update networkpolicy_type and add validation

ironcore-dev · Apr 22, 2024 · 0bd2a26 · 0bd2a26
1 parent 61416a7
commit 0bd2a26
Show file tree

Hide file tree

Showing 10 changed files with 329 additions and 12 deletions.
diff --git a/api/core/v1alpha1/networkpolicy_types.go b/api/core/v1alpha1/networkpolicy_types.go
@@ -15,6 +15,12 @@ type NetworkPolicySpec struct {
 	NetworkRef corev1.LocalObjectReference `json:"networkRef"`
 	// NetworkInterfaceSelector selects the network interfaces that are subject to this policy.
 	NetworkInterfaceSelector metav1.LabelSelector `json:"networkInterfaceSelector"`
+	// Priority is an optional field that specifies the order in which the policy is applied.
+	// Policies with higher "order" are applied after those with lower
+	// order.  If the order is omitted, it may be considered to be "infinite" - i.e. the
+	// policy will be applied last.  Policies with identical order will be applied in
+	// alphanumerical order based on the Policy "Name".
+	Priority *int32 `json:"priority,omitempty"`
 	// Ingress specifies rules for ingress traffic.
 	Ingress []NetworkPolicyIngressRule `json:"ingress,omitempty"`
 	// Egress specifies rules for egress traffic.
@@ -53,7 +59,7 @@ type IPBlock struct {
 type NetworkPolicyPeer struct {
 	// ObjectSelector selects peers with the given kind matching the label selector.
 	// Exclusive with other peer specifiers.
-	ObjectSelector ObjectSelector `json:"objectSelector,omitempty"`
+	ObjectSelector *ObjectSelector `json:"objectSelector,omitempty"`
 	// IPBlock specifies the ip block from or to which network traffic may come.
 	IPBlock *IPBlock `json:"ipBlock,omitempty"`
 }

diff --git a/api/core/v1alpha1/zz_generated.deepcopy.go b/api/core/v1alpha1/zz_generated.deepcopy.go
diff --git a/client-go/applyconfigurations/core/v1alpha1/networkpolicyspec.go b/client-go/applyconfigurations/core/v1alpha1/networkpolicyspec.go
diff --git a/client-go/applyconfigurations/internal/internal.go b/client-go/applyconfigurations/internal/internal.go
diff --git a/client-go/openapi/zz_generated.openapi.go b/client-go/openapi/zz_generated.openapi.go
diff --git a/internal/apis/core/networkpolicy_types.go b/internal/apis/core/networkpolicy_types.go
@@ -15,6 +15,12 @@ type NetworkPolicySpec struct {
 	NetworkRef corev1.LocalObjectReference `json:"networkRef"`
 	// NetworkInterfaceSelector selects the network interfaces that are subject to this policy.
 	NetworkInterfaceSelector metav1.LabelSelector `json:"networkInterfaceSelector"`
+	// Priority is an optional field that specifies the order in which the policy is applied.
+	// Policies with higher "order" are applied after those with lower
+	// order.  If the order is omitted, it may be considered to be "infinite" - i.e. the
+	// policy will be applied last.  Policies with identical order will be applied in
+	// alphanumerical order based on the Policy "Name".
+	Priority *int32 `json:"priority,omitempty"`
 	// Ingress specifies rules for ingress traffic.
 	Ingress []NetworkPolicyIngressRule `json:"ingress,omitempty"`
 	// Egress specifies rules for egress traffic.
@@ -53,7 +59,7 @@ type IPBlock struct {
 type NetworkPolicyPeer struct {
 	// ObjectSelector selects peers with the given kind matching the label selector.
 	// Exclusive with other peer specifiers.
-	ObjectSelector ObjectSelector `json:"objectSelector,omitempty"`
+	ObjectSelector *ObjectSelector `json:"objectSelector,omitempty"`
 	// IPBlock specifies the ip block from or to which network traffic may come.
 	IPBlock *IPBlock `json:"ipBlock,omitempty"`
 }

diff --git a/internal/apis/core/v1alpha1/zz_generated.conversion.go b/internal/apis/core/v1alpha1/zz_generated.conversion.go
diff --git a/internal/apis/core/validation/common.go b/internal/apis/core/validation/common.go
@@ -8,7 +8,9 @@ import (
 	"sort"
 
 	"github.com/ironcore-dev/ironcore-net/apimachinery/api/net"
+	"github.com/ironcore-dev/ironcore-net/apimachinery/equality"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/validation"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
@@ -35,6 +37,12 @@ var IPFamilies = sets.New(
 	corev1.IPv6Protocol,
 )
 
+var supportedProtocols = sets.New(
+	corev1.ProtocolTCP,
+	corev1.ProtocolUDP,
+	corev1.ProtocolSCTP,
+)
+
 func ValidateIPFamily(ipFamily corev1.IPFamily, fldPath *field.Path) field.ErrorList {
 	return ValidateEnum(IPFamilies, ipFamily, fldPath, "must specify IP family")
 }
@@ -46,3 +54,15 @@ func ValidateIPMatchesFamily(ip net.IP, ipFamily corev1.IPFamily, fldPath *field
 	}
 	return allErrs
 }
+
+func ValidateImmutableField(newVal, oldVal interface{}, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+	if !equality.Semantic.DeepEqual(oldVal, newVal) {
+		allErrs = append(allErrs, field.Forbidden(fldPath, validation.FieldImmutableErrorMsg))
+	}
+	return allErrs
+}
+
+func ValidateProtocol(protocol corev1.Protocol, fldPath *field.Path) field.ErrorList {
+	return ValidateEnum(supportedProtocols, protocol, fldPath, "must specify protocol")
+}