabels = map[string]string{
+ now = metav1.Now()
+ dropAction = v1alpha1.RuleActionDrop
+ svcLabels = map[string]string{
 common.SourceNamespace: "default",
 common.SourceName: "nginx",
 common.SourceKind: "Service",
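Review bot: The naming rule GetResourceImportName now implements, `<spec.namespace>-<spec.name>-<kind>` for namespaced kinds and `<spec.name>-<kind>` for cluster-scoped ones, can only be recovered by reading both return statements, and the tests in this change build ResourceImport names by hand, so the branch wants a comment. Suggested above the new `if`: `// Cluster-scoped kinds (e.g. AntreaClusterNetworkPolicy) carry no Spec.Namespace; omit it so the name does not start with "-".` The function's doc comment sits above the hunk and should state the two forms as well.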
@@ -54,6 +56,29 @@ var ( Namespace: "default", Name: "cluster-a-default-nginx-endpoints", }} + acnpResReq = ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: "default", + Name: "test-acnp-export", + }} + isolationACNPSpec = &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + Ingress: []v1alpha1.Rule{ + { + Action: &dropAction, + From: []v1alpha1.NetworkPolicyPeer{ + { + Namespaces: &v1alpha1.PeerNamespaces{ + Match: v1alpha1.NamespaceMatchSelf, + }, + }, + }, + }, + }, + } ) func TestResourceExportReconciler_handleServiceExportDeleteEvent(t *testing.T) { 
@@ -261,6 +286,40 @@ func TestResourceExportReconciler_handleEndpointExportCreateEvent(t *testing.T) } } +func TestResourceExportReconciler_handleACNPExportCreateEvent(t *testing.T) { + existingResExport := &mcsv1alpha1.ResourceExport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "default", + Name: "test-acnp-export", + Finalizers: []string{common.ResourceExportFinalizer}, + }, + Spec: mcsv1alpha1.ResourceExportSpec{ + Name: "test-acnp", + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: isolationACNPSpec, + }, + } + expectedImportSpec := mcsv1alpha1.ResourceImportSpec{ + Name: "test-acnp", + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: isolationACNPSpec, + } + namespacedName := GetResourceImportName(existingResExport) + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingResExport).Build() + r := NewResourceExportReconciler(fakeClient, scheme) + if _, err := r.Reconcile(ctx, acnpResReq); err != nil { + t.Errorf("ResourceExport Reconciler should handle ACNP ResourceExport create event successfully but got error = %v", err) + } else { + resImport := &mcsv1alpha1.ResourceImport{} + err := fakeClient.Get(ctx, namespacedName, resImport) + if err != nil { + t.Errorf("failed to get ResourceImport, got error = %v", err) + } else if !reflect.DeepEqual(resImport.Spec, expectedImportSpec) { + t.Errorf("expected ResourceImport Spec %v, but got %v", expectedImportSpec, resImport.Spec) + } + } +} + var ( newResExport = &mcsv1alpha1.ResourceExport{ ObjectMeta: metav1.ObjectMeta{ diff --git a/multicluster/controllers/multicluster/stale_controller.go b/multicluster/controllers/multicluster/stale_controller.go index 705593b4cf5..fa03147339c 100644 --- a/multicluster/controllers/multicluster/stale_controller.go +++ b/multicluster/controllers/multicluster/stale_controller.go 
@@ -33,6 +33,7 @@ import ( mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" "antrea.io/antrea/multicluster/controllers/multicluster/common" "antrea.io/antrea/multicluster/controllers/multicluster/commonarea" + crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) // StaleController will clean up ServiceImport and MC Service if no corresponding ResourceImport @@ -68,17 +69,29 @@ func (c *StaleController) cleanup() error { if *c.remoteCommonAreaManager == nil { return errors.New("ClusterSet has not been initialized properly, no available remote common area") } - remoteCluster, err := getRemoteCommonArea(c.remoteCommonAreaManager) if err != nil { return err } - localClusterID := string((*c.remoteCommonAreaManager).GetLocalClusterID()) if len(localClusterID) == 0 { return errors.New("localClusterID is not initialized, retry later") } + resImpList := &mcsv1alpha1.ResourceImportList{} + if err := remoteCluster.List(ctx, resImpList, &client.ListOptions{Namespace: remoteCluster.GetNamespace()}); err != nil { + return err + } + if err := c.cleanupStaleServiceResources(remoteCluster, localClusterID, resImpList); err != nil { + return err + } + if err := c.cleanupACNPResources(resImpList); err != nil { + return err + } + return nil +} +func (c *StaleController) cleanupStaleServiceResources(remoteCluster commonarea.RemoteCommonArea, + localClusterID string, resImpList *mcsv1alpha1.ResourceImportList) error { svcImpList := &k8smcsv1alpha1.ServiceImportList{} if err := c.List(ctx, svcImpList, &client.ListOptions{}); err != nil { return err @@ -89,11 +102,6 @@ func (c *StaleController) cleanup() error { return err } - resImpList := &mcsv1alpha1.ResourceImportList{} - if err := remoteCluster.List(ctx, resImpList, &client.ListOptions{Namespace: remoteCluster.GetNamespace()}); err != nil { - return err - } - svcImpItems := svcImpList.Items var mcsSvcItems []corev1.Service for _, svc := range svcList.Items { 
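Review bot: The extracted `cleanupStaleServiceResources` has no doc comment, while the file documents its controller type right above (`// StaleController will clean up ServiceImport and MC Service ...`). Since `cleanup` now lists the leader's ResourceImports once and hands the same `resImpList` to two helpers that both treat "absent from the list" as stale, a header on the new method would make that contract explicit, e.g. `// cleanupStaleServiceResources deletes local MC Services and ServiceImports that have no matching ResourceImport in resImpList, which is the leader's view of exported resources.` A matching comment on `cleanup` noting that it returns on the first helper error, so ACNP cleanup is skipped when Service cleanup fails, would also help. The body of `cleanupStaleServiceResources` continues past the end of this hunk.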
@@ -104,12 +112,11 @@ func (c *StaleController) cleanup() error { for _, resImp := range resImpList.Items { for k, svc := range mcsSvcItems { - if svc.Name == common.AntreaMCSPrefix+resImp.Spec.Name && svc.Namespace == resImp.Spec.Namespace { + if resImp.Spec.Kind == common.ServiceKind && svc.Name == common.AntreaMCSPrefix+resImp.Spec.Name && svc.Namespace == resImp.Spec.Namespace { // Set the valid Service item as empty Service, then all left non-empty items should be removed. mcsSvcItems[k] = corev1.Service{} } } - for n, svcImp := range svcImpItems { if svcImp.Name == resImp.Spec.Name && svcImp.Namespace == resImp.Spec.Namespace { svcImpItems[n] = k8smcsv1alpha1.ServiceImport{} @@ -120,18 +127,17 @@ func (c *StaleController) cleanup() error { for _, svc := range mcsSvcItems { s := svc if s.Name != "" { - klog.InfoS("clean up Service", "service", klog.KObj(&s)) + klog.InfoS("Cleaning up stale Service", "service", klog.KObj(&s)) if err := c.Client.Delete(ctx, &s, &client.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { return err } } } - for _, svcImp := range svcImpItems { si := svcImp if si.Name != "" { - klog.InfoS("clean up ServiceImport", "serviceimport", klog.KObj(&si)) - if err = c.Client.Delete(ctx, &si, &client.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { + klog.InfoS("Cleaning up stale ServiceImport", "serviceimport", klog.KObj(&si)) + if err := c.Client.Delete(ctx, &si, &client.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { return err } } @@ -167,7 +173,7 @@ func (c *StaleController) cleanup() error { for _, r := range resExpItems { re := r if re.Name != "" { - klog.InfoS("clean up ResourceExport", "ResourceExport", klog.KObj(&re)) + klog.InfoS("Cleaning up ResourceExport", "ResourceExport", klog.KObj(&re)) if err := remoteCluster.Delete(ctx, &re, &client.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { return err } 
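Review bot: The Kind guard added to the Service comparison, `resImp.Spec.Kind == common.ServiceKind && ...`, has no counterpart in the ServiceImport loop two lines below, `if svcImp.Name == resImp.Spec.Name && svcImp.Namespace == resImp.Spec.Namespace {`. Now that ResourceImports of other kinds share `resImpList`, a non-Service ResourceImport whose `Spec.Name`/`Spec.Namespace` happen to coincide with a ServiceImport would keep a genuinely stale ServiceImport alive. Guarding that comparison on whatever Kind the controller assigns to ServiceImport ResourceImports (whether that is `common.ServiceKind` or a separate constant is not visible here) keeps the two loops consistent. The enclosing function starts and ends outside this hunk.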
@@ -176,6 +182,35 @@ func (c *StaleController) cleanup() error { return nil } +func (c *StaleController) cleanupACNPResources(resImpList *mcsv1alpha1.ResourceImportList) error { + acnpList := &crdv1alpha1.ClusterNetworkPolicyList{} + if err := c.List(ctx, acnpList, &client.ListOptions{}); err != nil { + return err + } + staleMCACNPItems := map[string]crdv1alpha1.ClusterNetworkPolicy{} + for _, acnp := range acnpList.Items { + if _, ok := acnp.Annotations[common.AntreaMCACNPAnnotation]; ok { + staleMCACNPItems[acnp.Name] = acnp + } + } + for _, resImp := range resImpList.Items { + if resImp.Spec.Kind == common.AntreaClusterNetworkPolicyKind { + acnpNameFromResImp := common.AntreaMCSPrefix + resImp.Spec.Name + if _, ok := staleMCACNPItems[acnpNameFromResImp]; ok { + delete(staleMCACNPItems, acnpNameFromResImp) + } + } + } + for _, stalePolicy := range staleMCACNPItems { + acnp := stalePolicy + klog.InfoS("Cleaning up stale ACNP", "acnp", klog.KObj(&acnp)) + if err := c.Client.Delete(ctx, &acnp, &client.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { + return err + } + } + return nil +} + // Enqueue will be called after StaleController is initialized. func (c *StaleController) Enqueue() { // The key can be anything as we only have single item. diff --git a/multicluster/controllers/multicluster/stale_controller_test.go b/multicluster/controllers/multicluster/stale_controller_test.go index eacc0dd66f9..6d401863ce0 100644 --- a/multicluster/controllers/multicluster/stale_controller_test.go +++ b/multicluster/controllers/multicluster/stale_controller_test.go @@ -22,6 +22,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/sets" "k8s.io/klog/v2" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/client/fake" 
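Review bot: `cleanupACNPResources` deletes every ClusterNetworkPolicy carrying `common.AntreaMCACNPAnnotation` that has no match in `resImpList`; since these are isolation policies, an empty or partial view of the leader's ResourceImports (for instance while the common area is still syncing, if that can occur on this path) would remove enforcing policies rather than keep them, so the failure mode is fail-open. If a transiently empty list is possible, skipping ACNP cleanup until the remote common area reports it has synced is the conservative choice, and the decision deserves a doc comment on the function either way. A smaller point: candidates are keyed by `acnp.Name` but matched against `common.AntreaMCSPrefix + resImp.Spec.Name`, so an annotated policy whose name lacks the prefix can never match and is always deleted; if that is intended, `// Only policies named <prefix><ResourceImport name> can be matched; any other annotated ACNP is treated as stale.` makes it explicit.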
@@ -30,9 +31,11 @@ import ( mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" "antrea.io/antrea/multicluster/controllers/multicluster/common" "antrea.io/antrea/multicluster/controllers/multicluster/commonarea" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) func TestStaleController_CleanupService(t *testing.T) { + localClusterID = "cluster-a" remoteMgr := commonarea.NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) go remoteMgr.Start() @@ -62,6 +65,7 @@ func TestStaleController_CleanupService(t *testing.T) { Spec: mcsv1alpha1.ResourceImportSpec{ Name: "non-nginx", Namespace: "default", + Kind: common.ServiceKind, }, } tests := []struct { 
@@ -123,6 +127,94 @@ func TestStaleController_CleanupService(t *testing.T) { } } +func TestStaleController_CleanupACNP(t *testing.T) { + localClusterID = "cluster-a" + remoteMgr := commonarea.NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) + go remoteMgr.Start() + + acnpImportName := "acnp-for-isolation" + acnpResImportName := leaderNamespace + "-" + acnpImportName + acnpResImport := mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "default", + Name: acnpResImportName, + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: acnpImportName, + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + }, + } + acnp1 := v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + acnpImportName, + Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, + }, + } + acnp2 := v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + "some-deleted-resimp", + Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, + }, + } + acnp3 := v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "non-mcs-acnp", + }, + } + tests := []struct { + name string + existingACNPList *v1alpha1.ClusterNetworkPolicyList + existResImpList *mcsv1alpha1.ResourceImportList + expectedACNPRemaining sets.String + }{ + { + name: "cleanup stale ACNP", + existingACNPList: &v1alpha1.ClusterNetworkPolicyList{ + Items: []v1alpha1.ClusterNetworkPolicy{ + acnp1, acnp2, acnp3, + }, + }, + existResImpList: &mcsv1alpha1.ResourceImportList{ + Items: []mcsv1alpha1.ResourceImport{ + acnpResImport, + }, + }, + expectedACNPRemaining: sets.NewString(common.AntreaMCSPrefix+acnpImportName, "non-mcs-acnp"), + }, + } + for _, tt := range tests { + t.Run(tt.name, 
func(t *testing.T) { + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithLists(tt.existingACNPList).Build() + fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithLists(tt.existResImpList).Build() + _ = commonarea.NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") + + c := NewStaleController(fakeClient, scheme, &remoteMgr) + if err := c.cleanup(); err != nil { + t.Errorf("StaleController.cleanup() should clean up all stale ACNPs but got err = %v", err) + } + ctx := context.TODO() + acnpList := &v1alpha1.ClusterNetworkPolicyList{} + if err := fakeClient.List(ctx, acnpList, &client.ListOptions{}); err != nil { + t.Errorf("Error when listing the ACNPs after cleanup") + } + acnpRemaining := sets.NewString() + for _, acnp := range acnpList.Items { + acnpRemaining.Insert(acnp.Name) + } + if !acnpRemaining.Equal(tt.expectedACNPRemaining) { + t.Errorf("Unexpected stale ACNP cleanup result. Expected: %v, Actual: %v", tt.expectedACNPRemaining, acnpRemaining) + } + }) + } +} + func TestStaleController_CleanupResourceExport(t *testing.T) { localClusterID = "cluster-a" remoteMgr := commonarea.NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) diff --git a/multicluster/controllers/multicluster/test_data.go b/multicluster/controllers/multicluster/test_data.go index e8683da85cf..160db53e4c8 100644 --- a/multicluster/controllers/multicluster/test_data.go +++ b/multicluster/controllers/multicluster/test_data.go @@ -29,6 +29,7 @@ import ( k8smcsapi "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" + crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) var ( @@ -115,4 +116,5 @@ func init() { utilruntime.Must(mcsv1alpha1.AddToScheme(scheme)) utilruntime.Must(k8smcsapi.AddToScheme(scheme)) utilruntime.Must(k8sscheme.AddToScheme(scheme)) + utilruntime.Must(crdv1alpha1.AddToScheme(scheme)) } 
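Review bot: `ctx := context.TODO()` inside the subtest appears to shadow the package-level `ctx` that the controller methods use (`c.List(ctx, ...)` in stale_controller.go takes no context parameter); reusing the existing `ctx` avoids a vet shadow warning and keeps the test and controller on the same context. The table has a single case, so the Kind filter in `cleanupACNPResources` is not exercised: a case with a `common.ServiceKind` ResourceImport whose `Spec.Name` equals `acnpImportName` (the annotated ACNP should then be deleted) and a case with an empty `existResImpList` would cover the two branches that matter for the fail-open behaviour. Assigning the package-level `localClusterID = "cluster-a"` at the top of the test, as `TestStaleController_CleanupService` also does, couples the tests through shared state; a local variable would be cleaner if the helpers allow it.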
diff --git a/pkg/apis/crd/v1alpha1/types.go b/pkg/apis/crd/v1alpha1/types.go index 12cc33f2eb4..4d475d17b62 100644 --- a/pkg/apis/crd/v1alpha1/types.go +++ b/pkg/apis/crd/v1alpha1/types.go @@ -314,12 +314,12 @@ type NetworkPolicySpec struct { // Currently Ingress rule supports setting the `From` field but not the `To` // field within a Rule. // +optional - Ingress []Rule `json:"ingress"` + Ingress []Rule `json:"ingress,omitempty"` // Set of egress rules evaluated based on the order in which they are set. // Currently Egress rule supports setting the `To` field but not the `From` // field within a Rule. // +optional - Egress []Rule `json:"egress"` + Egress []Rule `json:"egress,omitempty"` } // NetworkPolicyPhase defines the phase in which a NetworkPolicy is. @@ -360,12 +360,12 @@ type Rule struct { // Rule is matched if traffic originates from workloads selected by // this field. If this field is empty, this rule matches all sources. // +optional - From []NetworkPolicyPeer `json:"from"` + From []NetworkPolicyPeer `json:"from,omitempty"` // Rule is matched if traffic is intended for workloads selected by // this field. This field can't be used with ToServices. If this field // and ToServices are both empty or missing this rule matches all destinations. // +optional - To []NetworkPolicyPeer `json:"to"` + To []NetworkPolicyPeer `json:"to,omitempty"` // Rule is matched if traffic is intended for a Service listed in this field. // Currently only ClusterIP types Services are supported in this field. This field // can only be used when AntreaProxy is enabled. This field can't be used with To 
@@ -376,9 +376,10 @@ type Rule struct { // Name describes the intention of this rule. // Name should be unique within the policy. // +optional - Name string `json:"name"` + Name string `json:"name,omitempty"` // EnableLogging is used to indicate if agent should generate logs // when rules are matched. Should be default to false. + // +optional EnableLogging bool `json:"enableLogging"` // Select workloads on which this rule will be applied to. Cannot be set in // conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. @@ -538,12 +539,12 @@ type ClusterNetworkPolicySpec struct { // Currently Ingress rule supports setting the `From` field but not the `To` // field within a Rule. // +optional - Ingress []Rule `json:"ingress"` + Ingress []Rule `json:"ingress,omitempty"` // Set of egress rules evaluated based on the order in which they are set. // Currently Egress rule supports setting the `To` field but not the `From` // field within a Rule. // +optional - Egress []Rule `json:"egress"` + Egress []Rule `json:"egress,omitempty"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
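Review bot: In the `@@ -376` hunk of this file `EnableLogging` gains `// +optional` but its tag stays `json:"enableLogging"`, while every other field marked optional in these hunks received `,omitempty`; because the zero value `false` is always serialized, the marker and the tag disagree, so either add `omitempty` or note `// Always serialized so consumers see an explicit false.` above it. Adding `omitempty` to `Ingress`, `Egress`, `From`, `To` and `Name` also changes the wire format for existing objects (an empty or nil list is now omitted rather than written out), which is worth a line in the change description for anyone comparing serialized specs, for example in the multicluster export/import path this commit introduces. The `ClusterNetworkPolicySpec` struct begins outside this hunk.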