diff --git a/build/charts/antrea/crds/clusternetworkpolicy.yaml b/build/charts/antrea/crds/clusternetworkpolicy.yaml index f28acf63c97..44236e82f32 100644 --- a/build/charts/antrea/crds/clusternetworkpolicy.yaml +++ b/build/charts/antrea/crds/clusternetworkpolicy.yaml @@ -825,6 +825,33 @@ spec: required: - name - namespace + nodeSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ingress: type: array items: diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml index f33bf08c677..1ef2c3d9858 100644 --- a/build/yamls/antrea-aks.yml +++ b/build/yamls/antrea-aks.yml @@ -1522,6 +1522,33 @@ spec: required: - name - namespace + nodeSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ingress: type: array items: diff --git a/build/yamls/antrea-crds.yml b/build/yamls/antrea-crds.yml index 4aa9e2d2f8a..a215b73db1e 100644 --- a/build/yamls/antrea-crds.yml +++ b/build/yamls/antrea-crds.yml 
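Review bot: The `matchExpressions` item object in the new `nodeSelector` block lists `key`, `operator` and `values` under `properties:` but declares no `required:` list, so an entry with no `operator` (or no `key`) passes the apiserver's schema validation and is only rejected later, if at all, by the validating webhook or the controller. The controller-gen schema for the same selector in the multicluster CRDs of this commit pins `required:` / `- key` / `- operator` under `items:`, and this hand-written schema should match it. The block also carries no `description`; the wording the generated CRDs use, `Select Nodes in cluster as workloads in AppliedTo fields. Cannot be set with any other selector.`, would document the mutual-exclusion rule for readers of the chart CRD. The copies of this hunk in build/yamls/antrea*.yml have the same omissions and presumably should be produced by re-running manifest generation after fixing this file.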
@@ -1515,6 +1515,33 @@ spec: required: - name - namespace + nodeSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ingress: type: array items: diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index b01e8967873..93b1aabb4c0 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml @@ -1522,6 +1522,33 @@ spec: required: - name - namespace + nodeSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ingress: type: array items: diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index 774d45b3570..3c6e6672e4d 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml @@ -1522,6 +1522,33 @@ spec: required: - name - namespace + nodeSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ingress: type: array items: 
diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index 4a1dd0423b8..c9d98a1ad03 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml @@ -1522,6 +1522,33 @@ spec: required: - name - namespace + nodeSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ingress: type: array items: diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 28a9c10267d..be479357a08 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -1522,6 +1522,33 @@ spec: required: - name - namespace + nodeSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ingress: type: array items: diff --git a/multicluster/build/yamls/antrea-multicluster-leader-global.yml b/multicluster/build/yamls/antrea-multicluster-leader-global.yml index fdd9566627f..4aae9b4e50d 100644 --- a/multicluster/build/yamls/antrea-multicluster-leader-global.yml +++ b/multicluster/build/yamls/antrea-multicluster-leader-global.yml 
@@ -511,6 +511,52 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads in AppliedTo + fields. Cannot be set with any other selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set with 
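Review bot: The generated schema exposes the new appliedTo property as `NodeSelector`, capital N, while every neighbouring property (`externalEntitySelector` here, and the `nodeSelector` added to the ClusterNetworkPolicy CRD in this same commit) is lowerCamelCase. Since these manifests come from controller-gen, this most likely means the Go field on the multicluster AppliedTo type was added without a `json:"nodeSelector,omitempty"` tag, so serialisation falls back to the Go field name. If so, a ResourceExport author who writes `nodeSelector` would likely have the field pruned as unknown and the exported policy would apply to no Nodes, with nothing in the API response to show why. The same capitalised field appears in the other NodeSelector hunks of this file, in antrea-multicluster-leader.yml and in multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml; fix the tag and regenerate rather than hand-editing the YAML.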
@@ -709,6 +755,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -1054,8 +1149,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -1461,8 +1556,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -1624,6 +1719,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -1969,8 +2113,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -2376,8 +2520,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -3278,6 +3422,52 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads in AppliedTo + fields. Cannot be set with any other selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set with 
@@ -3476,6 +3666,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -3821,8 +4060,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -4228,8 +4467,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -4391,6 +4630,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -4736,8 +5024,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -5143,8 +5431,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label diff --git a/multicluster/build/yamls/antrea-multicluster-leader.yml b/multicluster/build/yamls/antrea-multicluster-leader.yml index b61e0e84141..295b0da8029 100644 --- a/multicluster/build/yamls/antrea-multicluster-leader.yml +++ b/multicluster/build/yamls/antrea-multicluster-leader.yml 
@@ -511,6 +511,52 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads in AppliedTo + fields. Cannot be set with any other selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set with 
@@ -709,6 +755,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -1054,8 +1149,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -1461,8 +1556,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -1624,6 +1719,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -1969,8 +2113,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -2376,8 +2520,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -3278,6 +3422,52 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads in AppliedTo + fields. Cannot be set with any other selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set with 
@@ -3476,6 +3666,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -3821,8 +4060,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -4228,8 +4467,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -4391,6 +4630,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -4736,8 +5024,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -5143,8 +5431,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml index 9b44e3db695..f450e0d94ad 100644 --- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml +++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml 
@@ -101,6 +101,52 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads in AppliedTo + fields. Cannot be set with any other selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set with 
@@ -299,6 +345,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -644,8 +739,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -1051,8 +1146,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -1214,6 +1309,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -1559,8 +1703,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -1966,8 +2110,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml index 155dfeb9901..f6dd03276bd 100644 --- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml +++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml 
@@ -99,6 +99,52 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads in AppliedTo + fields. Cannot be set with any other selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set with 
@@ -297,6 +343,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -642,8 +737,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -1049,8 +1144,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -1212,6 +1307,55 @@ spec: description: AppliedTo describes the grouping selector of workloads in AppliedTo field. properties: + NodeSelector: + description: Select Nodes in cluster as workloads + in AppliedTo fields. Cannot be set with any other + selector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object externalEntitySelector: description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set 
@@ -1557,8 +1701,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label @@ -1964,8 +2108,8 @@ spec: type: object nodeSelector: description: Select certain Nodes which match the - label selector. A NodeSelector cannot be set in - AppliedTo field or set with any other selector. + label selector. A NodeSelector cannot be set with + any other selector. properties: matchExpressions: description: matchExpressions is a list of label diff --git a/pkg/apis/crd/v1beta1/types.go b/pkg/apis/crd/v1beta1/types.go index 77aa05e6d4b..9fdbfade68e 100644 --- a/pkg/apis/crd/v1beta1/types.go +++ b/pkg/apis/crd/v1beta1/types.go @@ -558,7 +558,7 @@ type NetworkPolicyPeer struct { // +optional ServiceAccount *NamespacedName `json:"serviceAccount,omitempty"` // Select certain Nodes which match the label selector. - // A NodeSelector cannot be set in AppliedTo field or set with any other selector. + // A NodeSelector cannot be set with any other selector. // +optional NodeSelector *metav1.LabelSelector `json:"nodeSelector,omitempty"` // Define scope of the Pod/NamespaceSelector(s) of this peer. @@ -607,6 +607,10 @@ type AppliedTo struct { // Cannot be set with any other selector. // +optional Service *NamespacedName `json:"service,omitempty"` + // Select Nodes in cluster as workloads in AppliedTo fields. + // Cannot be set with any other selector. + // +optional + NodeSelector *metav1.LabelSelector `json:"NodeSelector,omitempty"` } type PeerNamespaces struct { diff --git a/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go b/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go index 25d2e149bb8..404f9fb8360 100644 --- a/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go +++ b/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go 
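Review bot: The new `AppliedTo.NodeSelector` field is tagged `json:"NodeSelector,omitempty"`, so the CRD property comes out as `NodeSelector` (the generated schemas in this diff show exactly that) while every sibling field of `AppliedTo` and the peer-side `nodeSelector` use lower camel case. This is a versioned API surface, and renaming the key after release would be a breaking change for every existing ClusterNetworkPolicy manifest; change the tag to `` `json:"nodeSelector,omitempty"` `` and regenerate the CRD, deepcopy and openapi files before this ships. The `AppliedTo` struct header is outside the hunk.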
@@ -221,6 +221,11 @@ func (in *AppliedTo) DeepCopyInto(out *AppliedTo) { *out = new(NamespacedName) **out = **in } + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } return } diff --git a/pkg/apiserver/openapi/zz_generated.openapi.go b/pkg/apiserver/openapi/zz_generated.openapi.go index c7f00b2b8a8..a21de1ea48e 100644 --- a/pkg/apiserver/openapi/zz_generated.openapi.go +++ b/pkg/apiserver/openapi/zz_generated.openapi.go @@ -2982,6 +2982,12 @@ func schema_pkg_apis_crd_v1beta1_AppliedTo(ref common.ReferenceCallback) common. Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.NamespacedName"), }, }, + "NodeSelector": { + SchemaProps: spec.SchemaProps{ + Description: "Select Nodes in cluster as workloads in AppliedTo fields. Cannot be set with any other selector.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), + }, + }, }, }, }, @@ -4570,7 +4576,7 @@ func schema_pkg_apis_crd_v1beta1_NetworkPolicyPeer(ref common.ReferenceCallback) }, "nodeSelector": { SchemaProps: spec.SchemaProps{ - Description: "Select certain Nodes which match the label selector. A NodeSelector cannot be set in AppliedTo field or set with any other selector.", + Description: "Select certain Nodes which match the label selector. A NodeSelector cannot be set with any other selector.", Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), }, }, diff --git a/pkg/controller/grouping/group_entity_index.go b/pkg/controller/grouping/group_entity_index.go index 25dda34d5c6..53be6af0bcc 100644 --- a/pkg/controller/grouping/group_entity_index.go +++ b/pkg/controller/grouping/group_entity_index.go 
@@ -64,7 +64,7 @@ type Interface interface { // The eventHandler is supposed to execute quickly and not perform blocking operation. Blocking operation should be // deferred to a routine that is triggered by the eventHandler, like the eventHandler + workqueue pattern. AddEventHandler(groupType GroupType, handler eventHandler) - // GetEntities returns the selected Pods or ExternalEntities for the given group. + // GetEntities returns the selected Pods and ExternalEntities for the given group. GetEntities(groupType GroupType, name string) ([]*v1.Pod, []*v1alpha2.ExternalEntity) // GetGroupsForPod returns the groups that select the given Pod. GetGroupsForPod(namespace, name string) (map[GroupType][]string, bool) @@ -90,7 +90,7 @@ type Interface interface { DeleteNamespace(namespace *v1.Namespace) // Run starts the index. Run(stopCh <-chan struct{}) - // HasSynced returns true if the interface has been initialized with the full lists of Pods, Namespaces, and + // HasSynced returns true if the interface has been initialized with the full lists of Pods, Namespaces, Nodes and // ExternalEntities. HasSynced() bool } diff --git a/pkg/controller/networkpolicy/adminnetworkpolicy.go b/pkg/controller/networkpolicy/adminnetworkpolicy.go index acf4d374ee3..3ef269022dc 100644 --- a/pkg/controller/networkpolicy/adminnetworkpolicy.go +++ b/pkg/controller/networkpolicy/adminnetworkpolicy.go 
@@ -244,9 +244,9 @@ func (n *NetworkPolicyController) processClusterSubject(subject v1alpha1.AdminNe var appliedToGroups []*antreatypes.AppliedToGroup var atg *antreatypes.AppliedToGroup if subject.Pods != nil { - atg = n.createAppliedToGroup("", &subject.Pods.PodSelector, &subject.Pods.NamespaceSelector, nil) + atg = n.createAppliedToGroup("", &subject.Pods.PodSelector, &subject.Pods.NamespaceSelector, nil, nil) } else if subject.Namespaces != nil { - atg = n.createAppliedToGroup("", nil, subject.Namespaces, nil) + atg = n.createAppliedToGroup("", nil, subject.Namespaces, nil, nil) } if atg != nil { appliedToGroups = append(appliedToGroups, atg) diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy.go b/pkg/controller/networkpolicy/antreanetworkpolicy.go index e0af393993d..6ff8e5bbc2a 100644 --- a/pkg/controller/networkpolicy/antreanetworkpolicy.go +++ b/pkg/controller/networkpolicy/antreanetworkpolicy.go @@ -181,7 +181,7 @@ func (n *NetworkPolicyController) processAppliedTo(namespace string, appliedTo [ if at.Group != "" { atg = n.createAppliedToGroupForGroup(namespace, at.Group) } else { - atg = n.createAppliedToGroup(namespace, at.PodSelector, at.NamespaceSelector, at.ExternalEntitySelector) + atg = n.createAppliedToGroup(namespace, at.PodSelector, at.NamespaceSelector, at.ExternalEntitySelector, nil) } if atg != nil { appliedToGroups = append(appliedToGroups, atg) diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go index ae595fd9135..14d24e1417d 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy.go 
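Review bot: In `processAppliedTo` the new trailing argument to `createAppliedToGroup` is hard-coded to `nil`, so an `AppliedTo` entry of a namespaced policy that carries only a `NodeSelector` becomes a group with no Pod, Namespace or ExternalEntity selector instead of being rejected; depending on how `NewGroupSelector` treats an all-nil selector set (not visible here), that could quietly change which workloads the policy covers. `processClusterAppliedTo` (clusternetworkpolicy.go hunk at -505) has the mirror problem, since `NodeSelector` is tested first and wins over any other selector that is also set, and the per-Namespace-rule paths in `processClusterNetworkPolicy` (hunks at -347 and -430) pass `nil` as well. The type comment says a NodeSelector "Cannot be set with any other selector", but no validation enforcing that, or rejecting it in namespaced AppliedTo, appears in this diff; if it lives in the validating webhook, a comment at the `nil` argument such as `// NodeSelector is only valid in ClusterNetworkPolicy AppliedTo; the validating webhook rejects it here.` makes the dependency explicit, otherwise the check should be added.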
@@ -347,14 +347,14 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1beta1.Cl if hasPerNamespaceRule && len(cnp.Spec.AppliedTo) > 0 { for _, at := range cnp.Spec.AppliedTo { if at.ServiceAccount != nil { - atg := n.createAppliedToGroup(at.ServiceAccount.Namespace, serviceAccountNameToPodSelector(at.ServiceAccount.Name), nil, nil) + atg := n.createAppliedToGroup(at.ServiceAccount.Namespace, serviceAccountNameToPodSelector(at.ServiceAccount.Name), nil, nil, nil) appliedToGroups = mergeAppliedToGroups(appliedToGroups, atg) clusterAppliedToAffectedNS = append(clusterAppliedToAffectedNS, at.ServiceAccount.Namespace) atgForNamespace = append(atgForNamespace, atg) } else { affectedNS := n.getAffectedNamespacesForAppliedTo(at) for _, ns := range affectedNS { - atg := n.createAppliedToGroup(ns, at.PodSelector, nil, at.ExternalEntitySelector) + atg := n.createAppliedToGroup(ns, at.PodSelector, nil, at.ExternalEntitySelector, nil) appliedToGroups = mergeAppliedToGroups(appliedToGroups, atg) clusterAppliedToAffectedNS = append(clusterAppliedToAffectedNS, ns) atgForNamespace = append(atgForNamespace, atg) @@ -422,7 +422,7 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1beta1.Cl // Create a rule for each affected Namespace of appliedTo at rule level for _, at := range cnpRule.AppliedTo { if at.ServiceAccount != nil { - atg := n.createAppliedToGroup(at.ServiceAccount.Namespace, serviceAccountNameToPodSelector(at.ServiceAccount.Name), nil, nil) + atg := n.createAppliedToGroup(at.ServiceAccount.Namespace, serviceAccountNameToPodSelector(at.ServiceAccount.Name), nil, nil, nil) klog.V(4).Infof("Adding a new per-namespace rule with appliedTo %v for rule %d of %s", atg, idx, cnp.Name) peer, ags, selKeys := n.toNamespacedPeerForCRD(perNSPeers, cnp, at.ServiceAccount.Namespace) clusterSetScopeSelectorKeys = clusterSetScopeSelectorKeys.Union(selKeys) 
@@ -430,7 +430,7 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1beta1.Cl } else { affectedNS := n.getAffectedNamespacesForAppliedTo(at) for _, ns := range affectedNS { - atg := n.createAppliedToGroup(ns, at.PodSelector, nil, at.ExternalEntitySelector) + atg := n.createAppliedToGroup(ns, at.PodSelector, nil, at.ExternalEntitySelector, nil) klog.V(4).Infof("Adding a new per-namespace rule with appliedTo %v for rule %d of %s", atg, idx, cnp.Name) peer, ags, selKeys := n.toNamespacedPeerForCRD(perNSPeers, cnp, ns) clusterSetScopeSelectorKeys = clusterSetScopeSelectorKeys.Union(selKeys) @@ -505,14 +505,16 @@ func (n *NetworkPolicyController) processClusterAppliedTo(appliedTo []crdv1beta1 var appliedToGroups []*antreatypes.AppliedToGroup for _, at := range appliedTo { var atg *antreatypes.AppliedToGroup - if at.Group != "" { + if at.NodeSelector != nil { + atg = n.createAppliedToGroup("", nil, nil, nil, at.NodeSelector) + } else if at.Group != "" { atg = n.createAppliedToGroupForGroup("", at.Group) } else if at.Service != nil { atg = n.createAppliedToGroupForService(at.Service) } else if at.ServiceAccount != nil { - atg = n.createAppliedToGroup(at.ServiceAccount.Namespace, serviceAccountNameToPodSelector(at.ServiceAccount.Name), nil, nil) + atg = n.createAppliedToGroup(at.ServiceAccount.Namespace, serviceAccountNameToPodSelector(at.ServiceAccount.Name), nil, nil, nil) } else { - atg = n.createAppliedToGroup("", at.PodSelector, at.NamespaceSelector, at.ExternalEntitySelector) + atg = n.createAppliedToGroup("", at.PodSelector, at.NamespaceSelector, at.ExternalEntitySelector, nil) } if atg != nil { appliedToGroups = append(appliedToGroups, atg) diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go index 6c8f3b185f4..8aedfb72ecf 100644 --- a/pkg/controller/networkpolicy/networkpolicy_controller.go +++ b/pkg/controller/networkpolicy/networkpolicy_controller.go 
@@ -600,8 +600,8 @@ func getNormalizedUID(name string) string { } // createAppliedToGroup creates an AppliedToGroup object corresponding to the provided selectors. -func (n *NetworkPolicyController) createAppliedToGroup(npNsName string, pSel, nSel, eSel *metav1.LabelSelector) *antreatypes.AppliedToGroup { - groupSelector := antreatypes.NewGroupSelector(npNsName, pSel, nSel, eSel, nil) +func (n *NetworkPolicyController) createAppliedToGroup(npNsName string, pSel, nSel, eSel, nodeSel *metav1.LabelSelector) *antreatypes.AppliedToGroup { + groupSelector := antreatypes.NewGroupSelector(npNsName, pSel, nSel, eSel, nodeSel) appliedToGroupUID := getNormalizedUID(groupSelector.NormalizedName) // Construct a new AppliedToGroup. appliedToGroup := &antreatypes.AppliedToGroup{ @@ -691,7 +691,7 @@ func (n *NetworkPolicyController) processNetworkPolicy(np *networkingv1.NetworkP // addressGroups tracks all distinct AddressGroups referred to by the K8s NetworkPolicy. addressGroups := map[string]*antreatypes.AddressGroup{} - newAppliedToGroup := n.createAppliedToGroup(np.Namespace, &np.Spec.PodSelector, nil, nil) + newAppliedToGroup := n.createAppliedToGroup(np.Namespace, &np.Spec.PodSelector, nil, nil, nil) appliedToGroups = mergeAppliedToGroups(appliedToGroups, newAppliedToGroup) rules := make([]controlplane.NetworkPolicyRule, 0, len(np.Spec.Ingress)+len(np.Spec.Egress)) // Retrieve Namespace logging annotation. @@ -1115,7 +1115,7 @@ func (c *NetworkPolicyController) getNodeMemberSet(selector labels.Selector) con groupMemberSet := controlplane.GroupMemberSet{} nodes, _ := c.nodeLister.List(selector) for _, node := range nodes { - groupMemberSet.Insert(nodeToGroupMember(node)) + groupMemberSet.Insert(nodeToGroupMember(node, true)) } return groupMemberSet } 
@@ -1180,6 +1180,23 @@ func (n *NetworkPolicyController) getMemberSetForGroupType(groupType grouping.Gr for _, ee := range externalEntities { groupMemberSet.Insert(externalEntityToGroupMember(ee, true)) } + if groupType == appliedToGroupType { + gKey := string(groupType) + "/" + name + grp, exists, _ := n.appliedToGroupStore.Get(gKey) + if exists { + g, ok := grp.(antreatypes.AppliedToGroup) + if ok { + nodes, err := n.nodeLister.List(g.Selector.NodeSelector) + if err != nil { + klog.ErrorS(err, "Error when getting AppliedTo Nodes for AppliedToGroup", "AppliedToGroup", g.Name) + } else { + for _, node := range nodes { + groupMemberSet.Insert(nodeToGroupMember(node, false)) + } + } + } + } + } return groupMemberSet } @@ -1215,14 +1232,16 @@ func podToGroupMember(pod *v1.Pod, includeIP bool) *controlplane.GroupMember { return memberPod } -func nodeToGroupMember(node *v1.Node) (member *controlplane.GroupMember) { +func nodeToGroupMember(node *v1.Node, includeIP bool) (member *controlplane.GroupMember) { member = &controlplane.GroupMember{Node: &controlplane.NodeReference{Name: node.Name}} ips, err := k8s.GetNodeAllAddrs(node) if err != nil { klog.ErrorS(err, "Error getting Node IP addresses", "Node", node.Name) } - for ip := range ips { - member.IPs = append(member.IPs, ipStrToIPAddress(ip)) + if includeIP { + for ip := range ips { + member.IPs = append(member.IPs, ipStrToIPAddress(ip)) + } } return } @@ -1300,7 +1319,7 @@ func (n *NetworkPolicyController) syncAppliedToGroup(key string) error { } klog.V(2).InfoS("Updating existing AppliedToGroup", "Service", *appliedToGroup.Service, "numNodes", appGroupNodeNames.Len()) } else { - pods, externalEntities, err := n.getAppliedToWorkloads(appliedToGroup) + pods, externalEntities, nodes, err := n.getAppliedToWorkloads(appliedToGroup) if err != nil { klog.ErrorS(err, "Error when getting AppliedTo workloads for AppliedToGroup", "AppliedToGroup", appliedToGroup.Name) updatedAppliedToGroup = &antreatypes.AppliedToGroup{ 
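Review bot: The new Node branch in `getMemberSetForGroupType` asserts `grp.(antreatypes.AppliedToGroup)` by value and then calls `n.nodeLister.List(g.Selector.NodeSelector)` with no nil check, whereas `getAppliedToWorkloads` in the same file guards the identical call with `if g.Selector.NodeSelector != nil`. `createAppliedToGroup` (hunk at -600) builds the stored object as `&antreatypes.AppliedToGroup{...}`, so if the store holds pointers the assertion never succeeds and the whole branch is dead code; if it does hold values, the unguarded `List` runs for every Pod-selecting AppliedToGroup with a nil selector, which would likely dereference a nil interface inside the lister. Both failure modes are silent, because `ok` and the discarded `Get` error are never reported, and this function decides policy membership. Suggest `g, ok := grp.(*antreatypes.AppliedToGroup)` and `if ok && g.Selector.NodeSelector != nil {`, and log the error from `Get` instead of discarding it.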
@@ -1342,6 +1361,15 @@ func (n *NetworkPolicyController) syncAppliedToGroup(key string) error { memberSetByNode[entityNodeKey] = entitySet appGroupNodeNames.Insert(entityNodeKey) } + for _, node := range nodes { + nodeSet := memberSetByNode[node.Name] + if nodeSet == nil { + nodeSet = controlplane.GroupMemberSet{} + } + nodeSet.Insert(nodeToGroupMember(node, true)) + memberSetByNode[node.Name] = nodeSet + appGroupNodeNames.Insert(node.Name) + } updatedAppliedToGroup = &antreatypes.AppliedToGroup{ UID: appliedToGroup.UID, Name: appliedToGroup.Name, 
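Review bot: `syncAppliedToGroup` inserts AppliedTo Nodes with `nodeToGroupMember(node, true)`, but `getMemberSetForGroupType` (hunk at -1180) inserts the same Nodes with `includeIP` false while keeping `true` for ExternalEntities in the same function. If the difference is deliberate, a comment at each call site such as `// Node IPs are only needed in the per-Node member set sent to agents; group-type lookups match on Node name.` would stop the two from drifting apart; if it is not, one of the two flags is wrong. Separately, `nodeToGroupMember` still calls `k8s.GetNodeAllAddrs` and logs its error when `includeIP` is false; moving that call inside the `if includeIP` block avoids the wasted work and the misleading log line.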
@@ -1359,18 +1387,23 @@ func (n *NetworkPolicyController) syncAppliedToGroup(key string) error { return nil } -// getAppliedToWorkloads returns a list of workloads (Pods and ExternalEntities) selected by an AppliedToGroup -// for standalone selectors or corresponding to a ClusterGroup. -func (n *NetworkPolicyController) getAppliedToWorkloads(g *antreatypes.AppliedToGroup) ([]*v1.Pod, []*v1alpha2.ExternalEntity, error) { +// getAppliedToWorkloads returns a list of workloads (Pods, ExternalEntities or Nodes) selected by an AppliedToGroup +// for standalone selectors or Pods and ExternalEntities corresponding to a ClusterGroup. +func (n *NetworkPolicyController) getAppliedToWorkloads(g *antreatypes.AppliedToGroup) ([]*v1.Pod, []*v1alpha2.ExternalEntity, []*v1.Node, error) { // Check if an internal Group object exists corresponding to this AppliedToGroup group, found, _ := n.internalGroupStore.Get(g.Name) if found { // This AppliedToGroup is derived from a ClusterGroup. grp := group.(*antreatypes.Group) - return n.getInternalGroupWorkloads(grp) + pods, ees, err := n.getInternalGroupWorkloads(grp) + return pods, ees, nil, err + } + if g.Selector.NodeSelector != nil { + nodes, err := n.nodeLister.List(g.Selector.NodeSelector) + return nil, nil, nodes, err } pods, ees := n.groupingInterface.GetEntities(appliedToGroupType, g.Name) - return pods, ees, nil + return pods, ees, nil, nil } // getInternalGroupWorkloads returns a list of workloads (Pods and ExternalEntities) selected by a ClusterGroup. diff --git a/pkg/controller/networkpolicy/networkpolicy_controller_test.go b/pkg/controller/networkpolicy/networkpolicy_controller_test.go index 622f85c65bb..4025e76d0bf 100644 --- a/pkg/controller/networkpolicy/networkpolicy_controller_test.go +++ b/pkg/controller/networkpolicy/networkpolicy_controller_test.go 
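Review bot: For a NodeSelector-based AppliedToGroup, `getAppliedToWorkloads` now reads membership directly from `n.nodeLister` rather than through `n.groupingInterface`, which is what the Pod and ExternalEntity paths use. Unless a Node event handler elsewhere re-enqueues such groups on Node add, label change or delete (nothing in this diff does so, although the `HasSynced` comment in group_entity_index.go now mentions Nodes), the member set is only refreshed on unrelated resyncs, so a relabeled Node could keep, or fail to receive, a policy for an unbounded time. The return contract also deserves a line on the function comment, e.g. `// Either the Pods/ExternalEntities pair or the Nodes slice is populated, never both; Nodes is nil for ClusterGroup-derived groups.`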
@@ -2520,6 +2520,7 @@ func TestInternalGroupKeyFunc(t *testing.T) { func TestGetAppliedToWorkloads(t *testing.T) { var emptyEEs []*v1alpha2.ExternalEntity var emptyPods []*corev1.Pod + var emptyNodes []*corev1.Node selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}} cgA := v1beta1.ClusterGroup{ ObjectMeta: metav1.ObjectMeta{Name: "cgA", UID: "uidA"}, @@ -2570,10 +2571,11 @@ func TestGetAppliedToWorkloads(t *testing.T) { podB := getPod("podB", "nsA", "nodeB", "10.0.0.2", false) podB.Labels = map[string]string{"foo3": "bar3"} tests := []struct { - name string - inATG *antreatypes.AppliedToGroup - expPods []*corev1.Pod - expEEs []*v1alpha2.ExternalEntity + name string + inATG *antreatypes.AppliedToGroup + expPods []*corev1.Pod + expEEs []*v1alpha2.ExternalEntity + expNodes []*corev1.Node }{ { name: "atg-for-cg", @@ -2581,8 +2583,9 @@ func TestGetAppliedToWorkloads(t *testing.T) { Name: cgA.Name, UID: cgA.UID, }, - expPods: []*corev1.Pod{podA}, - expEEs: emptyEEs, + expPods: []*corev1.Pod{podA}, + expEEs: emptyEEs, + expNodes: emptyNodes, }, { name: "atg-for-cg-no-pod-match", @@ -2590,8 +2593,9 @@ func TestGetAppliedToWorkloads(t *testing.T) { Name: cgB.Name, UID: cgB.UID, }, - expPods: emptyPods, - expEEs: emptyEEs, + expPods: emptyPods, + expEEs: emptyEEs, + expNodes: emptyNodes, }, { name: "atg-for-nested-cg-one-child-empty", @@ -2599,8 +2603,9 @@ func TestGetAppliedToWorkloads(t *testing.T) { Name: nestedCG1.Name, UID: nestedCG1.UID, }, - expPods: []*corev1.Pod{podA}, - expEEs: emptyEEs, + expPods: []*corev1.Pod{podA}, + expEEs: emptyEEs, + expNodes: emptyNodes, }, { name: "atg-for-nested-cg-both-children-match-pod", @@ -2608,8 +2613,9 @@ func TestGetAppliedToWorkloads(t *testing.T) { Name: nestedCG2.Name, UID: nestedCG2.UID, }, - expPods: []*corev1.Pod{podA, podB}, - expEEs: emptyEEs, + expPods: []*corev1.Pod{podA, podB}, + expEEs: emptyEEs, + expNodes: emptyNodes, }, { name: "atg-for-nested-cg-children-overlap-pod", 
@@ -2617,8 +2623,9 @@ func TestGetAppliedToWorkloads(t *testing.T) { Name: nestedCG3.Name, UID: nestedCG3.UID, }, - expPods: []*corev1.Pod{podA, podB}, - expEEs: emptyEEs, + expPods: []*corev1.Pod{podA, podB}, + expEEs: emptyEEs, + expNodes: emptyNodes, }, } _, c := newController(nil, nil) @@ -2632,10 +2639,11 @@ func TestGetAppliedToWorkloads(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - actualPods, actualEEs, actualErr := c.getAppliedToWorkloads(tt.inATG) + actualPods, actualEEs, actualNodes, actualErr := c.getAppliedToWorkloads(tt.inATG) assert.NoError(t, actualErr) assert.Equal(t, tt.expEEs, actualEEs) assert.Equal(t, tt.expPods, actualPods) + assert.Equal(t, tt.expNodes, actualNodes) }) } }
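Review bot: `TestGetAppliedToWorkloads` gains an `expNodes` field, but every case still sets it to `emptyNodes`, so the new `g.Selector.NodeSelector != nil` branch of `getAppliedToWorkloads` is never executed by this test. Add at least one case whose `inATG` carries a `Selector.NodeSelector`, with a Node fixture in the test informer whose labels match, asserting that the Node is returned and Pods/EEs are nil, plus one with a non-matching label to confirm the empty result.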