From 0e5fc9d7c7903b09872d60ca4d1d7c265bb6d5ee Mon Sep 17 00:00:00 2001 From: Kumar Atish Date: Thu, 16 Nov 2023 17:38:39 +0530 Subject: [PATCH] Add Controlplane changes for NodeNetworkPolicy Signed-off-by: Kumar Atish
---
 .../antrea/crds/clusternetworkpolicy.yaml | 27 ++ build/yamls/antrea-aks.yml | 27 ++ build/yamls/antrea-crds.yml | 27 ++ build/yamls/antrea-eks.yml | 27 ++ build/yamls/antrea-gke.yml | 27 ++ build/yamls/antrea-ipsec.yml | 27 ++ build/yamls/antrea.yml | 27 ++ .../antrea-multicluster-leader-global.yml | 320 +++++++++++++++++- .../yamls/antrea-multicluster-leader.yml | 320 +++++++++++++++++- ...cluster.crd.antrea.io_resourceexports.yaml | 160 ++++++++- ...cluster.crd.antrea.io_resourceimports.yaml | 160 ++++++++- pkg/apis/crd/v1beta1/types.go | 6 +- pkg/apis/crd/v1beta1/zz_generated.deepcopy.go | 5 + pkg/apiserver/openapi/zz_generated.openapi.go | 8 +- .../networkpolicy/adminnetworkpolicy.go | 4 +- .../networkpolicy/antreanetworkpolicy.go | 2 +- .../networkpolicy/clusternetworkpolicy.go | 16 +- .../clusternetworkpolicy_test.go | 88 +++++ .../networkpolicy/networkpolicy_controller.go | 42 ++- .../networkpolicy_controller_test.go | 209 +++++++++++- 20 files changed, 1440 insertions(+), 89 deletions(-)
diff --git a/build/charts/antrea/crds/clusternetworkpolicy.yaml b/build/charts/antrea/crds/clusternetworkpolicy.yaml
index f28acf63c97..44236e82f32 100644
--- a/build/charts/antrea/crds/clusternetworkpolicy.yaml
+++ b/build/charts/antrea/crds/clusternetworkpolicy.yaml
@@ -825,6 +825,33 @@ spec: required: - name - namespace + nodeSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ingress: type: array items: diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml index f33bf08c677..1ef2c3d9858 100644 --- a/build/yamls/antrea-aks.yml +++ b/build/yamls/antrea-aks.yml @@ -1522,6 +1522,33 @@ spec: required: - name - namespace + nodeSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ingress: type: array items: diff --git a/build/yamls/antrea-crds.yml b/build/yamls/antrea-crds.yml index 4aa9e2d2f8a..a215b73db1e 100644 --- a/build/yamls/antrea-crds.yml +++ b/build/yamls/antrea-crds.yml @@ -1515,6 +1515,33 @@ spec: required: - name - namespace + nodeSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ingress: type: array items: 
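Review bot: The property added under `appliedTo` is spelled `nodeSelector` in this hand-maintained schema, while the controller-gen output in the same patch (the multicluster hunks at L5 and their counterparts in antrea-multicluster-leader.yml and resourceexports.yaml at L15 and L25) emits it as `NodeSelector`, which points to the new field on the v1beta1 `AppliedTo` type lacking a `json:"nodeSelector,omitempty"` tag; types.go is not in view, so confirm there, but the two schemas must agree or objects accepted by this CRD will not round-trip through the Go type. This schema also cannot express the "Cannot be set with any other selector" rule stated in the generated descriptions, so that exclusivity presumably lives in the validating webhook (clusternetworkpolicy.go in the diffstat) and deserves a test that an `appliedTo` entry carrying both `nodeSelector` and `externalEntitySelector` is rejected, since a selector that silently extends a policy to Nodes changes which host traffic is governed. Unlike the generated schema, the `matchExpressions` item here does not mark `key` and `operator` as `required`; if the other selectors in this file do, a one-line `required: [key, operator]` under the item would bring the chart in line. Finally, consider documenting what an empty `nodeSelector: {}` selects, presumably every Node, because a Drop rule applied that broadly also reaches the control-plane hosts.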
diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index b01e8967873..93b1aabb4c0 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml @@ -1522,6 +1522,33 @@ spec: required: - name - namespace + nodeSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ingress: type: array items: diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index 774d45b3570..3c6e6672e4d 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml @@ -1522,6 +1522,33 @@ spec: required: - name - namespace + nodeSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ingress: type: array items: diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index 4a1dd0423b8..c9d98a1ad03 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml 
@@ -1522,6 +1522,33 @@ spec: required: - name - namespace + nodeSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ingress: type: array items: diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 28a9c10267d..be479357a08 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -1522,6 +1522,33 @@ spec: required: - name - namespace + nodeSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ingress: type: array items: diff --git a/multicluster/build/yamls/antrea-multicluster-leader-global.yml b/multicluster/build/yamls/antrea-multicluster-leader-global.yml index fdd9566627f..4aae9b4e50d 100644 --- a/multicluster/build/yamls/antrea-multicluster-leader-global.yml +++ b/multicluster/build/yamls/antrea-multicluster-leader-global.yml 
@@ -511,6 +511,52 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads in AppliedTo + fields. Cannot be set with any other selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set with 
@@ -709,6 +755,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -1054,8 +1149,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -1461,8 +1556,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -1624,6 +1719,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -1969,8 +2113,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -2376,8 +2520,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -3278,6 +3422,52 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads in AppliedTo + fields. Cannot be set with any other selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set with 
@@ -3476,6 +3666,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -3821,8 +4060,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -4228,8 +4467,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -4391,6 +4630,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -4736,8 +5024,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -5143,8 +5431,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label diff --git a/multicluster/build/yamls/antrea-multicluster-leader.yml b/multicluster/build/yamls/antrea-multicluster-leader.yml index b61e0e84141..295b0da8029 100644 --- a/multicluster/build/yamls/antrea-multicluster-leader.yml +++ b/multicluster/build/yamls/antrea-multicluster-leader.yml 
@@ -511,6 +511,52 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads in AppliedTo + fields. Cannot be set with any other selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set with 
@@ -709,6 +755,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -1054,8 +1149,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -1461,8 +1556,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -1624,6 +1719,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -1969,8 +2113,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -2376,8 +2520,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -3278,6 +3422,52 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads in AppliedTo + fields. Cannot be set with any other selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set with 
@@ -3476,6 +3666,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -3821,8 +4060,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -4228,8 +4467,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -4391,6 +4630,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -4736,8 +5024,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -5143,8 +5431,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml index 9b44e3db695..f450e0d94ad 100644 --- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml +++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml 
@@ -101,6 +101,52 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads in AppliedTo + fields. Cannot be set with any other selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set with 
@@ -299,6 +345,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -644,8 +739,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -1051,8 +1146,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -1214,6 +1309,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -1559,8 +1703,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -1966,8 +2110,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml index 155dfeb9901..f6dd03276bd 100644 --- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml +++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml 
@@ -99,6 +99,52 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads in AppliedTo + fields. Cannot be set with any other selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set with 
@@ -297,6 +343,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -642,8 +737,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -1049,8 +1144,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -1212,6 +1307,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -1557,8 +1701,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -1964,8 +2108,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label diff --git a/pkg/apis/crd/v1beta1/types.go b/pkg/apis/crd/v1beta1/types.go index 77aa05e6d4b..9e40241400f 100644 --- a/pkg/apis/crd/v1beta1/types.go +++ b/pkg/apis/crd/v1beta1/types.go @@ -558,7 +558,7 @@ type NetworkPolicyPeer struct { // +optional ServiceAccount *NamespacedName `json:"serviceAccount,omitempty"` // Select certain Nodes which match the label selector. - // A NodeSelector cannot be set in AppliedTo field or set with any other selector. + // A NodeSelector cannot be set with any other selector. // +optional NodeSelector *metav1.LabelSelector `json:"nodeSelector,omitempty"` // Define scope of the Pod/NamespaceSelector(s) of this peer. @@ -607,6 +607,10 @@ type AppliedTo struct { // Cannot be set with any other selector. // +optional Service *NamespacedName `json:"service,omitempty"` + // Select Nodes in cluster as workloads in AppliedTo fields. + // Cannot be set with any other selector. + // +optional + NodeSelector *metav1.LabelSelector `json:"nodeSelector,omitempty"` } type PeerNamespaces struct { diff --git a/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go b/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go index 25d2e149bb8..404f9fb8360 100644 --- a/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go +++ b/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go 
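Review bot: The multicluster CRD schemas regenerated in this same commit spell the new appliedTo property `NodeSelector` (capital N) while the field added to AppliedTo here is tagged `json:"nodeSelector,omitempty"` and the antrea CRDs use `nodeSelector`, so the ResourceExport/ResourceImport YAMLs look like they were generated before the json tag was added. If those CRDs are structural with pruning enabled, a `nodeSelector` key in an exported ClusterNetworkPolicy would not match the schema and would be silently dropped, which changes what the imported policy applies to. Regenerate the multicluster CRDs from this version of the type so the property is `nodeSelector` everywhere. The NetworkPolicyPeer doc change in the -558 hunk is consistent with the new field and needs nothing further.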
@@ -221,6 +221,11 @@ func (in *AppliedTo) DeepCopyInto(out *AppliedTo) { *out = new(NamespacedName) **out = **in } + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } return } diff --git a/pkg/apiserver/openapi/zz_generated.openapi.go b/pkg/apiserver/openapi/zz_generated.openapi.go index c7f00b2b8a8..fa1140155bf 100644 --- a/pkg/apiserver/openapi/zz_generated.openapi.go +++ b/pkg/apiserver/openapi/zz_generated.openapi.go @@ -2982,6 +2982,12 @@ func schema_pkg_apis_crd_v1beta1_AppliedTo(ref common.ReferenceCallback) common. Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.NamespacedName"), }, }, + "nodeSelector": { + SchemaProps: spec.SchemaProps{ + Description: "Select Nodes in cluster as workloads in AppliedTo fields. Cannot be set with any other selector.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), + }, + }, }, }, }, @@ -4570,7 +4576,7 @@ func schema_pkg_apis_crd_v1beta1_NetworkPolicyPeer(ref common.ReferenceCallback) }, "nodeSelector": { SchemaProps: spec.SchemaProps{ - Description: "Select certain Nodes which match the label selector. A NodeSelector cannot be set in AppliedTo field or set with any other selector.", + Description: "Select certain Nodes which match the label selector. A NodeSelector cannot be set with any other selector.", Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), }, }, diff --git a/pkg/controller/networkpolicy/adminnetworkpolicy.go b/pkg/controller/networkpolicy/adminnetworkpolicy.go index acf4d374ee3..3ef269022dc 100644 --- a/pkg/controller/networkpolicy/adminnetworkpolicy.go +++ b/pkg/controller/networkpolicy/adminnetworkpolicy.go 
@@ -244,9 +244,9 @@ func (n *NetworkPolicyController) processClusterSubject(subject v1alpha1.AdminNe var appliedToGroups []*antreatypes.AppliedToGroup var atg *antreatypes.AppliedToGroup if subject.Pods != nil { - atg = n.createAppliedToGroup("", &subject.Pods.PodSelector, &subject.Pods.NamespaceSelector, nil) + atg = n.createAppliedToGroup("", &subject.Pods.PodSelector, &subject.Pods.NamespaceSelector, nil, nil) } else if subject.Namespaces != nil { - atg = n.createAppliedToGroup("", nil, subject.Namespaces, nil) + atg = n.createAppliedToGroup("", nil, subject.Namespaces, nil, nil) } if atg != nil { appliedToGroups = append(appliedToGroups, atg) diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy.go b/pkg/controller/networkpolicy/antreanetworkpolicy.go index e0af393993d..6ff8e5bbc2a 100644 --- a/pkg/controller/networkpolicy/antreanetworkpolicy.go +++ b/pkg/controller/networkpolicy/antreanetworkpolicy.go @@ -181,7 +181,7 @@ func (n *NetworkPolicyController) processAppliedTo(namespace string, appliedTo [ if at.Group != "" { atg = n.createAppliedToGroupForGroup(namespace, at.Group) } else { - atg = n.createAppliedToGroup(namespace, at.PodSelector, at.NamespaceSelector, at.ExternalEntitySelector) + atg = n.createAppliedToGroup(namespace, at.PodSelector, at.NamespaceSelector, at.ExternalEntitySelector, nil) } if atg != nil { appliedToGroups = append(appliedToGroups, atg) diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go index ae595fd9135..14d24e1417d 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy.go 
@@ -347,14 +347,14 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1beta1.Cl if hasPerNamespaceRule && len(cnp.Spec.AppliedTo) > 0 { for _, at := range cnp.Spec.AppliedTo { if at.ServiceAccount != nil { - atg := n.createAppliedToGroup(at.ServiceAccount.Namespace, serviceAccountNameToPodSelector(at.ServiceAccount.Name), nil, nil) + atg := n.createAppliedToGroup(at.ServiceAccount.Namespace, serviceAccountNameToPodSelector(at.ServiceAccount.Name), nil, nil, nil) appliedToGroups = mergeAppliedToGroups(appliedToGroups, atg) clusterAppliedToAffectedNS = append(clusterAppliedToAffectedNS, at.ServiceAccount.Namespace) atgForNamespace = append(atgForNamespace, atg) } else { affectedNS := n.getAffectedNamespacesForAppliedTo(at) for _, ns := range affectedNS { - atg := n.createAppliedToGroup(ns, at.PodSelector, nil, at.ExternalEntitySelector) + atg := n.createAppliedToGroup(ns, at.PodSelector, nil, at.ExternalEntitySelector, nil) appliedToGroups = mergeAppliedToGroups(appliedToGroups, atg) clusterAppliedToAffectedNS = append(clusterAppliedToAffectedNS, ns) atgForNamespace = append(atgForNamespace, atg) @@ -422,7 +422,7 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1beta1.Cl // Create a rule for each affected Namespace of appliedTo at rule level for _, at := range cnpRule.AppliedTo { if at.ServiceAccount != nil { - atg := n.createAppliedToGroup(at.ServiceAccount.Namespace, serviceAccountNameToPodSelector(at.ServiceAccount.Name), nil, nil) + atg := n.createAppliedToGroup(at.ServiceAccount.Namespace, serviceAccountNameToPodSelector(at.ServiceAccount.Name), nil, nil, nil) klog.V(4).Infof("Adding a new per-namespace rule with appliedTo %v for rule %d of %s", atg, idx, cnp.Name) peer, ags, selKeys := n.toNamespacedPeerForCRD(perNSPeers, cnp, at.ServiceAccount.Namespace) clusterSetScopeSelectorKeys = clusterSetScopeSelectorKeys.Union(selKeys) 
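Review bot: In the hasPerNamespaceRule loop of the -347 hunk an AppliedTo that sets only NodeSelector falls into the `else` branch and is expanded per Namespace through `createAppliedToGroup(ns, at.PodSelector, nil, at.ExternalEntitySelector, nil)` with both selectors nil, so the Node selector is dropped and, if getAffectedNamespacesForAppliedTo treats a nil NamespaceSelector as every Namespace, the policy would end up applying to all Pods instead of the selected Nodes. The same path exists for rule-level AppliedTo in the -422 hunk and in the -430 hunk on the next line. Since a Node has no Namespace for a per-namespace rule to resolve against, the combination should probably be rejected at validation; if it is meant to be allowed, add `} else if at.NodeSelector != nil {` ahead of the generic `else` and create the group with `n.createAppliedToGroup("", nil, nil, nil, at.NodeSelector)` so the Node selector is honoured. processClusterNetworkPolicy begins before this hunk and continues after it.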
@@ -430,7 +430,7 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1beta1.Cl } else { affectedNS := n.getAffectedNamespacesForAppliedTo(at) for _, ns := range affectedNS { - atg := n.createAppliedToGroup(ns, at.PodSelector, nil, at.ExternalEntitySelector) + atg := n.createAppliedToGroup(ns, at.PodSelector, nil, at.ExternalEntitySelector, nil) klog.V(4).Infof("Adding a new per-namespace rule with appliedTo %v for rule %d of %s", atg, idx, cnp.Name) peer, ags, selKeys := n.toNamespacedPeerForCRD(perNSPeers, cnp, ns) clusterSetScopeSelectorKeys = clusterSetScopeSelectorKeys.Union(selKeys) @@ -505,14 +505,16 @@ func (n *NetworkPolicyController) processClusterAppliedTo(appliedTo []crdv1beta1 var appliedToGroups []*antreatypes.AppliedToGroup for _, at := range appliedTo { var atg *antreatypes.AppliedToGroup - if at.Group != "" { + if at.NodeSelector != nil { + atg = n.createAppliedToGroup("", nil, nil, nil, at.NodeSelector) + } else if at.Group != "" { atg = n.createAppliedToGroupForGroup("", at.Group) } else if at.Service != nil { atg = n.createAppliedToGroupForService(at.Service) } else if at.ServiceAccount != nil { - atg = n.createAppliedToGroup(at.ServiceAccount.Namespace, serviceAccountNameToPodSelector(at.ServiceAccount.Name), nil, nil) + atg = n.createAppliedToGroup(at.ServiceAccount.Namespace, serviceAccountNameToPodSelector(at.ServiceAccount.Name), nil, nil, nil) } else { - atg = n.createAppliedToGroup("", at.PodSelector, at.NamespaceSelector, at.ExternalEntitySelector) + atg = n.createAppliedToGroup("", at.PodSelector, at.NamespaceSelector, at.ExternalEntitySelector, nil) } if atg != nil { appliedToGroups = append(appliedToGroups, atg) diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go index 08c40914817..604f354371d 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go 
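Review bot: The new `if at.NodeSelector != nil` branch in processClusterAppliedTo is evaluated before Group, Service, ServiceAccount and the Pod/Namespace/ExternalEntity selectors, so an AppliedTo that sets NodeSelector together with any of them is silently narrowed to the Nodes and the other selectors are ignored; nothing in this diff enforces the "Cannot be set with any other selector" contract stated on the field (no validation file appears in the diffstat). A policy that ends up applied to Nodes instead of the intended Pods, or the reverse, is hard to notice after the fact, so the exclusivity should be rejected at admission rather than resolved by branch order. Until then, make the precedence explicit with a comment above the branch, e.g. `// NodeSelector wins over every other selector; validation is expected to reject it alongside any of them.` processClusterAppliedTo continues past the end of the hunk.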
@@ -1686,6 +1686,94 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { expectedAppliedToGroups: 1, expectedAddressGroups: 1, }, + { + name: "apply-to-Node", + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{Name: "cnpZ", UID: "uidZ"}, + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ + {NodeSelector: &selectorA}, + }, + Priority: p10, + Ingress: []crdv1beta1.Rule{ + { + Ports: []crdv1beta1.NetworkPolicyPort{ + { + Port: &int80, + }, + }, + From: []crdv1beta1.NetworkPolicyPeer{ + { + PodSelector: &selectorB, + NamespaceSelector: &selectorC, + }, + }, + Action: &allowAction, + }, + }, + Egress: []crdv1beta1.Rule{ + { + Ports: []crdv1beta1.NetworkPolicyPort{ + { + Port: &int81, + }, + }, + To: []crdv1beta1.NetworkPolicyPeer{ + { + PodSelector: &selectorB, + NamespaceSelector: &selectorC, + }, + }, + Action: &allowAction, + }, + }, + }, + }, + expectedPolicy: &antreatypes.NetworkPolicy{ + UID: "uidZ", + Name: "uidZ", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaClusterNetworkPolicy, + Name: "cnpZ", + UID: "uidZ", + }, + Priority: &p10, + TierPriority: &DefaultTierPriority, + Rules: []controlplane.NetworkPolicyRule{ + { + Direction: controlplane.DirectionIn, + 
From: controlplane.NetworkPolicyPeer{ + AddressGroups: []string{getNormalizedUID(antreatypes.NewGroupSelector("", &selectorB, &selectorC, nil, nil).NormalizedName)}, + }, + Services: []controlplane.Service{ + { + Protocol: &protocolTCP, + Port: &int80, + }, + }, + Priority: 0, + Action: &allowAction, + }, + { + Direction: controlplane.DirectionOut, + To: controlplane.NetworkPolicyPeer{ + AddressGroups: []string{getNormalizedUID(antreatypes.NewGroupSelector("", &selectorB, &selectorC, nil, nil).NormalizedName)}, + }, + Services: []controlplane.Service{ + { + Protocol: &protocolTCP, + Port: &int81, + }, + }, + Priority: 0, + Action: &allowAction, + }, + }, + AppliedToGroups: []string{getNormalizedUID(antreatypes.NewGroupSelector("", nil, nil, nil, &selectorA).NormalizedName)}, + }, + expectedAppliedToGroups: 1, + expectedAddressGroups: 1, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go index 6c8f3b185f4..3e83e2017f4 100644 --- a/pkg/controller/networkpolicy/networkpolicy_controller.go +++ b/pkg/controller/networkpolicy/networkpolicy_controller.go @@ -600,8 +600,8 @@ func getNormalizedUID(name string) string { } // createAppliedToGroup creates an AppliedToGroup object corresponding to the provided selectors. -func (n *NetworkPolicyController) createAppliedToGroup(npNsName string, pSel, nSel, eSel *metav1.LabelSelector) *antreatypes.AppliedToGroup { - groupSelector := antreatypes.NewGroupSelector(npNsName, pSel, nSel, eSel, nil) +func (n *NetworkPolicyController) createAppliedToGroup(npNsName string, pSel, nSel, eSel, nodeSel *metav1.LabelSelector) *antreatypes.AppliedToGroup { + groupSelector := antreatypes.NewGroupSelector(npNsName, pSel, nSel, eSel, nodeSel) appliedToGroupUID := getNormalizedUID(groupSelector.NormalizedName) // Construct a new AppliedToGroup. appliedToGroup := &antreatypes.AppliedToGroup{ 
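Review bot: createAppliedToGroup now takes four consecutive `*metav1.LabelSelector` parameters that every caller in this commit fills positionally with `nil`, which makes it easy to put a selector in the wrong slot, and the doc comment does not say how the new `nodeSel` relates to the others. Extend the comment to `// createAppliedToGroup creates an AppliedToGroup object corresponding to the provided Pod, Namespace, ExternalEntity and Node selectors; nodeSel is expected to be used on its own, with the other three nil.` — the "on its own" part follows the AppliedTo doc in types.go and should be confirmed against the caller behaviour. The function body continues past the hunk.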
@@ -691,7 +691,7 @@ func (n *NetworkPolicyController) processNetworkPolicy(np *networkingv1.NetworkP // addressGroups tracks all distinct AddressGroups referred to by the K8s NetworkPolicy. addressGroups := map[string]*antreatypes.AddressGroup{} - newAppliedToGroup := n.createAppliedToGroup(np.Namespace, &np.Spec.PodSelector, nil, nil) + newAppliedToGroup := n.createAppliedToGroup(np.Namespace, &np.Spec.PodSelector, nil, nil, nil) appliedToGroups = mergeAppliedToGroups(appliedToGroups, newAppliedToGroup) rules := make([]controlplane.NetworkPolicyRule, 0, len(np.Spec.Ingress)+len(np.Spec.Egress)) // Retrieve Namespace logging annotation. @@ -1115,7 +1115,7 @@ func (c *NetworkPolicyController) getNodeMemberSet(selector labels.Selector) con groupMemberSet := controlplane.GroupMemberSet{} nodes, _ := c.nodeLister.List(selector) for _, node := range nodes { - groupMemberSet.Insert(nodeToGroupMember(node)) + groupMemberSet.Insert(nodeToGroupMember(node, true)) } return groupMemberSet } @@ -1215,14 +1215,16 @@ func podToGroupMember(pod *v1.Pod, includeIP bool) *controlplane.GroupMember { return memberPod } -func nodeToGroupMember(node *v1.Node) (member *controlplane.GroupMember) { +func nodeToGroupMember(node *v1.Node, includeIP bool) (member *controlplane.GroupMember) { member = &controlplane.GroupMember{Node: &controlplane.NodeReference{Name: node.Name}} ips, err := k8s.GetNodeAllAddrs(node) if err != nil { klog.ErrorS(err, "Error getting Node IP addresses", "Node", node.Name) } - for ip := range ips { - member.IPs = append(member.IPs, ipStrToIPAddress(ip)) + if includeIP { + for ip := range ips { + member.IPs = append(member.IPs, ipStrToIPAddress(ip)) + } } return } 
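Review bot: nodeToGroupMember still calls `k8s.GetNodeAllAddrs(node)` and logs an error on failure even when the `includeIP` flag added in the -1215 hunk is false, so the new AppliedTo Node path does the address lookup and emits the error log line for a result it never uses. Move `ips, err := k8s.GetNodeAllAddrs(node)` and its `klog.ErrorS` check inside the `if includeIP {` block so only callers that need IPs pay for the lookup and see the error. The new parameter also deserves a doc comment, e.g. `// nodeToGroupMember builds the GroupMember for a Node; IPs are populated only when includeIP is true.`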
@@ -1300,7 +1302,7 @@ func (n *NetworkPolicyController) syncAppliedToGroup(key string) error { } klog.V(2).InfoS("Updating existing AppliedToGroup", "Service", *appliedToGroup.Service, "numNodes", appGroupNodeNames.Len()) } else { - pods, externalEntities, err := n.getAppliedToWorkloads(appliedToGroup) + pods, externalEntities, nodes, err := n.getAppliedToWorkloads(appliedToGroup) if err != nil { klog.ErrorS(err, "Error when getting AppliedTo workloads for AppliedToGroup", "AppliedToGroup", appliedToGroup.Name) updatedAppliedToGroup = &antreatypes.AppliedToGroup{ @@ -1342,6 +1344,15 @@ func (n *NetworkPolicyController) syncAppliedToGroup(key string) error { memberSetByNode[entityNodeKey] = entitySet appGroupNodeNames.Insert(entityNodeKey) } + for _, node := range nodes { + nodeSet := memberSetByNode[node.Name] + if nodeSet == nil { + nodeSet = controlplane.GroupMemberSet{} + } + nodeSet.Insert(nodeToGroupMember(node, false)) + memberSetByNode[node.Name] = nodeSet + appGroupNodeNames.Insert(node.Name) + } updatedAppliedToGroup = &antreatypes.AppliedToGroup{ UID: appliedToGroup.UID, Name: appliedToGroup.Name, 
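Review bot: The new Node loop in syncAppliedToGroup passes `false` to nodeToGroupMember while getNodeMemberSet passes `true`, and nothing says why AppliedTo Node members deliberately carry no IPs. Add a comment above the loop, e.g. `// AppliedTo Node members carry only the Node name; IPs are needed only for address-group members (see getNodeMemberSet).` — the reason is inferred from the two call sites and should be confirmed. The loop also repeats the get-or-create pattern of the Pod and ExternalEntity loops just above it, which the three could share through a small helper taking `memberSetByNode`, the Node name and the member. syncAppliedToGroup begins before this hunk and continues after it.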
@@ -1359,18 +1370,23 @@ func (n *NetworkPolicyController) syncAppliedToGroup(key string) error { return nil } -// getAppliedToWorkloads returns a list of workloads (Pods and ExternalEntities) selected by an AppliedToGroup -// for standalone selectors or corresponding to a ClusterGroup. -func (n *NetworkPolicyController) getAppliedToWorkloads(g *antreatypes.AppliedToGroup) ([]*v1.Pod, []*v1alpha2.ExternalEntity, error) { +// getAppliedToWorkloads returns a list of workloads (Pods, ExternalEntities or Nodes) selected by an AppliedToGroup +// for standalone selectors or Pods and ExternalEntities corresponding to a ClusterGroup. +func (n *NetworkPolicyController) getAppliedToWorkloads(g *antreatypes.AppliedToGroup) ([]*v1.Pod, []*v1alpha2.ExternalEntity, []*v1.Node, error) { // Check if an internal Group object exists corresponding to this AppliedToGroup group, found, _ := n.internalGroupStore.Get(g.Name) if found { // This AppliedToGroup is derived from a ClusterGroup. grp := group.(*antreatypes.Group) - return n.getInternalGroupWorkloads(grp) + pods, ees, err := n.getInternalGroupWorkloads(grp) + return pods, ees, nil, err + } + if g.Selector.NodeSelector != nil { + nodes, err := n.nodeLister.List(g.Selector.NodeSelector) + return nil, nil, nodes, err } pods, ees := n.groupingInterface.GetEntities(appliedToGroupType, g.Name) - return pods, ees, nil + return pods, ees, nil, nil } // getInternalGroupWorkloads returns a list of workloads (Pods and ExternalEntities) selected by a ClusterGroup. diff --git a/pkg/controller/networkpolicy/networkpolicy_controller_test.go b/pkg/controller/networkpolicy/networkpolicy_controller_test.go index 622f85c65bb..9459934d557 100644 --- a/pkg/controller/networkpolicy/networkpolicy_controller_test.go +++ b/pkg/controller/networkpolicy/networkpolicy_controller_test.go 
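Review bot: The new `g.Selector.NodeSelector != nil` check in getAppliedToWorkloads dereferences `g.Selector` without a nil guard; if an AppliedToGroup created through createAppliedToGroupForGroup can reach this point with a nil Selector while its internal Group is not yet in internalGroupStore, this panics where the previous code fell through to GetEntities. Guard it with `if g.Selector != nil && g.Selector.NodeSelector != nil {` unless Selector is guaranteed non-nil for every stored AppliedToGroup. The updated doc comment should also state that a Node-selecting group returns only the Node slice, e.g. `// For a NodeSelector-based group only the Node slice is populated; Pods and ExternalEntities are nil.`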
@@ -2520,6 +2520,7 @@ func TestInternalGroupKeyFunc(t *testing.T) { func TestGetAppliedToWorkloads(t *testing.T) { var emptyEEs []*v1alpha2.ExternalEntity var emptyPods []*corev1.Pod + var emptyNodes []*corev1.Node selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}} cgA := v1beta1.ClusterGroup{ ObjectMeta: metav1.ObjectMeta{Name: "cgA", UID: "uidA"}, @@ -2569,11 +2570,34 @@ func TestGetAppliedToWorkloads(t *testing.T) { podA.Labels = map[string]string{"foo1": "bar1"} podB := getPod("podB", "nsA", "nodeB", "10.0.0.2", false) podB.Labels = map[string]string{"foo3": "bar3"} + + selectorD := metav1.LabelSelector{ + MatchLabels: map[string]string{ + "foo4": "bar4", + }, + } + nodeSelector, _ := metav1.LabelSelectorAsSelector(&selectorD) + nodeGroup := antreatypes.GroupSelector{ + NodeSelector: nodeSelector, + } + nodeA := &corev1.Node{ + ObjectMeta: metav1.ObjectMeta{ + Name: "nodeA", + Labels: map[string]string{"foo4": "bar4"}, + }, + } + nodeB := &corev1.Node{ + ObjectMeta: metav1.ObjectMeta{ + Name: "nodeB", + Labels: map[string]string{"foo5": "bar5"}, + }, + } tests := []struct { - name string - inATG *antreatypes.AppliedToGroup - expPods []*corev1.Pod - expEEs []*v1alpha2.ExternalEntity + name string + inATG *antreatypes.AppliedToGroup + expPods []*corev1.Pod + expEEs []*v1alpha2.ExternalEntity + expNodes []*corev1.Node }{ { name: "atg-for-cg", @@ -2581,8 +2605,9 @@ func TestGetAppliedToWorkloads(t *testing.T) { Name: cgA.Name, UID: cgA.UID, }, - expPods: []*corev1.Pod{podA}, - expEEs: emptyEEs, + expPods: []*corev1.Pod{podA}, + expEEs: emptyEEs, + expNodes: emptyNodes, }, { name: "atg-for-cg-no-pod-match", @@ -2590,8 +2615,9 @@ func TestGetAppliedToWorkloads(t *testing.T) { Name: cgB.Name, UID: cgB.UID, }, - expPods: emptyPods, - expEEs: emptyEEs, + expPods: emptyPods, + expEEs: emptyEEs, + expNodes: emptyNodes, }, { name: "atg-for-nested-cg-one-child-empty", 
@@ -2599,8 +2625,9 @@ func TestGetAppliedToWorkloads(t *testing.T) {
 				Name: nestedCG1.Name,
 				UID:  nestedCG1.UID,
 			},
-			expPods: []*corev1.Pod{podA},
-			expEEs:  emptyEEs,
+			expPods:  []*corev1.Pod{podA},
+			expEEs:   emptyEEs,
+			expNodes: emptyNodes,
 		},
 		{
 			name: "atg-for-nested-cg-both-children-match-pod",
@@ -2608,8 +2635,9 @@ func TestGetAppliedToWorkloads(t *testing.T) {
 				Name: nestedCG2.Name,
 				UID:  nestedCG2.UID,
 			},
-			expPods: []*corev1.Pod{podA, podB},
-			expEEs:  emptyEEs,
+			expPods:  []*corev1.Pod{podA, podB},
+			expEEs:   emptyEEs,
+			expNodes: emptyNodes,
 		},
 		{
 			name: "atg-for-nested-cg-children-overlap-pod",
@@ -2617,11 +2645,25 @@ func TestGetAppliedToWorkloads(t *testing.T) {
 				Name: nestedCG3.Name,
 				UID:  nestedCG3.UID,
 			},
-			expPods: []*corev1.Pod{podA, podB},
-			expEEs:  emptyEEs,
+			expPods:  []*corev1.Pod{podA, podB},
+			expEEs:   emptyEEs,
+			expNodes: emptyNodes,
+		},
+		{
+			name: "atg-for-node",
+			inATG: &antreatypes.AppliedToGroup{
+				Selector: &nodeGroup,
+			},
+			expPods:  emptyPods,
+			expEEs:   emptyEEs,
+			expNodes: []*corev1.Node{nodeA},
 		},
 	}
-	_, c := newController(nil, nil)
+	_, c := newController([]runtime.Object{nodeA, nodeB}, nil)
+	stopCh := make(chan struct{})
+	defer close(stopCh)
+	c.informerFactory.Start(stopCh)
+	c.informerFactory.WaitForCacheSync(stopCh)
 	c.groupingInterface.AddPod(podA)
 	c.groupingInterface.AddPod(podB)
 	clusterGroups := []v1beta1.ClusterGroup{cgA, cgB, cgC, cgD, nestedCG1, nestedCG2}
@@ -2632,10 +2674,11 @@ func TestGetAppliedToWorkloads(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			actualPods, actualEEs, actualErr := c.getAppliedToWorkloads(tt.inATG)
+			actualPods, actualEEs, actualNodes, actualErr := c.getAppliedToWorkloads(tt.inATG)
 			assert.NoError(t, actualErr)
 			assert.Equal(t, tt.expEEs, actualEEs)
 			assert.Equal(t, tt.expPods, actualPods)
+			assert.Equal(t, tt.expNodes, actualNodes)
 		})
 	}
 }
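Review bot: The table gains only a positive Node case ("atg-for-node", third hunk); there is no case in which the NodeSelector matches no Node, so whether the Nodes result is nil or an empty slice on no match — exactly what `assert.Equal(t, tt.expNodes, actualNodes)` distinguishes — is never pinned. Add a case whose selector matches neither nodeA nor nodeB with `expNodes: emptyNodes`. The result of `c.informerFactory.WaitForCacheSync(stopCh)` is also dropped; checking each entry of the returned map with `require.True` would make a cache-sync failure fail fast instead of surfacing as an empty lister result.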
@@ -3782,6 +3825,69 @@ func TestSyncAppliedToGroupWithExternalEntity(t *testing.T) {
 	}
 }
 
+func TestSyncAppliedToGroupWithNode(t *testing.T) {
+	selector := metav1.LabelSelector{
+		MatchLabels: map[string]string{"foo1": "bar1"},
+	}
+	nodeA := &corev1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   "nodeA",
+			Labels: map[string]string{"foo1": "bar1"},
+		},
+	}
+	nodeB := &corev1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   "nodeB",
+			Labels: map[string]string{"foo1": "bar1"},
+		},
+	}
+	nodeC := &corev1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   "nodeC",
+			Labels: map[string]string{"foo2": "bar2"},
+		},
+	}
+
+	_, npc := newController([]runtime.Object{nodeA, nodeB, nodeC}, nil)
+	stopCh := make(chan struct{})
+	defer close(stopCh)
+	npc.informerFactory.Start(stopCh)
+	npc.informerFactory.WaitForCacheSync(stopCh)
+	groupSelector := antreatypes.NewGroupSelector("", nil, nil, nil, &selector)
+	appGroupID := getNormalizedUID(groupSelector.NormalizedName)
+	appliedToGroup := &antreatypes.AppliedToGroup{
+		Name:     appGroupID,
+		UID:      types.UID(appGroupID),
+		Selector: groupSelector,
+	}
+	npc.appliedToGroupStore.Create(appliedToGroup)
+	npc.syncAppliedToGroup(appGroupID)
+
+	expectedAppliedToGroup := &antreatypes.AppliedToGroup{
+		Name:     appGroupID,
+		UID:      types.UID(appGroupID),
+		Selector: groupSelector,
+		SpanMeta: antreatypes.SpanMeta{
+			NodeNames: sets.Set[string](sets.NewString("nodeA", "nodeB")),
+		},
+		GroupMemberByNode: map[string]controlplane.GroupMemberSet{
+			"nodeA": controlplane.NewGroupMemberSet(&controlplane.GroupMember{
+				Node: &controlplane.NodeReference{
+					Name: "nodeA",
+				},
+			}),
+			"nodeB": controlplane.NewGroupMemberSet(&controlplane.GroupMember{
+				Node: &controlplane.NodeReference{
+					Name: "nodeB",
+				},
+			}),
+		},
+	}
+	gotAppliedToGroupObj, _, _ := npc.appliedToGroupStore.Get(appGroupID)
+	gotAppliedToGroup := gotAppliedToGroupObj.(*antreatypes.AppliedToGroup)
+	assert.Equal(t, expectedAppliedToGroup, gotAppliedToGroup)
+}
+
 func checkQueueItemExistence(t *testing.T, queue workqueue.RateLimitingInterface, items ...string) {
 	require.Equal(t, len(items), queue.Len())
 	expectedItems := sets.New[string](items...)
@@ -3801,3 +3907,74 @@ func checkGroupItemExistence(t *testing.T, store storage.Interface, groups ...st
 		assert.True(t, exists)
 	}
 }
+
+func TestNodeToGroupMember(t *testing.T) {
+	tests := []struct {
+		name                string
+		node                *corev1.Node
+		includeIP           bool
+		expectedGroupMember *controlplane.GroupMember
+	}{
+		{
+			name: "node-to-group-member-with-ip",
+			node: &corev1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "node1",
+				},
+				Spec: corev1.NodeSpec{
+					PodCIDR: "172.16.10.0/24",
+				},
+				Status: corev1.NodeStatus{
+					Addresses: []corev1.NodeAddress{
+						{
+							Type:    corev1.NodeInternalIP,
+							Address: "192.168.1.2",
+						},
+					},
+				},
+			},
+			includeIP: true,
+			expectedGroupMember: &controlplane.GroupMember{
+				Node: &controlplane.NodeReference{
+					Name: "node1",
+				},
+				IPs: []controlplane.IPAddress{
+					ipStrToIPAddress("192.168.1.2"),
+					ipStrToIPAddress("172.16.10.1"),
+				},
+			},
+		},
+		{
+			name: "node-to-group-member-without-ip",
+			node: &corev1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "node2",
+				},
+				Spec: corev1.NodeSpec{
+					PodCIDR: "172.16.11.0/24",
+				},
+				Status: corev1.NodeStatus{
+					Addresses: []corev1.NodeAddress{
+						{
+							Type:    corev1.NodeInternalIP,
+							Address: "192.168.1.3",
+						},
+					},
+				},
+			},
+			includeIP: false,
+			expectedGroupMember: &controlplane.GroupMember{
+				Node: &controlplane.NodeReference{
+					Name: "node2",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotMember := nodeToGroupMember(tt.node, tt.includeIP)
+			assert.Equal(t, tt.expectedGroupMember.Node, gotMember.Node)
+			assert.ElementsMatch(t, tt.expectedGroupMember.IPs, gotMember.IPs)
+		})
+	}
+}
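Review bot: In TestSyncAppliedToGroupWithNode the error returned by `npc.syncAppliedToGroup(appGroupID)` is dropped, and `npc.appliedToGroupStore.Get(appGroupID)` discards both its found flag and its error right before the type assertion, so a sync failure would surface as a nil-interface panic instead of an assertion message. Write `require.NoError(t, npc.syncAppliedToGroup(appGroupID))` and `gotAppliedToGroupObj, found, err := npc.appliedToGroupStore.Get(appGroupID)` followed by `require.NoError(t, err); require.True(t, found)`. The expectation also encodes a non-obvious property that deserves a one-line comment above expectedAppliedToGroup, e.g. `// For a Node-selected group the span is the set of selected Nodes, each of which is its own single member.` Lastly, `sets.Set[string](sets.NewString("nodeA", "nodeB"))` can be written `sets.New[string]("nodeA", "nodeB")`, the form checkQueueItemExistence already uses.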
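Review bot: TestNodeToGroupMember's positive case expects `ipStrToIPAddress("172.16.10.1")` next to the InternalIP — the first address of `PodCIDR: "172.16.10.0/24"` — but nothing in the table says why, and there is no case for a Node with an empty PodCIDR, with dual-stack PodCIDRs, or with no InternalIP address, which are the inputs where an address-derivation helper is most likely to misbehave. Add a comment above the IPs list such as `// includeIP: the member carries the Node's InternalIP plus the first address of its PodCIDR.` and extend the table with those cases, asserting that the member is still well-formed when no address can be derived. nodeToGroupMember itself is outside this hunk, so the exact derivation rule is inferred from the expected values.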