diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml index fd978be21c0..c4e90da0a64 100644 --- a/build/yamls/antrea-aks.yml +++ b/build/yamls/antrea-aks.yml @@ -377,6 +377,17 @@ metadata: app: antrea name: clusternetworkpolicies.crd.antrea.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/clusternetworkpolicy + conversionReviewVersions: + - v1 + - v1beta1 group: crd.antrea.io names: kind: ClusterNetworkPolicy 
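Review bot: The added conversion webhook's `clientConfig` carries no `caBundle`, so the apiserver will validate the `antrea` service's certificate against its own system trust roots; unless the controller patches the bundle into this CRD at runtime (presumably the same mechanism used for the validating webhook configurations, which is not visible here), every request that needs a v1alpha1/v1alpha2 conversion fails. Worth recording that next to `conversion:`, e.g. `# caBundle is injected by the controller at startup; without it conversion calls fail`, once the mechanism is confirmed. With `strategy: Webhook` the controller also becomes a hard dependency for reading and writing ClusterNetworkPolicy objects in the non-storage version, a new availability property operators should be told about. The identical hunk in build/yamls/antrea-eks.yml has the same gap.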
@@ -867,191 +878,737 @@ spec: type: object type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: egresses.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Egress - plural: egresses - shortNames: - - eg - singular: egress - scope: Cluster - versions: - additionalPrinterColumns: - - description: Specifies the SNAT IP address for the selected workloads. - jsonPath: .spec.egressIP - name: EgressIP + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number - jsonPath: .metadata.creationTimestamp name: Age type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string name: v1alpha2 schema: openAPIV3Schema: properties: spec: - anyOf: - - required: - - egressIP - - required: - - externalIPPool properties: appliedTo: - properties: - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - egressIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - externalIPPool: - type: string - required: - - appliedTo - type: object - status: - properties: - egressNode: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalentities.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalEntity - plural: externalentities - shortNames: - - ee - singular: externalentity - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - endpoints: items: properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 
- type: string - name: + group: type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object type: object type: array - externalNode: - type: string - ports: + egress: items: properties: - name: - type: string - port: - x-kubernetes-int-or-string: true - protocol: + action: enum: - - TCP - - UDP - - SCTP + - Allow + - Drop + - Reject + - Pass type: string - type: object - type: array - type: object - type: object - served: true - storage: true - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalippools.crd.antrea.io + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + 
podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + protocols: + items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp + properties: + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + type: object + type: array + to: + items: + properties: + fqdn: + type: string + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist 
+ type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + enum: + - Self + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + name: + type: string + protocols: + items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp + properties: + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: 
apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: 
externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io spec: group: crd.antrea.io names: 
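Review bot: In the new ClusterNetworkPolicy v1alpha2 schema, `namespaces.match` under egress `to` is declared as a bare `type: string`, while the same field under ingress `from` is restricted with `enum: - Self`; unless the asymmetry is intentional, egress rules accept arbitrary `match` values at admission and rely on the controller to reject them later. Adding `enum:` / `- Self` above `type: string` in the egress `namespaces` block brings the two into line. Whether the validating webhook already rejects other values cannot be seen from this hunk. The antrea-eks.yml copy of this hunk shows the same difference.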
@@ -1159,119 +1716,517 @@ metadata: spec: group: crd.antrea.io names: - kind: IPPool - plural: ippools + kind: IPPool + plural: ippools + shortNames: + - ipp + singular: ippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + vlan: + type: string + type: object + type: array + ipVersion: + type: integer + required: + - ipVersion + - ipRanges + type: object + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + containerID: + type: string + name: + type: string + namespace: + type: string + type: object + statefulSet: + properties: + index: + type: integer + name: + type: string + namespace: + type: string + type: object + type: object + phase: + type: string + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/networkpolicy + conversionReviewVersions: + - v1 + - v1beta1 + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies shortNames: - - ipp - singular: ippool - scope: Cluster + - anp + singular: networkpolicy + scope: Namespaced versions: - - name: v1alpha2 + - additionalPrinterColumns: + - description: The 
Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 schema: openAPIV3Schema: properties: spec: properties: - ipRanges: + appliedTo: items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - start: - oneOf: - - format: ipv4 - - format: ipv6 + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass type: string - vlan: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + fqdn: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + required: + - action type: object type: array - ipVersion: - type: integer - required: - - ipVersion - - ipRanges - type: object - status: - 
properties: - ipAddresses: + ingress: items: properties: - ipAddress: + action: + enum: + - Allow + - Drop + - Reject + - Pass type: string - owner: - properties: - pod: - properties: - containerID: - type: string - name: - type: string - namespace: - type: string - type: object - statefulSet: - properties: - index: - type: integer - name: - type: string - namespace: - type: string - type: object - type: object - phase: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + 
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + required: + - action type: object type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string type: object - required: - - spec type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: networkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: NetworkPolicy - plural: networkpolicies - shortNames: - - anp - singular: networkpolicy - scope: Namespaced - versions: - additionalPrinterColumns: - description: The Tier to which this Antrea NetworkPolicy belongs to. jsonPath: .spec.tier @@ -1295,7 +2250,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 + name: v1alpha2 schema: openAPIV3Schema: properties: 
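Review bot: Flipping `storage: true` to `storage: false` on NetworkPolicy v1alpha1 (and on ClusterNetworkPolicy in the earlier hunk) moves the storage version, but objects already persisted stay in v1alpha1 encoding until they are rewritten, and the CRD's `status.storedVersions` will then list both versions. Before v1alpha1 can be dropped from the manifest in a later release those objects need a storage-version migration (a no-op update of each object is enough), since the apiserver rejects removing a version that is still listed in `storedVersions`; removing the conversion webhook while such objects remain would make them unreadable. A comment next to the `storage: false` line, e.g. `# v1alpha1 objects remain in etcd until migrated; check status.storedVersions before dropping this version`, would record this for operators.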
@@ -1373,19 +2328,50 @@ spec: type: boolean name: type: string - ports: + protocols: items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object type: object type: array to: @@ -1614,19 +2600,50 @@ spec: type: array name: type: string - ports: + protocols: items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object type: object type: array required: @@ -3459,6 +4476,7 @@ webhooks: - apiGroups: - crd.antrea.io apiVersions: + - v1alpha2 - v1alpha1 operations: - CREATE @@ -3481,6 +4499,7 @@ webhooks: - apiGroups: - crd.antrea.io apiVersions: + - v1alpha2 - v1alpha1 operations: - CREATE 
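Review bot: In the new `protocols` schema the `icmp` fields are bounded (`minimum: 0`, `maximum: 255`) but `endPort` under `tcp`, `udp` and `sctp` is an unbounded `type: integer` and `port` is int-or-string with no pattern, so values outside 1–65535, or an `endPort` below `port`, pass CRD validation; the same applies to the @@ -1614 hunk and to the ClusterNetworkPolicy v1alpha2 schema in the earlier hunk. If the validating webhook enforces these ranges this is only defence in depth, but a schema bound also holds when the webhook is unavailable and its `failurePolicy` lets the request through, which cannot be checked from this hunk. Adding `minimum: 1` / `maximum: 65535` under each `endPort` closes the gap at the schema level; the port/endPort ordering still needs the webhook.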
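Review bot: The @@ -3459 and @@ -3481 hunks add `v1alpha2` to the `apiVersions` of two webhook rules for `crd.antrea.io`, but the webhook names and the `resources` each rule covers lie outside the hunks, so it is not visible whether every validating and mutating rule that matched v1alpha1 NetworkPolicy and ClusterNetworkPolicy now also matches v1alpha2. Any rule left on v1alpha1 alone would let the newly served version bypass admission while the old version is still checked, which is the failure mode to verify against the full webhook list in this file. A short comment above the rule, e.g. `# keep in sync with the served versions of the policy CRDs`, would make the coupling explicit for the next version bump.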
diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index c12122cadb9..526be889e81 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml @@ -377,6 +377,17 @@ metadata: app: antrea name: clusternetworkpolicies.crd.antrea.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/clusternetworkpolicy + conversionReviewVersions: + - v1 + - v1beta1 group: crd.antrea.io names: kind: ClusterNetworkPolicy 
@@ -867,191 +878,737 @@ spec: type: object type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: egresses.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Egress - plural: egresses - shortNames: - - eg - singular: egress - scope: Cluster - versions: - additionalPrinterColumns: - - description: Specifies the SNAT IP address for the selected workloads. - jsonPath: .spec.egressIP - name: EgressIP + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number - jsonPath: .metadata.creationTimestamp name: Age type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string name: v1alpha2 schema: openAPIV3Schema: properties: spec: - anyOf: - - required: - - egressIP - - required: - - externalIPPool properties: appliedTo: - properties: - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - egressIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - externalIPPool: - type: string - required: - - appliedTo - type: object - status: - properties: - egressNode: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalentities.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalEntity - plural: externalentities - shortNames: - - ee - singular: externalentity - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - endpoints: items: properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 
- type: string - name: + group: type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object type: object type: array - externalNode: - type: string - ports: + egress: items: properties: - name: - type: string - port: - x-kubernetes-int-or-string: true - protocol: + action: enum: - - TCP - - UDP - - SCTP + - Allow + - Drop + - Reject + - Pass type: string - type: object - type: array - type: object - type: object - served: true - storage: true - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalippools.crd.antrea.io + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + 
podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + protocols: + items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp + properties: + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + type: object + type: array + to: + items: + properties: + fqdn: + type: string + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist 
+ type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + enum: + - Self + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + name: + type: string + protocols: + items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp + properties: + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: 
apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: 
externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io spec: group: crd.antrea.io names: 
@@ -1159,119 +1716,517 @@ metadata: spec: group: crd.antrea.io names: - kind: IPPool - plural: ippools + kind: IPPool + plural: ippools + shortNames: + - ipp + singular: ippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + vlan: + type: string + type: object + type: array + ipVersion: + type: integer + required: + - ipVersion + - ipRanges + type: object + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + containerID: + type: string + name: + type: string + namespace: + type: string + type: object + statefulSet: + properties: + index: + type: integer + name: + type: string + namespace: + type: string + type: object + type: object + phase: + type: string + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/networkpolicy + conversionReviewVersions: + - v1 + - v1beta1 + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies shortNames: - - ipp - singular: ippool - scope: Cluster + - anp + singular: networkpolicy + scope: Namespaced versions: - - name: v1alpha2 + - additionalPrinterColumns: + - description: The 
Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 schema: openAPIV3Schema: properties: spec: properties: - ipRanges: + appliedTo: items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - start: - oneOf: - - format: ipv4 - - format: ipv6 + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass type: string - vlan: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + fqdn: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + required: + - action type: object type: array - ipVersion: - type: integer - required: - - ipVersion - - ipRanges - type: object - status: - 
properties: - ipAddresses: + ingress: items: properties: - ipAddress: + action: + enum: + - Allow + - Drop + - Reject + - Pass type: string - owner: - properties: - pod: - properties: - containerID: - type: string - name: - type: string - namespace: - type: string - type: object - statefulSet: - properties: - index: - type: integer - name: - type: string - namespace: - type: string - type: object - type: object - phase: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + 
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + required: + - action type: object type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string type: object - required: - - spec type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: networkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: NetworkPolicy - plural: networkpolicies - shortNames: - - anp - singular: networkpolicy - scope: Namespaced - versions: - additionalPrinterColumns: - description: The Tier to which this Antrea NetworkPolicy belongs to. jsonPath: .spec.tier @@ -1295,7 +2250,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 + name: v1alpha2 schema: openAPIV3Schema: properties: 
@@ -1373,19 +2328,50 @@ spec: type: boolean name: type: string - ports: + protocols: items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object type: object type: array to: @@ -1614,19 +2600,50 @@ spec: type: array name: type: string - ports: + protocols: items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object type: object type: array required: @@ -3461,6 +4478,7 @@ webhooks: - apiGroups: - crd.antrea.io apiVersions: + - v1alpha2 - v1alpha1 operations: - CREATE @@ -3483,6 +4501,7 @@ webhooks: - apiGroups: - crd.antrea.io apiVersions: + - v1alpha2 - v1alpha1 operations: - CREATE 
diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index 1d539f4f9c9..ece03cedf90 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml @@ -377,6 +377,17 @@ metadata: app: antrea name: clusternetworkpolicies.crd.antrea.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/clusternetworkpolicy + conversionReviewVersions: + - v1 + - v1beta1 group: crd.antrea.io names: kind: ClusterNetworkPolicy 
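Review bot: The `webhook.clientConfig` added under `spec.conversion` for `clusternetworkpolicies.crd.antrea.io` names the `antrea` service in `kube-system` and the `/convert/clusternetworkpolicy` path but carries no `caBundle`, so as written the manifest gives the API server nothing to verify the conversion endpoint's serving certificate against. Presumably the controller injects the CA into CRD conversion webhooks at runtime as it does for the validating webhooks, but nothing on this page shows that, and a reader auditing the manifest cannot tell whether an empty bundle is intended. If this file is generated from a kustomize/template source, the source should carry a comment on the `clientConfig` block such as `# caBundle is populated at runtime by the controller; do not set it here`, and a line documenting which component serves `/convert/...` would help. The same block appears for `clusternetworkpolicies.crd.antrea.io` in antrea-aks.yml and for `networkpolicies.crd.antrea.io` (path `/convert/networkpolicy`) in both files' `@@ -1159,119 +1716,517 @@` hunks.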
@@ -867,191 +878,737 @@ spec: type: object type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: egresses.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Egress - plural: egresses - shortNames: - - eg - singular: egress - scope: Cluster - versions: - additionalPrinterColumns: - - description: Specifies the SNAT IP address for the selected workloads. - jsonPath: .spec.egressIP - name: EgressIP + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number - jsonPath: .metadata.creationTimestamp name: Age type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string name: v1alpha2 schema: openAPIV3Schema: properties: spec: - anyOf: - - required: - - egressIP - - required: - - externalIPPool properties: appliedTo: - properties: - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - egressIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - externalIPPool: - type: string - required: - - appliedTo - type: object - status: - properties: - egressNode: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalentities.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalEntity - plural: externalentities - shortNames: - - ee - singular: externalentity - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - endpoints: items: properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 
- type: string - name: + group: type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object type: object type: array - externalNode: - type: string - ports: + egress: items: properties: - name: - type: string - port: - x-kubernetes-int-or-string: true - protocol: + action: enum: - - TCP - - UDP - - SCTP + - Allow + - Drop + - Reject + - Pass type: string - type: object - type: array - type: object - type: object - served: true - storage: true - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalippools.crd.antrea.io + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + 
podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + protocols: + items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp + properties: + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + type: object + type: array + to: + items: + properties: + fqdn: + type: string + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist 
+ type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + enum: + - Self + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + name: + type: string + protocols: + items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp + properties: + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: 
apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: 
externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io spec: group: crd.antrea.io names: 
@@ -1159,119 +1716,517 @@ metadata: spec: group: crd.antrea.io names: - kind: IPPool - plural: ippools + kind: IPPool + plural: ippools + shortNames: + - ipp + singular: ippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + vlan: + type: string + type: object + type: array + ipVersion: + type: integer + required: + - ipVersion + - ipRanges + type: object + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + containerID: + type: string + name: + type: string + namespace: + type: string + type: object + statefulSet: + properties: + index: + type: integer + name: + type: string + namespace: + type: string + type: object + type: object + phase: + type: string + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/networkpolicy + conversionReviewVersions: + - v1 + - v1beta1 + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies shortNames: - - ipp - singular: ippool - scope: Cluster + - anp + singular: networkpolicy + scope: Namespaced versions: - - name: v1alpha2 + - additionalPrinterColumns: + - description: The 
Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 schema: openAPIV3Schema: properties: spec: properties: - ipRanges: + appliedTo: items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - start: - oneOf: - - format: ipv4 - - format: ipv6 + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass type: string - vlan: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + fqdn: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + required: + - action type: object type: array - ipVersion: - type: integer - required: - - ipVersion - - ipRanges - type: object - status: - 
properties: - ipAddresses: + ingress: items: properties: - ipAddress: + action: + enum: + - Allow + - Drop + - Reject + - Pass type: string - owner: - properties: - pod: - properties: - containerID: - type: string - name: - type: string - namespace: - type: string - type: object - statefulSet: - properties: - index: - type: integer - name: - type: string - namespace: - type: string - type: object - type: object - phase: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + 
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + required: + - action type: object type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string type: object - required: - - spec type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: networkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: NetworkPolicy - plural: networkpolicies - shortNames: - - anp - singular: networkpolicy - scope: Namespaced - versions: - additionalPrinterColumns: - description: The Tier to which this Antrea NetworkPolicy belongs to. jsonPath: .spec.tier @@ -1295,7 +2250,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 + name: v1alpha2 schema: openAPIV3Schema: properties: 
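Review bot: The `storage: false` now set on the v1alpha1 version of networkpolicies.crd.antrea.io (the `- storage: true` / `+ storage: false` pair near the end of this hunk, with v1alpha2 becoming the storage version) leaves every NetworkPolicy written before the upgrade stored as v1alpha1 in etcd, and the CRD's `status.storedVersions` keeps both entries until each object is read and written back; a storage-version migration (a read-and-replace pass over all objects) has to happen before v1alpha1 can ever be removed from `versions`, and the upgrade notes should say so. The new `conversion.webhook.clientConfig` for `/convert/networkpolicy` also carries no `caBundle`, so the API server can only verify the controller's serving certificate if something injects it at runtime — presumably the controller does this as for its other webhook configurations, but it is worth confirming, because otherwise every read of a v1alpha1-stored object fails closed. Either way the conversion path makes the antrea controller a hard dependency for reading those objects, which is a change in failure mode versus the previous `None` conversion. If these manifests are generated from a CRD base, the documentation belongs alongside that base rather than here.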
@@ -1373,19 +2328,50 @@ spec: type: boolean name: type: string - ports: + protocols: items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object type: object type: array to: @@ -1614,19 +2600,50 @@ spec: type: array name: type: string - ports: + protocols: items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object type: object type: array required: @@ -3459,6 +4476,7 @@ webhooks: - apiGroups: - crd.antrea.io apiVersions: + - v1alpha2 - v1alpha1 operations: - CREATE @@ -3481,6 +4499,7 @@ webhooks: - apiGroups: - crd.antrea.io apiVersions: + - v1alpha2 - v1alpha1 operations: - CREATE 
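Review bot: The new per-protocol `tcp`/`udp`/`sctp` objects under `protocols` give `endPort` only `type: integer`, with no bounds, so a rule with `endPort: 70000` or a negative value passes schema validation and is rejected only if the admission webhook checks it, which is not visible in this diff. Bounding it in the schema is cheap and fails fast at the API server: `endPort:` / `  maximum: 65535` / `  minimum: 1` (the `port` field is int-or-string and cannot be bounded the same way). The same applies to the second `protocols` block in the ingress rules of the following hunk, and to the matching blocks in the other overlays. If these manifests are generated, the change belongs in the CRD source they are built from.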
diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index f16228cf370..f572d8e8a57 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml @@ -377,6 +377,17 @@ metadata: app: antrea name: clusternetworkpolicies.crd.antrea.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/clusternetworkpolicy + conversionReviewVersions: + - v1 + - v1beta1 group: crd.antrea.io names: kind: ClusterNetworkPolicy 
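Review bot: The `conversion.webhook.clientConfig` added for clusternetworkpolicies.crd.antrea.io names the `antrea` Service in `kube-system` and the `/convert/clusternetworkpolicy` path but carries no `caBundle`, so as shipped the API server has nothing to pin the controller's serving certificate to. Presumably the antrea controller patches the CA into this CRD at startup the way it does for its other webhook configurations — that should be confirmed, and a one-line comment in the source the manifest is built from (`# caBundle is injected by the antrea controller at runtime`) would save the next reader the same question. If nothing injects it, conversion fails closed and every read of an object stored in the non-storage version errors until it is fixed. This is the same configuration as in the other overlays, so the same confirmation covers them.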
@@ -867,191 +878,737 @@ spec: type: object type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: egresses.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Egress - plural: egresses - shortNames: - - eg - singular: egress - scope: Cluster - versions: - additionalPrinterColumns: - - description: Specifies the SNAT IP address for the selected workloads. - jsonPath: .spec.egressIP - name: EgressIP + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number - jsonPath: .metadata.creationTimestamp name: Age type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string name: v1alpha2 schema: openAPIV3Schema: properties: spec: - anyOf: - - required: - - egressIP - - required: - - externalIPPool properties: appliedTo: - properties: - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - egressIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - externalIPPool: - type: string - required: - - appliedTo - type: object - status: - properties: - egressNode: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalentities.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalEntity - plural: externalentities - shortNames: - - ee - singular: externalentity - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - endpoints: items: properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 
- type: string - name: + group: type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object type: object type: array - externalNode: - type: string - ports: + egress: items: properties: - name: - type: string - port: - x-kubernetes-int-or-string: true - protocol: + action: enum: - - TCP - - UDP - - SCTP + - Allow + - Drop + - Reject + - Pass type: string - type: object - type: array - type: object - type: object - served: true - storage: true - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalippools.crd.antrea.io + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + 
podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + protocols: + items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp + properties: + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + type: object + type: array + to: + items: + properties: + fqdn: + type: string + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist 
+ type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + enum: + - Self + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + name: + type: string + protocols: + items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp + properties: + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: 
apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: 
externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io spec: group: crd.antrea.io names: 
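Review bot: In the ClusterNetworkPolicy v1alpha2 schema the egress `to[].namespaces.match` field is declared as a bare `type: string`, while the ingress `from[].namespaces.match` in the same hunk is constrained with `enum: [Self]`; the two sides should agree, otherwise an egress rule with a typo such as `match: self` is accepted by the API server and its meaning depends entirely on how the controller treats an unknown value. The fix is to add the same enum on the egress side: `match:` / `  enum:` / `  - Self`. The same asymmetry is present in the other overlays' copy of this CRD, so if these manifests are generated the change belongs in the CRD base. The priority bounds (`minimum: 1`, `maximum: 10000`) and the ICMP type/code bounds in this hunk are fine.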
@@ -1159,119 +1716,517 @@ metadata: spec: group: crd.antrea.io names: - kind: IPPool - plural: ippools + kind: IPPool + plural: ippools + shortNames: + - ipp + singular: ippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + vlan: + type: string + type: object + type: array + ipVersion: + type: integer + required: + - ipVersion + - ipRanges + type: object + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + containerID: + type: string + name: + type: string + namespace: + type: string + type: object + statefulSet: + properties: + index: + type: integer + name: + type: string + namespace: + type: string + type: object + type: object + phase: + type: string + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/networkpolicy + conversionReviewVersions: + - v1 + - v1beta1 + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies shortNames: - - ipp - singular: ippool - scope: Cluster + - anp + singular: networkpolicy + scope: Namespaced versions: - - name: v1alpha2 + - additionalPrinterColumns: + - description: The 
Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 schema: openAPIV3Schema: properties: spec: properties: - ipRanges: + appliedTo: items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - start: - oneOf: - - format: ipv4 - - format: ipv6 + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass type: string - vlan: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + fqdn: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + required: + - action type: object type: array - ipVersion: - type: integer - required: - - ipVersion - - ipRanges - type: object - status: - 
properties: - ipAddresses: + ingress: items: properties: - ipAddress: + action: + enum: + - Allow + - Drop + - Reject + - Pass type: string - owner: - properties: - pod: - properties: - containerID: - type: string - name: - type: string - namespace: - type: string - type: object - statefulSet: - properties: - index: - type: integer - name: - type: string - namespace: - type: string - type: object - type: object - phase: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + 
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + required: + - action type: object type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string type: object - required: - - spec type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: networkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: NetworkPolicy - plural: networkpolicies - shortNames: - - anp - singular: networkpolicy - scope: Namespaced - versions: - additionalPrinterColumns: - description: The Tier to which this Antrea NetworkPolicy belongs to. jsonPath: .spec.tier @@ -1295,7 +2250,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 + name: v1alpha2 schema: openAPIV3Schema: properties: 
@@ -1373,19 +2328,50 @@ spec: type: boolean name: type: string - ports: + protocols: items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object type: object type: array to: @@ -1614,19 +2600,50 @@ spec: type: array name: type: string - ports: + protocols: items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object type: object type: array required: @@ -3508,6 +4525,7 @@ webhooks: - apiGroups: - crd.antrea.io apiVersions: + - v1alpha2 - v1alpha1 operations: - CREATE @@ -3530,6 +4548,7 @@ webhooks: - apiGroups: - crd.antrea.io apiVersions: + - v1alpha2 - v1alpha1 operations: - CREATE 
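Review bot: In the new `protocols` item schema (hunk `@@ -1373,19 +2328,50 @@`), `endPort` under `tcp`, `udp` and `sctp` is a bare `type: integer` with no `minimum`/`maximum`, while the sibling `icmpType`/`icmpCode` are bounded to 0–255, so a negative or out-of-range end port is accepted by the API server and left for the controller to reject. Adding `minimum: 1` and `maximum: 65535` to each `endPort` (matching whatever range the controller actually accepts) would fail such objects at admission instead. The `endPort >= port` relation cannot be expressed in this schema, so that check presumably still lives in the validating webhook. The same schema is repeated in hunk `@@ -1614,19 +2600,50 @@` of this file and in the two corresponding hunks of antrea-kind.yml.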
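Review bot: Listing `v1alpha2` in the validating webhook's `apiVersions` (hunk `@@ -3508,6 +4525,7 @@`) means the webhook server will now receive AdmissionReview requests whose `request.kind.version` is `v1alpha2`, so the server-side validator must decode that version (with the new `protocols` structure) rather than assume v1alpha1; that server change is not visible in this manifest diff. The hunk also does not show `failurePolicy` or `matchPolicy`, so whether a decode failure for the new version fails closed cannot be confirmed here. The same addition appears in `@@ -3530,6 +4548,7 @@` below and in the two `webhooks` hunks of antrea-kind.yml.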
diff --git a/build/yamls/antrea-kind.yml b/build/yamls/antrea-kind.yml index a86fba2d046..8787543e777 100644 --- a/build/yamls/antrea-kind.yml +++ b/build/yamls/antrea-kind.yml @@ -377,6 +377,17 @@ metadata: app: antrea name: clusternetworkpolicies.crd.antrea.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/clusternetworkpolicy + conversionReviewVersions: + - v1 + - v1beta1 group: crd.antrea.io names: kind: ClusterNetworkPolicy 
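Review bot: The added `conversion.webhook.clientConfig` (hunk `@@ -377,6 +377,17 @@`) carries no `caBundle`, so as written the API server would verify the `antrea` service's certificate against its own trust roots rather than the controller's self-signed CA. Presumably the controller's CA-bundle syncing, which keeps the admission webhooks' `caBundle` current, is extended to patch the CRD's conversion `clientConfig` as well; confirm that both `clusternetworkpolicies.crd.antrea.io` and `networkpolicies.crd.antrea.io` are covered, since every read or write of the non-storage version goes through this endpoint and a missing bundle surfaces as a conversion failure for those objects. The same stanza appears in hunk `@@ -1159,119 +1716,517 @@` of this file (`/convert/networkpolicy`) and in the `@@ -377,6 +377,17 @@` hunk of antrea.yml.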
@@ -867,191 +878,737 @@ spec: type: object type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: egresses.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Egress - plural: egresses - shortNames: - - eg - singular: egress - scope: Cluster - versions: - additionalPrinterColumns: - - description: Specifies the SNAT IP address for the selected workloads. - jsonPath: .spec.egressIP - name: EgressIP + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number - jsonPath: .metadata.creationTimestamp name: Age type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string name: v1alpha2 schema: openAPIV3Schema: properties: spec: - anyOf: - - required: - - egressIP - - required: - - externalIPPool properties: appliedTo: - properties: - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - egressIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - externalIPPool: - type: string - required: - - appliedTo - type: object - status: - properties: - egressNode: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalentities.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalEntity - plural: externalentities - shortNames: - - ee - singular: externalentity - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - endpoints: items: properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 
- type: string - name: + group: type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object type: object type: array - externalNode: - type: string - ports: + egress: items: properties: - name: - type: string - port: - x-kubernetes-int-or-string: true - protocol: + action: enum: - - TCP - - UDP - - SCTP + - Allow + - Drop + - Reject + - Pass type: string - type: object - type: array - type: object - type: object - served: true - storage: true - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalippools.crd.antrea.io + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + 
podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + protocols: + items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp + properties: + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + type: object + type: array + to: + items: + properties: + fqdn: + type: string + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist 
+ type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + enum: + - Self + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + name: + type: string + protocols: + items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp + properties: + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: 
apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: 
externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io spec: group: crd.antrea.io names: 
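Review bot: In the new `v1alpha2` ClusterNetworkPolicy schema (hunk `@@ -867,191 +878,737 @@`), the egress `to[].namespaces.match` field is a plain `type: string`, while the ingress `from[].namespaces.match` field of the same version restricts it with `enum:` / `- Self`; an unrecognised value on the egress side therefore passes API-server validation and is left to the controller. The egress definition should carry the same `enum:` and `- Self` lines as the ingress one, and since antrea-aks.yml and antrea.yml appear to be identical generated copies of this manifest, the fix belongs in the source they are rendered from. Separately, flipping `v1alpha1` to `storage: false` and `v1alpha2` to `storage: true` does not rewrite existing objects: they stay stored as v1alpha1 and `status.storedVersions` keeps both entries until a storage-version migration rewrites them, so v1alpha1 cannot be dropped from this CRD (or from `networkpolicies.crd.antrea.io`, which hunk `@@ -1159,119 +1716,517 @@` flips the same way) before that runs.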
@@ -1159,119 +1716,517 @@ metadata: spec: group: crd.antrea.io names: - kind: IPPool - plural: ippools + kind: IPPool + plural: ippools + shortNames: + - ipp + singular: ippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + vlan: + type: string + type: object + type: array + ipVersion: + type: integer + required: + - ipVersion + - ipRanges + type: object + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + containerID: + type: string + name: + type: string + namespace: + type: string + type: object + statefulSet: + properties: + index: + type: integer + name: + type: string + namespace: + type: string + type: object + type: object + phase: + type: string + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/networkpolicy + conversionReviewVersions: + - v1 + - v1beta1 + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies shortNames: - - ipp - singular: ippool - scope: Cluster + - anp + singular: networkpolicy + scope: Namespaced versions: - - name: v1alpha2 + - additionalPrinterColumns: + - description: The 
Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 schema: openAPIV3Schema: properties: spec: properties: - ipRanges: + appliedTo: items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - start: - oneOf: - - format: ipv4 - - format: ipv6 + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass type: string - vlan: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + fqdn: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + required: + - action type: object type: array - ipVersion: - type: integer - required: - - ipVersion - - ipRanges - type: object - status: - 
properties: - ipAddresses: + ingress: items: properties: - ipAddress: + action: + enum: + - Allow + - Drop + - Reject + - Pass type: string - owner: - properties: - pod: - properties: - containerID: - type: string - name: - type: string - namespace: - type: string - type: object - statefulSet: - properties: - index: - type: integer - name: - type: string - namespace: - type: string - type: object - type: object - phase: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + 
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + required: + - action type: object type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string type: object - required: - - spec type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: networkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: NetworkPolicy - plural: networkpolicies - shortNames: - - anp - singular: networkpolicy - scope: Namespaced - versions: - additionalPrinterColumns: - description: The Tier to which this Antrea NetworkPolicy belongs to. jsonPath: .spec.tier @@ -1295,7 +2250,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 + name: v1alpha2 schema: openAPIV3Schema: properties: 
@@ -1373,19 +2328,50 @@ spec: type: boolean name: type: string - ports: + protocols: items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object type: object type: array to: @@ -1614,19 +2600,50 @@ spec: type: array name: type: string - ports: + protocols: items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object type: object type: array required: @@ -3460,6 +4477,7 @@ webhooks: - apiGroups: - crd.antrea.io apiVersions: + - v1alpha2 - v1alpha1 operations: - CREATE @@ -3482,6 +4500,7 @@ webhooks: - apiGroups: - crd.antrea.io apiVersions: + - v1alpha2 - v1alpha1 operations: - CREATE 
diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 2f66d1a14f3..5f1f4c7cf60 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -377,6 +377,17 @@ metadata: app: antrea name: clusternetworkpolicies.crd.antrea.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/clusternetworkpolicy + conversionReviewVersions: + - v1 + - v1beta1 group: crd.antrea.io names: kind: ClusterNetworkPolicy 
@@ -867,191 +878,737 @@ spec: type: object type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: egresses.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Egress - plural: egresses - shortNames: - - eg - singular: egress - scope: Cluster - versions: - additionalPrinterColumns: - - description: Specifies the SNAT IP address for the selected workloads. - jsonPath: .spec.egressIP - name: EgressIP + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number - jsonPath: .metadata.creationTimestamp name: Age type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string name: v1alpha2 schema: openAPIV3Schema: properties: spec: - anyOf: - - required: - - egressIP - - required: - - externalIPPool properties: appliedTo: - properties: - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - egressIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - externalIPPool: - type: string - required: - - appliedTo - type: object - status: - properties: - egressNode: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalentities.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalEntity - plural: externalentities - shortNames: - - ee - singular: externalentity - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - endpoints: items: properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 
- type: string - name: + group: type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object type: object type: array - externalNode: - type: string - ports: + egress: items: properties: - name: - type: string - port: - x-kubernetes-int-or-string: true - protocol: + action: enum: - - TCP - - UDP - - SCTP + - Allow + - Drop + - Reject + - Pass type: string - type: object - type: array - type: object - type: object - served: true - storage: true - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalippools.crd.antrea.io + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + 
podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + protocols: + items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp + properties: + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + type: object + type: array + to: + items: + properties: + fqdn: + type: string + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist 
+ type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + enum: + - Self + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + name: + type: string + protocols: + items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp + properties: + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: 
apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: 
externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io spec: group: crd.antrea.io names: 
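Review bot: In the new v1alpha2 ClusterNetworkPolicy schema, `ingress[].from[].namespaces.match` is restricted with `enum:` / `- Self`, but `egress[].to[].namespaces.match` in the same version is a bare `type: string`, so an egress peer with any other `match` value passes schema validation and is left to the webhook or the controller to reject. The two peers should carry the same constraint; adding `enum:` / `- Self` under the egress `match:` in base/crds.yml would bring the generated manifests in line (the `from` side of that file gets the enum in its `@@ -1412` hunk; the `to` side is not in view here). The same divergence is presumably present in the other generated manifests.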
@@ -1159,119 +1716,517 @@ metadata: spec: group: crd.antrea.io names: - kind: IPPool - plural: ippools + kind: IPPool + plural: ippools + shortNames: + - ipp + singular: ippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + vlan: + type: string + type: object + type: array + ipVersion: + type: integer + required: + - ipVersion + - ipRanges + type: object + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + containerID: + type: string + name: + type: string + namespace: + type: string + type: object + statefulSet: + properties: + index: + type: integer + name: + type: string + namespace: + type: string + type: object + type: object + phase: + type: string + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/networkpolicy + conversionReviewVersions: + - v1 + - v1beta1 + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies shortNames: - - ipp - singular: ippool - scope: Cluster + - anp + singular: networkpolicy + scope: Namespaced versions: - - name: v1alpha2 + - additionalPrinterColumns: + - description: The 
Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 schema: openAPIV3Schema: properties: spec: properties: - ipRanges: + appliedTo: items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - start: - oneOf: - - format: ipv4 - - format: ipv6 + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass type: string - vlan: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + fqdn: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + required: + - action type: object type: array - ipVersion: - type: integer - required: - - ipVersion - - ipRanges - type: object - status: - 
properties: - ipAddresses: + ingress: items: properties: - ipAddress: + action: + enum: + - Allow + - Drop + - Reject + - Pass type: string - owner: - properties: - pod: - properties: - containerID: - type: string - name: - type: string - namespace: - type: string - type: object - statefulSet: - properties: - index: - type: integer - name: - type: string - namespace: - type: string - type: object - type: object - phase: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + 
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + required: + - action type: object type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string type: object - required: - - spec type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: networkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: NetworkPolicy - plural: networkpolicies - shortNames: - - anp - singular: networkpolicy - scope: Namespaced - versions: - additionalPrinterColumns: - description: The Tier to which this Antrea NetworkPolicy belongs to. jsonPath: .spec.tier @@ -1295,7 +2250,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 + name: v1alpha2 schema: openAPIV3Schema: properties: 
@@ -1373,19 +2328,50 @@ spec: type: boolean name: type: string - ports: + protocols: items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object type: object type: array to: @@ -1614,19 +2600,50 @@ spec: type: array name: type: string - ports: + protocols: items: + oneOf: + - required: + - tcp + - required: + - udp + - required: + - sctp + - required: + - icmp properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string + icmp: + properties: + icmpCode: + maximum: 255 + minimum: 0 + type: integer + icmpType: + maximum: 255 + minimum: 0 + type: integer + type: object + sctp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + tcp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object + udp: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + type: object type: object type: array required: @@ -3464,6 +4481,7 @@ webhooks: - apiGroups: - crd.antrea.io apiVersions: + - v1alpha2 - v1alpha1 operations: - CREATE @@ -3486,6 +4504,7 @@ webhooks: - apiGroups: - crd.antrea.io apiVersions: + - v1alpha2 - v1alpha1 operations: - CREATE 
diff --git a/build/yamls/base/controller.yml b/build/yamls/base/controller.yml index 7ce4a28da36..c5e7e49b73a 100644 --- a/build/yamls/base/controller.yml +++ b/build/yamls/base/controller.yml @@ -102,7 +102,7 @@ webhooks: rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] + apiVersions: ["v1alpha2", "v1alpha1"] resources: ["clusternetworkpolicies"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] @@ -117,7 +117,7 @@ webhooks: rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] + apiVersions: ["v1alpha2", "v1alpha1"] resources: ["networkpolicies"] scope: "Namespaced" admissionReviewVersions: ["v1", "v1beta1"] diff --git a/build/yamls/base/crds.yml b/build/yamls/base/crds.yml index eb653d73fd5..c95b57e304d 100644 --- a/build/yamls/base/crds.yml +++ b/build/yamls/base/crds.yml @@ -718,7 +718,7 @@ spec: versions: - name: v1alpha1 served: true - storage: true + storage: false additionalPrinterColumns: - name: Tier type: string 
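Review bot: Flipping v1alpha1 to `storage: false` in the crds.yml `@@ -718` hunk changes the storage version without migrating what is already in etcd: existing objects stay serialized as v1alpha1, `status.storedVersions` keeps listing it, and the API server will refuse to drop v1alpha1 from the CRD until those objects are rewritten (a storage-version migration or a no-op update of each object). Every read of those objects now passes through the conversion webhook, which makes the webhook part of the availability path for policy configuration. A comment on the line, e.g. `# storage moved to v1alpha2; existing v1alpha1 objects need a storage version migration before v1alpha1 can be removed`, would record that. The same flip shows up in the generated antrea.yml at `@@ -867` and `@@ -1159`.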
@@ -1193,47 +1193,32 @@ spec: type: integer subresources: status: {} - scope: Cluster - names: - plural: clusternetworkpolicies - singular: clusternetworkpolicy - kind: ClusterNetworkPolicy - shortNames: - - acnp ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: networkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 + - name: v1alpha2 served: true storage: true additionalPrinterColumns: - - name: Tier - type: string - description: The Tier to which this Antrea NetworkPolicy belongs to. - jsonPath: .spec.tier - - name: Priority - type: number - format: float - description: The Priority of this Antrea NetworkPolicy relative to other policies. - jsonPath: .spec.priority - - name: Desired Nodes - type: number - format: int32 - description: The total number of Nodes that should realize the NetworkPolicy. - jsonPath: .status.desiredNodesRealized - - name: Current Nodes - type: number - format: int32 - description: The number of Nodes that have realized the NetworkPolicy. - jsonPath: .status.currentNodesRealized - - name: Age - type: date - jsonPath: .metadata.creationTimestamp + - name: Tier + type: string + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp schema: openAPIV3Schema: type: object 
@@ -1241,7 +1226,7 @@ spec: spec: # Ensure that Spec.Priority field is set required: - - priority + - priority type: object properties: tier: @@ -1256,7 +1241,7 @@ spec: type: array items: type: object - # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + # Ensure that Spec.AppliedTo does not allow IPBlock field properties: podSelector: type: object @@ -1270,10 +1255,34 @@ spec: type: string operator: enum: - - In - - NotIn - - Exists - - DoesNotExist + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist type: string values: type: array @@ -1282,18 +1291,30 @@ spec: pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace ingress: type: array items: type: object required: - - action + - action properties: appliedTo: type: array items: type: object - # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + # Ensure that rule AppliedTo does not allow IPBlock field properties: podSelector: type: object @@ -1307,10 +1328,10 @@ spec: type: string operator: enum: - - In - - NotIn - - Exists - - DoesNotExist + - In + - NotIn + - Exists + - DoesNotExist type: string values: type: array 
@@ -1319,28 +1340,7 @@ spec: pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true - # Ensure that Action field allows only ALLOW, DROP and REJECT values - action: - type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] - ports: - type: array - items: - type: object - properties: - protocol: - type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - x-kubernetes-int-or-string: true - endPort: - type: integer - from: - type: array - items: - type: object - properties: - podSelector: + namespaceSelector: type: object properties: matchExpressions: @@ -1352,10 +1352,10 @@ spec: type: string operator: enum: - - In - - NotIn - - Exists - - DoesNotExist + - In + - NotIn + - Exists + - DoesNotExist type: string values: type: array @@ -1364,7 +1364,70 @@ spec: pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true - namespaceSelector: + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + protocols: + type: array + items: + type: object + oneOf: + - required: [tcp] + - required: [udp] + - required: [sctp] + - required: [icmp] + properties: + tcp: + type: object + properties: + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + udp: + type: object + properties: + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sctp: + type: object + properties: + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + from: + type: array + items: + type: object + properties: + podSelector: type: object properties: matchExpressions: 
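Review bot: The comment `# Ensure that Action field allows only ALLOW, DROP and REJECT values` is added on the new side of the `@@ -1364` hunk above an enum that also admits `Pass`, and it uses upper-case names the enum does not, so it misdescribes the validation it sits on. Suggest `# Ensure that Action field allows only Allow, Drop, Reject and Pass values`. The same stale comment stands as a context line in the `@@ -1459` hunk of this file and could be fixed in the same commit.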
@@ -1376,10 +1439,10 @@ spec: type: string operator: enum: - - In - - NotIn - - Exists - - DoesNotExist + - In + - NotIn + - Exists + - DoesNotExist type: string values: type: array @@ -1388,7 +1451,7 @@ spec: pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: + namespaceSelector: type: object properties: matchExpressions: @@ -1400,10 +1463,10 @@ spec: type: string operator: enum: - - In - - NotIn - - Exists - - DoesNotExist + - In + - NotIn + - Exists + - DoesNotExist type: string values: type: array @@ -1412,12 +1475,31 @@ spec: pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + enum: + - Self + type: string ipBlock: type: object properties: cidr: type: string format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace name: type: string enableLogging: @@ -1427,13 +1509,13 @@ spec: items: type: object required: - - action + - action properties: appliedTo: type: array items: type: object - # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + # Ensure that rule AppliedTo does not allow IPBlock field properties: podSelector: type: object @@ -1447,10 +1529,34 @@ spec: type: string operator: enum: - - In - - NotIn - - Exists - - DoesNotExist + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist type: string values: type: array 
@@ -1459,23 +1565,64 @@ spec: pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace # Ensure that Action field allows only ALLOW, DROP and REJECT values action: type: string enum: ['Allow', 'Drop', 'Reject', 'Pass'] - ports: + protocols: type: array items: type: object + oneOf: + - required: [tcp] + - required: [udp] + - required: [sctp] + - required: [icmp] properties: - # Ensure that Protocol field allows only TCP, UDP and SCTP values - protocol: - type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - x-kubernetes-int-or-string: true - endPort: - type: integer + tcp: + type: object + properties: + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + udp: + type: object + properties: + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sctp: + type: object + properties: + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 to: type: array items: @@ -1493,10 +1640,10 @@ spec: type: string operator: enum: - - In - - NotIn - - Exists - - DoesNotExist + - In + - NotIn + - Exists + - DoesNotExist type: string values: type: array @@ -1517,10 +1664,10 @@ spec: type: string operator: enum: - - In - - NotIn - - Exists - - DoesNotExist + - In + - NotIn + - Exists + - DoesNotExist type: string values: type: array 
@@ -1529,20 +1676,254 @@ spec: pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: + namespaces: type: object properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn + match: + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: "antrea" + namespace: "kube-system" + path: "/convert/clusternetworkpolicy" + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: false + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. 
+ jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string 
+ enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn - Exists - DoesNotExist type: string 
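Review bot: In the ClusterNetworkPolicy v1alpha2 egress schema, `to[].namespaces.match` is declared as `type: string` with no enum, while the ingress counterpart `from[].namespaces.match` added in hunk `@@ -1412,12 +1475,31 @@` restricts the value to `Self`; as written the API server accepts any string on the egress side and the controller has to reject unexpected values itself. Unless egress is intended to accept additional values (the Go type would show that), add the same constraint under `match:`: `enum:` / `- Self`. The surrounding `to` item definition begins earlier in this hunk than the lines quoted here.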
@@ -1553,6 +1934,611 @@ spec: pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + # Ensure that Protocol field allows only TCP, UDP and SCTP values + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: 
string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + toServices: + type: array + items: + type: object + required: + - name + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + - name: v1alpha2 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. 
+ jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + protocols: + type: array + items: + type: object + oneOf: + - required: [tcp] + - required: [udp] + - required: 
[sctp] + - required: [icmp] + properties: + tcp: + type: object + properties: + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + udp: + type: object + properties: + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sctp: + type: object + properties: + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + 
type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + protocols: + type: array + items: + type: object + oneOf: + - required: [tcp] + - required: [udp] + - required: [sctp] + - required: [icmp] + properties: + tcp: + type: object + properties: + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + udp: + type: object + properties: + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sctp: + type: object + properties: + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true ipBlock: type: object properties: @@ -1589,6 +2575,15 @@ spec: type: integer subresources: status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: "antrea" + namespace: "kube-system" + path: "/convert/networkpolicy" scope: Namespaced names: plural: networkpolicies diff --git a/cmd/antrea-controller/controller.go b/cmd/antrea-controller/controller.go index 60a726591af..e354300c589 100644 --- a/cmd/antrea-controller/controller.go +++ b/cmd/antrea-controller/controller.go @@ -96,6 +96,8 @@ var allowedPaths = []string{ "/validate/egress", "/validate/ippool", "/convert/clustergroup", + "/convert/clusternetworkpolicy", + "/convert/networkpolicy", } // run starts Antrea Controller with the given options and waits for termination signal. 
@@ -115,9 +117,9 @@ func run(o *Options) error { serviceInformer := informerFactory.Core().V1().Services() networkPolicyInformer := informerFactory.Networking().V1().NetworkPolicies() nodeInformer := informerFactory.Core().V1().Nodes() - cnpInformer := crdInformerFactory.Crd().V1alpha1().ClusterNetworkPolicies() + cnpInformer := crdInformerFactory.Crd().V1alpha2().ClusterNetworkPolicies() eeInformer := crdInformerFactory.Crd().V1alpha2().ExternalEntities() - anpInformer := crdInformerFactory.Crd().V1alpha1().NetworkPolicies() + anpInformer := crdInformerFactory.Crd().V1alpha2().NetworkPolicies() tierInformer := crdInformerFactory.Crd().V1alpha1().Tiers() tfInformer := crdInformerFactory.Crd().V1alpha1().Traceflows() cgInformer := crdInformerFactory.Crd().V1alpha3().ClusterGroups() diff --git a/go.mod b/go.mod index 73ccd838ae9..759df86bf70 100644 --- a/go.mod +++ b/go.mod @@ -3,8 +3,8 @@ module antrea.io/antrea go 1.17 require ( - antrea.io/libOpenflow v0.6.1 - antrea.io/ofnet v0.2.3 + antrea.io/libOpenflow v0.6.2 + antrea.io/ofnet v0.5.2 github.com/Mellanox/sriovnet v1.0.2 github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331 github.com/Microsoft/hcsshim v0.8.9 diff --git a/go.sum b/go.sum index 10751fffa9e..ae52c6e5e54 100644 --- a/go.sum +++ b/go.sum 
@@ -1,8 +1,7 @@
-antrea.io/libOpenflow v0.5.2/go.mod h1:CzEJZxDNAupiGxeL5VOw92PsxfyvehEAvE3PiC6gr8o=
-antrea.io/libOpenflow v0.6.1 h1:RjYKz8WJTjerqu/J9ASygv+oF7Bu0jhIiqLnIIyZPhs=
-antrea.io/libOpenflow v0.6.1/go.mod h1:CzEJZxDNAupiGxeL5VOw92PsxfyvehEAvE3PiC6gr8o=
-antrea.io/ofnet v0.2.3 h1:wxXOqWaT5swtn9Ly6hV7pqvIgfmrr3aQfCGVQqHykr4=
-antrea.io/ofnet v0.2.3/go.mod h1:jW4ICTvGjLO+Qr6GG/Glmjy34k6k/TfVlQhOm76UH84=
+antrea.io/libOpenflow v0.6.2 h1:1JMSJ7Lp7yOhKybHey9VDtRI6JuIgkhUWJBX5GIFY9I=
+antrea.io/libOpenflow v0.6.2/go.mod h1:CzEJZxDNAupiGxeL5VOw92PsxfyvehEAvE3PiC6gr8o=
+antrea.io/ofnet v0.5.2 h1:xv5ncYeOudJPjdH1SjFoYoflTgQ2XX5Rg1Arva7ittg=
+antrea.io/ofnet v0.5.2/go.mod h1:8TJVF6MLe9/gZ/KbhGUvULs9/TxssepEaYEe+o1SEgs=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
diff --git a/pkg/agent/openflow/network_policy.go b/pkg/agent/openflow/network_policy.go
index fea261c7e6f..0713d15affe 100644
--- a/pkg/agent/openflow/network_policy.go
+++ b/pkg/agent/openflow/network_policy.go
@@ -51,6 +51,10 @@ var ( MatchTCPv6SrcPort = types.NewMatchKey(binding.ProtocolTCPv6, types.L4PortAddr, "tp_src") MatchUDPSrcPort = types.NewMatchKey(binding.ProtocolUDP, types.L4PortAddr, "tp_src") MatchUDPv6SrcPort = types.NewMatchKey(binding.ProtocolUDPv6, types.L4PortAddr, "tp_src") + MatchICMPType = types.NewMatchKey(binding.ProtocolICMP, types.ICMPAddr, "icmp_type") + MatchICMPCode = types.NewMatchKey(binding.ProtocolICMP, types.ICMPAddr, "icmp_code") + MatchICMPv6Type = types.NewMatchKey(binding.ProtocolICMPv6, types.ICMPAddr, "icmpv6_type") + MatchICMPv6Code = types.NewMatchKey(binding.ProtocolICMPv6, types.ICMPAddr, "icmpv6_code") MatchServiceGroupID = types.NewMatchKey(binding.ProtocolIP, types.ServiceGroupIDAddr, "reg7[0..31]") Unsupported = types.NewMatchKey(binding.ProtocolIP, types.UnSupported, "unknown") @@ -203,13 +207,17 @@ func newConjunctionNotFound(conjunctionID uint32) *ConjunctionNotFound { type conjunctiveMatch struct { tableID uint8 priority *uint16 + matchPairs []matchPair +} + +type matchPair struct { matchKey *types.MatchKey matchValue interface{} } -func (m *conjunctiveMatch) generateGlobalMapKey() string { - var valueStr, priorityStr string +func (m *matchPair) KeyString() string { matchType := m.matchKey + var valueStr string switch v := m.matchValue.(type) { case net.IP: // Use the unique format "x.x.x.x/xx" for IP address and IP net, to avoid generating two different global map 
@@ -245,16 +253,28 @@ func (m *conjunctiveMatch) generateGlobalMapKey() string { // To normalize the key, set full mask while a single port is provided. valueStr = fmt.Sprintf("%d/65535", bitRange.Value) } + case *int32: + // This cases include the matchValue is ICMPType or ICMPCode. + valueStr = fmt.Sprintf("%d", *m.matchValue.(*int32)) default: // The default cases include the matchValue is an ofport Number. valueStr = fmt.Sprintf("%s", m.matchValue) } + return fmt.Sprintf("%v=%s", matchType, valueStr) +} + +func (m *conjunctiveMatch) generateGlobalMapKey() string { + var priorityStr string + var matchPairStrList []string + for _, eachMatchPair := range m.matchPairs { + matchPairStrList = append(matchPairStrList, eachMatchPair.KeyString()) + } if m.priority == nil { priorityStr = strconv.Itoa(int(priorityNormal)) } else { priorityStr = strconv.Itoa(int(*m.priority)) } - return fmt.Sprintf("table:%d,priority:%s,type:%v,value:%s", m.tableID, priorityStr, matchType, valueStr) + return fmt.Sprintf("table:%d,priority:%s,matchPair:%s", m.tableID, priorityStr, strings.Join(matchPairStrList, ",")) } // changeType is generally used to describe the change type of a conjMatchFlowContext. It is also used in "flowChange" @@ -329,7 +349,7 @@ func (ctx *conjMatchFlowContext) createOrUpdateConjunctiveMatchFlow(actions []*c // Create the conjunctive match flow entry. The actions here should not be empty for either add or update case. // The expected operation for a new Openflow entry should be "insertion". - flow := ctx.client.conjunctiveMatchFlow(ctx.tableID, ctx.matchKey, ctx.matchValue, ctx.priority, actions) + flow := ctx.client.conjunctiveMatchFlow(ctx.tableID, ctx.matchPairs, ctx.priority, actions) return &flowChange{ flow: flow, changeType: insertion, 
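Review bot: In `KeyString`, the new `case *int32:` re-asserts `m.matchValue.(*int32)` although the type switch already binds `v` to that type; `valueStr = strconv.Itoa(int(*v))` says the same thing without the second assertion (strconv is already used a few lines below). The ICMP pairs that getServiceMatchPairs builds with `matchValue: nil` when neither type nor code is set fall through to the `default:` branch here, where `fmt.Sprintf("%s", nil)` yields the literal `%!s(<nil>)` inside the global cache key; it is deterministic, so lookups still work, but an explicit `case nil:` with a fixed marker such as `valueStr = "any"` makes the intent visible and keeps the key readable in logs. The comment `This cases include the matchValue is ICMPType or ICMPCode.` should read `This case covers ICMP type and code values.`. KeyString's head is outside this hunk.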
@@ -616,7 +636,7 @@ func (c *clause) addConjunctiveMatchFlow(client *client, match *conjunctiveMatch // Generate the default drop flow if dropTable is not nil and the default drop flow is not set yet. if c.dropTable != nil && context.dropFlow == nil { dropFlow = &flowChange{ - flow: context.client.defaultDropFlow(c.dropTable, match.matchKey, match.matchValue), + flow: context.client.defaultDropFlow(c.dropTable, match.matchPairs), changeType: insertion, } } @@ -655,8 +675,7 @@ func generateAddressConjMatch(ruleTableID uint8, addr types.Address, addrType ty matchValue := addr.GetValue() match := &conjunctiveMatch{ tableID: ruleTableID, - matchKey: matchKey, - matchValue: matchValue, + matchPairs: []matchPair{{matchKey: matchKey, matchValue: matchValue}}, priority: priority, } return match 
@@ -710,22 +729,99 @@ func getServiceMatchType(protocol *v1beta2.Protocol, ipv4Enabled, ipv6Enabled, m return matchKeys } -func generateServicePortConjMatches(ruleTableID uint8, service v1beta2.Service, priority *uint16, ipv4Enabled, ipv6Enabled, matchSrc bool) []*conjunctiveMatch { - matchKeys := getServiceMatchType(service.Protocol, ipv4Enabled, ipv6Enabled, matchSrc) - ovsBitRanges := serviceToBitRanges(service) +func generateServiceConjMatches(ruleTableID uint8, service v1beta2.Service, priority *uint16, ipv4Enabled, ipv6Enabled, matchSrc bool) []*conjunctiveMatch { var matches []*conjunctiveMatch - for _, matchKey := range matchKeys { + conjMatchesMatchPairs := getServiceMatchPairs(service, ipv4Enabled, ipv6Enabled, matchSrc) + for _, conjMatchMatchPairs := range conjMatchesMatchPairs { + matches = append(matches, + &conjunctiveMatch{ + tableID: ruleTableID, + matchPairs: conjMatchMatchPairs, + priority: priority, + }) + } + return matches +} + +func getServiceMatchPairs(service v1beta2.Service, ipv4Enabled, ipv6Enabled, matchSrc bool) [][]matchPair { + var conjMatchesMatchPairs [][]matchPair + ovsBitRanges := serviceToBitRanges(service) + addL4MatchPairs := func(matchKey *types.MatchKey) { for _, ovsBitRange := range ovsBitRanges { - matches = append(matches, - &conjunctiveMatch{ - tableID: ruleTableID, - matchKey: matchKey, - matchValue: ovsBitRange, - priority: priority, - }) + conjMatchesMatchPairs = append(conjMatchesMatchPairs, []matchPair{{matchKey: matchKey, matchValue: ovsBitRange}}) } } - return matches + switch *service.Protocol { + case v1beta2.ProtocolTCP: + if !matchSrc { + if ipv4Enabled { + addL4MatchPairs(MatchTCPDstPort) + } + if ipv6Enabled { + addL4MatchPairs(MatchTCPv6DstPort) + } + } else { + if ipv4Enabled { + addL4MatchPairs(MatchTCPSrcPort) + } + if ipv6Enabled { + addL4MatchPairs(MatchTCPv6SrcPort) + } + } + case v1beta2.ProtocolUDP: + if !matchSrc { + if ipv4Enabled { + addL4MatchPairs(MatchUDPDstPort) + } + if ipv6Enabled { + 
addL4MatchPairs(MatchUDPv6DstPort) + } + } else { + if ipv4Enabled { + addL4MatchPairs(MatchUDPSrcPort) + } + if ipv6Enabled { + addL4MatchPairs(MatchUDPv6SrcPort) + } + } + case v1beta2.ProtocolSCTP: + if ipv4Enabled { + addL4MatchPairs(MatchSCTPDstPort) + } + if ipv6Enabled { + addL4MatchPairs(MatchSCTPv6DstPort) + } + case v1beta2.ProtocolICMP: + if ipv4Enabled { + var matchPairs []matchPair + if service.ICMPType != nil { + matchPairs = append(matchPairs, matchPair{matchKey: MatchICMPType, matchValue: service.ICMPType}) + } + if service.ICMPCode != nil { + matchPairs = append(matchPairs, matchPair{matchKey: MatchICMPCode, matchValue: service.ICMPCode}) + } + if len(matchPairs) == 0 { + matchPairs = append(matchPairs, matchPair{matchKey: MatchICMPType, matchValue: nil}) + } + conjMatchesMatchPairs = append(conjMatchesMatchPairs, matchPairs) + } + if ipv6Enabled { + var matchPairs []matchPair + if service.ICMPType != nil { + matchPairs = append(matchPairs, matchPair{matchKey: MatchICMPv6Type, matchValue: service.ICMPType}) + } + if service.ICMPCode != nil { + matchPairs = append(matchPairs, matchPair{matchKey: MatchICMPv6Code, matchValue: service.ICMPCode}) + } + if len(matchPairs) == 0 { + matchPairs = append(matchPairs, matchPair{matchKey: MatchICMPv6Type, matchValue: nil}) + } + conjMatchesMatchPairs = append(conjMatchesMatchPairs, matchPairs) + } + default: + addL4MatchPairs(MatchTCPDstPort) + } + return conjMatchesMatchPairs } // serviceToBitRanges converts a Service to a list of BitRange. 
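Review bot: `switch *service.Protocol` in getServiceMatchPairs dereferences `service.Protocol` unconditionally; the replaced `getServiceMatchType` received the pointer itself, and if that helper tolerated a nil protocol (its body is outside this hunk) this is a new nil-pointer panic path for a Service with no protocol set. The `default:` branch already treats an unknown protocol as TCP, so resolving the pointer first preserves that behaviour: `protocol := v1beta2.ProtocolTCP`, `if service.Protocol != nil { protocol = *service.Protocol }`, then `switch protocol {`. Separately, that `default:` fallback calls `addL4MatchPairs(MatchTCPDstPort)` regardless of ipv4Enabled, ipv6Enabled and matchSrc, unlike every named case; if it is meant as a TCP fallback it should take the same path as the `v1beta2.ProtocolTCP` case.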
@@ -782,7 +878,7 @@ func (c *clause) addAddrFlows(client *client, addrType types.AddressType, addres func (c *clause) addServiceFlows(client *client, ports []v1beta2.Service, priority *uint16, matchSrc bool) []*conjMatchFlowContextChange { var conjMatchFlowContextChanges []*conjMatchFlowContextChange for _, port := range ports { - matches := generateServicePortConjMatches(c.ruleTable.GetID(), port, priority, client.networkConfig.IPv4Enabled, client.networkConfig.IPv6Enabled, matchSrc) + matches := generateServiceConjMatches(c.ruleTable.GetID(), port, priority, client.networkConfig.IPv4Enabled, client.networkConfig.IPv6Enabled, matchSrc) for _, match := range matches { ctxChange := c.addConjunctiveMatchFlow(client, match) conjMatchFlowContextChanges = append(conjMatchFlowContextChanges, ctxChange) @@ -995,7 +1091,7 @@ func (c *client) addRuleToConjunctiveMatch(conj *policyRuleConjunction, rule *ty } if conj.serviceClause != nil { for _, port := range rule.Service { - matches := generateServicePortConjMatches(conj.serviceClause.ruleTable.GetID(), port, rule.Priority, c.networkConfig.IPv4Enabled, c.networkConfig.IPv6Enabled, false) + matches := generateServiceConjMatches(conj.serviceClause.ruleTable.GetID(), port, rule.Priority, c.networkConfig.IPv4Enabled, c.networkConfig.IPv6Enabled, false) for _, match := range matches { c.addActionToConjunctiveMatch(conj.serviceClause, match) } @@ -1025,7 +1121,7 @@ func (c *client) addActionToConjunctiveMatch(clause *clause, match *conjunctiveM } // Generate the default drop flow if dropTable is not nil. if clause.dropTable != nil { - context.dropFlow = context.client.defaultDropFlow(clause.dropTable, match.matchKey, match.matchValue) + context.dropFlow = context.client.defaultDropFlow(clause.dropTable, match.matchPairs) } c.globalConjMatchFlowCache[matcherKey] = context } 
@@ -1068,7 +1164,7 @@ func (c *client) BatchInstallPolicyRuleFlows(ofPolicyRules []*types.PolicyRule) for _, action := range ctx.actions { actions = append(actions, action) } - ctx.flow = c.conjunctiveMatchFlow(ctx.tableID, ctx.matchKey, ctx.matchValue, ctx.priority, actions) + ctx.flow = c.conjunctiveMatchFlow(ctx.tableID, ctx.matchPairs, ctx.priority, actions) allFlows = append(allFlows, ctx.flow) } if ctx.dropFlow != nil { diff --git a/pkg/agent/openflow/pipeline.go b/pkg/agent/openflow/pipeline.go index 06a7a9db641..6a9c6b6c9c1 100644 --- a/pkg/agent/openflow/pipeline.go +++ b/pkg/agent/openflow/pipeline.go @@ -1993,6 +1993,26 @@ func (c *client) addFlowMatch(fb binding.FlowBuilder, matchKey *types.MatchKey, if portValue.Value > 0 { fb = fb.MatchSrcPort(portValue.Value, portValue.Mask) } + case MatchICMPType: + fb = fb.MatchProtocol(matchKey.GetOFProtocol()) + if matchValue != nil { + fb = fb.MatchICMPType(uint8(*matchValue.(*int32))) + } + case MatchICMPCode: + fb = fb.MatchProtocol(matchKey.GetOFProtocol()) + if matchValue != nil { + fb = fb.MatchICMPCode(uint8(*matchValue.(*int32))) + } + case MatchICMPv6Type: + fb = fb.MatchProtocol(matchKey.GetOFProtocol()) + if matchValue != nil { + fb = fb.MatchICMPv6Type(uint8(*matchValue.(*int32))) + } + case MatchICMPv6Code: + fb = fb.MatchProtocol(matchKey.GetOFProtocol()) + if matchValue != nil { + fb = fb.MatchICMPv6Code(uint8(*matchValue.(*int32))) + } case MatchServiceGroupID: fb = fb.MatchRegFieldWithValue(ServiceGroupIDField, matchValue.(uint32)) } 
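Review bot: The four new ICMP cases in addFlowMatch narrow `*matchValue.(*int32)` to uint8 without a range check, so a type or code outside 0..255 wraps silently (256 becomes 0) and the installed flow matches a different ICMP type than the policy named. The CRD schema in this commit bounds icmpType/icmpCode with minimum 0 / maximum 255, but the agent consumes controlplane objects rather than the CRD, so the invariant is enforced one hop away; at minimum record it at the first case with `// icmpType/icmpCode are bounded to 0..255 by the CRD schema; a value outside that range would wrap here.`, and preferably validate the range in the controller when it builds the v1beta2 Service so an out-of-range value is rejected rather than reinterpreted. addFlowMatch starts and ends outside this hunk.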
@@ -2015,7 +2035,7 @@ func (c *client) conjunctionExceptionFlow(conjunctionID uint32, tableID uint8, n
 }
 
 // conjunctiveMatchFlow generates the flow to set conjunctive actions if the match condition is matched.
-func (c *client) conjunctiveMatchFlow(tableID uint8, matchKey *types.MatchKey, matchValue interface{}, priority *uint16, actions []*conjunctiveAction) binding.Flow {
+func (c *client) conjunctiveMatchFlow(tableID uint8, matchPairs []matchPair, priority *uint16, actions []*conjunctiveAction) binding.Flow {
 var ofPriority uint16
 if priority != nil {
 ofPriority = *priority
@@ -2023,7 +2043,9 @@ func (c *client) conjunctiveMatchFlow(tableID uint8, matchKey *types.MatchKey, m
 ofPriority = priorityNormal
 }
 fb := getTableByID(tableID).BuildFlow(ofPriority)
- fb = c.addFlowMatch(fb, matchKey, matchValue)
+ for _, eachMatchPair := range matchPairs {
+ fb = c.addFlowMatch(fb, eachMatchPair.matchKey, eachMatchPair.matchValue)
+ }
 if c.deterministic {
 sort.Sort(conjunctiveActionsInOrder(actions))
 }
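Review bot: With the match fields now applied in a loop, an empty `matchPairs` slice yields a flow at `ofPriority` with no match at all, whereas the old signature always applied exactly one matchKey; the same applies to defaultDropFlow in the next hunk, where an empty slice would install a priorityNormal drop flow with no match in the drop table. Whether any caller can produce an empty slice is not visible here (generateServiceConjMatches is outside this diff), so either a guard or a comment stating the non-empty precondition at the top of both functions would make the contract explicit. The doc comment was also left describing a single "match condition"; suggest `// conjunctiveMatchFlow generates the flow to set conjunctive actions when every entry in matchPairs is matched.` conjunctiveMatchFlow's body continues past the second hunk.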
@@ -2034,19 +2056,20 @@ func (c *client) conjunctiveMatchFlow(tableID uint8, matchKey *types.MatchKey, m
 }
 
 // defaultDropFlow generates the flow to drop packets if the match condition is matched.
-func (c *client) defaultDropFlow(table binding.Table, matchKey *types.MatchKey, matchValue interface{}) binding.Flow {
+func (c *client) defaultDropFlow(table binding.Table, matchPairs []matchPair) binding.Flow {
 fb := table.BuildFlow(priorityNormal)
+ for _, eachMatchPair := range matchPairs {
+ fb = c.addFlowMatch(fb, eachMatchPair.matchKey, eachMatchPair.matchValue)
+ }
 if c.enableDenyTracking {
- return c.addFlowMatch(fb, matchKey, matchValue).
- Action().Drop().
+ return fb.Action().Drop().
 Action().LoadRegMark(DispositionDropRegMark).
 Action().LoadRegMark(CustomReasonDenyRegMark).
 Action().SendToController(uint8(PacketInReasonNP)).
 Cookie(c.cookieAllocator.Request(cookie.Default).Raw()).
 Done()
 }
- return c.addFlowMatch(fb, matchKey, matchValue).
- Action().Drop().
+ return fb.Action().Drop().
 Cookie(c.cookieAllocator.Request(cookie.Default).Raw()).
 Done()
 }
diff --git a/pkg/agent/types/networkpolicy.go b/pkg/agent/types/networkpolicy.go
index 4bac731c221..a0a90d1bb13 100644
--- a/pkg/agent/types/networkpolicy.go
+++ b/pkg/agent/types/networkpolicy.go
@@ -53,6 +53,7 @@ const (
 IPNetAddr
 OFPortAddr
 L4PortAddr
+ ICMPAddr
 ServiceGroupIDAddr
 UnSupported
 )
diff --git a/pkg/apis/controlplane/types.go b/pkg/apis/controlplane/types.go
index a598d860c4e..0810b706023 100644
--- a/pkg/apis/controlplane/types.go
+++ b/pkg/apis/controlplane/types.go
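Review bot: `ICMPAddr` is inserted between `L4PortAddr` and `ServiceGroupIDAddr`, which, if this block is iota-based as its shape suggests, renumbers `ServiceGroupIDAddr` and `UnSupported`. That is harmless as long as these values are never persisted, emitted as numbers, or compared against a component built from another version; if any of that applies, placing `ICMPAddr` after `ServiceGroupIDAddr` (keeping `UnSupported` last) preserves the existing numbering. The enclosing `const (` line is outside the hunk.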
@@ -246,21 +246,29 @@ const (
 ProtocolUDP Protocol = "UDP"
 // ProtocolSCTP is the SCTP protocol.
 ProtocolSCTP Protocol = "SCTP"
+ // ProtocolICMP is the ICMP protocol.
+ ProtocolICMP Protocol = "ICMP"
 )
 
 // Service describes a port to allow traffic on.
 type Service struct {
- // The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this
+ // The protocol (TCP, UDP, SCTP, or ICMP) which traffic must match. If not specified, this
 // field defaults to TCP.
 // +optional
 Protocol *Protocol
- // The port name or number on the given protocol. If not specified, this matches all port numbers.
+ // Port and EndPort can only be specified, when the Protocol is TCP, UDP, or SCTP.
+ // Port defines the port name or number on the given protocol. If not specified
+ // and the Protocol is TCP, UDP, or SCTP, this matches all port numbers.
 // +optional
 Port *intstr.IntOrString
 // EndPort defines the end of the port range, being the end included within the range.
 // It can only be specified when a numerical `port` is specified.
 // +optional
 EndPort *int32
+ // ICMPType and ICMPCode can only be specified, when the Protocol is ICMP. If they
+ // both are not specified and the Protocol is ICMP, this matches all ICMP traffic.
+ ICMPType *int32
+ ICMPCode *int32
 }
 
 // NetworkPolicyPeer describes a peer of NetworkPolicyRules.
diff --git a/pkg/apis/controlplane/v1beta2/generated.pb.go b/pkg/apis/controlplane/v1beta2/generated.pb.go
index ea273ba182b..fe6df1e155f 100644
--- a/pkg/apis/controlplane/v1beta2/generated.pb.go
+++ b/pkg/apis/controlplane/v1beta2/generated.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2021 Antrea Authors
+// Copyright 2022 Antrea Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
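Review bot: `ICMPType` and `ICMPCode` are the only Service fields without a `// +optional` marker, and their shared comment states a constraint ("can only be specified when the Protocol is ICMP") that nothing in this type enforces, so the reader is left to assume a validating layer exists elsewhere. The v1beta2 copy in the later hunk of pkg/apis/controlplane/v1beta2/types.go marks only ICMPType optional and gives ICMPCode no comment at all, so generated API documentation will attribute the whole paragraph to ICMPType. Suggest giving each field its own comment and `// +optional` line in both files and stating the range the datapath can honour, e.g. `// ICMPType is the ICMP type to match; valid values are 0-255.` and `// ICMPCode is the ICMP code to match; valid values are 0-255.`, which would also flow into generated.proto where `icmpType` and `icmpCode` currently carry no description.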
@@ -896,126 +896,128 @@ func init() { } var fileDescriptor_fbaa7d016762fa1d = []byte{ - // 1892 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x59, 0x4d, 0x6c, 0x23, 0x49, - 0x15, 0x4e, 0xfb, 0x27, 0x89, 0x5f, 0x9c, 0xc4, 0xa9, 0xec, 0x30, 0x66, 0x19, 0xec, 0x6c, 0xf3, - 0xa3, 0x1c, 0xd8, 0xf6, 0x26, 0xcc, 0xee, 0x0c, 0xec, 0x0f, 0xc4, 0x9b, 0x4c, 0x64, 0x69, 0xd6, - 0x6b, 0x2a, 0x59, 0x8d, 0x84, 0x58, 0xd8, 0x4e, 0x77, 0xd9, 0x69, 0xd2, 0xee, 0x6a, 0xba, 0xcb, - 0x61, 0x22, 0x24, 0xb4, 0x08, 0x38, 0x2c, 0x20, 0xc1, 0x8d, 0x33, 0x27, 0x2e, 0x9c, 0xb9, 0x73, - 0x40, 0x1a, 0x71, 0x5a, 0x84, 0x10, 0x7b, 0xb2, 0x18, 0x23, 0x40, 0x1c, 0xb8, 0x71, 0xca, 0x5e, - 0x50, 0x55, 0x57, 0xff, 0x3a, 0x9e, 0x8c, 0x27, 0x99, 0x20, 0xb1, 0x7b, 0xb2, 0xbb, 0xea, 0xbd, - 0xf7, 0xbd, 0x57, 0xdf, 0xab, 0xf7, 0xaa, 0xba, 0xe1, 0x35, 0xdd, 0x61, 0x1e, 0xd1, 0x35, 0x8b, - 0x36, 0x82, 0x7f, 0x0d, 0xf7, 0xa8, 0xd7, 0xd0, 0x5d, 0xcb, 0x6f, 0x18, 0xd4, 0x61, 0x1e, 0xb5, - 0x5d, 0x5b, 0x77, 0x48, 0xe3, 0x78, 0xe3, 0x80, 0x30, 0x7d, 0xb3, 0xd1, 0x23, 0x0e, 0xf1, 0x74, - 0x46, 0x4c, 0xcd, 0xf5, 0x28, 0xa3, 0x48, 0x0b, 0xb4, 0xbe, 0x65, 0x51, 0xf9, 0x4f, 0x73, 0x8f, - 0x7a, 0x1a, 0xd7, 0xd7, 0x92, 0xfa, 0x9a, 0xd4, 0x7f, 0xf6, 0xf6, 0x64, 0x3c, 0x9f, 0xe9, 0xcc, - 0x6f, 0x1c, 0x6f, 0xe8, 0xb6, 0x7b, 0xa8, 0x6f, 0x64, 0x91, 0x9e, 0x7d, 0xbe, 0x67, 0xb1, 0xc3, - 0xc1, 0x81, 0x66, 0xd0, 0x7e, 0xa3, 0x47, 0x7b, 0xb4, 0x21, 0x86, 0x0f, 0x06, 0x5d, 0xf1, 0x24, - 0x1e, 0xc4, 0x3f, 0x29, 0x7e, 0xf3, 0xe8, 0xb6, 0x2f, 0x50, 0x5c, 0xab, 0xaf, 0x1b, 0x87, 0x96, - 0x43, 0xbc, 0x93, 0x18, 0xab, 0x4f, 0x98, 0xde, 0x38, 0x1e, 0x07, 0x69, 0x4c, 0xd2, 0xf2, 0x06, - 0x0e, 0xb3, 0xfa, 0x64, 0x4c, 0xe1, 0xa5, 0xf3, 0x14, 0x7c, 0xe3, 0x90, 0xf4, 0xf5, 0x31, 0xbd, - 0x2f, 0x4e, 0xd2, 0x1b, 0x30, 0xcb, 0x6e, 0x58, 0x0e, 0xf3, 0x99, 0x97, 0x55, 0x52, 0xff, 0xa9, - 0x40, 0x79, 0xcb, 0x34, 0x3d, 0xe2, 0xfb, 0xbb, 0x1e, 0x1d, 0xb8, 0xe8, 0x1d, 0x98, 0xe7, 0x91, - 
0x98, 0x3a, 0xd3, 0xab, 0xca, 0x9a, 0xb2, 0xbe, 0xb0, 0xf9, 0x82, 0x16, 0x18, 0xd6, 0x92, 0x86, - 0x63, 0x4e, 0xb8, 0xb4, 0x76, 0xbc, 0xa1, 0xbd, 0x79, 0xf0, 0x6d, 0x62, 0xb0, 0x37, 0x08, 0xd3, - 0x9b, 0xe8, 0xc1, 0xb0, 0x3e, 0x33, 0x1a, 0xd6, 0x21, 0x1e, 0xc3, 0x91, 0x55, 0x34, 0x80, 0x72, - 0x8f, 0x43, 0xbd, 0x41, 0xfa, 0x07, 0xc4, 0xf3, 0xab, 0xb9, 0xb5, 0xfc, 0xfa, 0xc2, 0xe6, 0xcb, - 0x53, 0xd2, 0xae, 0xed, 0xc6, 0x36, 0x9a, 0xcf, 0x48, 0xc0, 0x72, 0x62, 0xd0, 0xc7, 0x29, 0x18, - 0xf5, 0x4f, 0x0a, 0x54, 0x92, 0x91, 0xde, 0xb5, 0x7c, 0x86, 0xbe, 0x31, 0x16, 0xad, 0xf6, 0x78, - 0xd1, 0x72, 0x6d, 0x11, 0x6b, 0x45, 0x42, 0xcf, 0x87, 0x23, 0x89, 0x48, 0x75, 0x28, 0x5a, 0x8c, - 0xf4, 0xc3, 0x10, 0x5f, 0x99, 0x36, 0xc4, 0xa4, 0xbb, 0xcd, 0x45, 0x09, 0x54, 0x6c, 0x71, 0x93, - 0x38, 0xb0, 0xac, 0xbe, 0x97, 0x87, 0x95, 0xa4, 0x58, 0x47, 0x67, 0xc6, 0xe1, 0x15, 0x90, 0xf8, - 0x23, 0x05, 0x56, 0x74, 0xd3, 0x24, 0xe6, 0xee, 0x25, 0x53, 0xf9, 0x49, 0x09, 0xcb, 0xa3, 0x4a, - 0x5b, 0xc7, 0xe3, 0x80, 0xe8, 0x27, 0x0a, 0xac, 0x7a, 0xa4, 0x4f, 0x8f, 0x33, 0x8e, 0xe4, 0x2f, - 0xee, 0xc8, 0xa7, 0xa4, 0x23, 0xab, 0x78, 0xdc, 0x3e, 0x3e, 0x0b, 0x54, 0xfd, 0x97, 0x02, 0x4b, - 0x5b, 0xae, 0x6b, 0x5b, 0xc4, 0xdc, 0xa7, 0xff, 0xe7, 0xbb, 0xe9, 0x2f, 0x0a, 0xa0, 0x74, 0xac, - 0x57, 0xb0, 0x9f, 0x8c, 0xf4, 0x7e, 0x7a, 0x6d, 0xea, 0xfd, 0x94, 0x72, 0x78, 0xc2, 0x8e, 0xfa, - 0x69, 0x1e, 0x56, 0xd3, 0x82, 0x1f, 0xef, 0xa9, 0xff, 0xdd, 0x9e, 0xfa, 0x30, 0x07, 0xab, 0xaf, - 0xdb, 0x03, 0x9f, 0x11, 0x2f, 0xe5, 0xe4, 0xd3, 0x67, 0xe3, 0x07, 0x0a, 0x54, 0x48, 0xb7, 0x4b, - 0x0c, 0x66, 0x1d, 0x93, 0x4b, 0x24, 0xa3, 0x2a, 0x51, 0x2b, 0x3b, 0x19, 0xe3, 0x78, 0x0c, 0x0e, - 0x7d, 0x1f, 0x56, 0xa2, 0xb1, 0x56, 0xa7, 0x69, 0x53, 0xe3, 0x28, 0xe4, 0xe1, 0xc5, 0x69, 0x7d, - 0x68, 0x75, 0xda, 0x84, 0xc5, 0xa9, 0xb0, 0x93, 0xb5, 0x8b, 0xc7, 0xa1, 0xd4, 0x7f, 0x28, 0xb0, - 0xb0, 0xd3, 0xfb, 0x08, 0x1c, 0x0e, 0xfe, 0xa8, 0xc0, 0x72, 0x22, 0xd0, 0x2b, 0xa8, 0x65, 0xef, - 0xa4, 0x6b, 0xd9, 0xd4, 0x11, 0x26, 
0xbc, 0x9d, 0x50, 0xc8, 0x7e, 0x96, 0x87, 0x4a, 0x42, 0x2a, - 0xa8, 0x62, 0x26, 0x00, 0x8d, 0xd6, 0xfd, 0x52, 0x39, 0x4c, 0xd8, 0xfd, 0xb8, 0x92, 0x9d, 0x51, - 0xc9, 0x6c, 0xb8, 0xbe, 0x73, 0x9f, 0x11, 0xcf, 0xd1, 0xed, 0x1d, 0x87, 0x59, 0xec, 0x04, 0x93, - 0x2e, 0xf1, 0x88, 0x63, 0x10, 0xb4, 0x06, 0x05, 0x47, 0xef, 0x13, 0x41, 0x47, 0xa9, 0x59, 0x96, - 0xa6, 0x0b, 0x6d, 0xbd, 0x4f, 0xb0, 0x98, 0x41, 0x0d, 0x28, 0xf1, 0x5f, 0xdf, 0xd5, 0x0d, 0x52, - 0xcd, 0x09, 0xb1, 0x15, 0x29, 0x56, 0x6a, 0x87, 0x13, 0x38, 0x96, 0x51, 0x3f, 0x54, 0xa0, 0x22, - 0xe0, 0xb7, 0x7c, 0x9f, 0x1a, 0x96, 0xce, 0x2c, 0xea, 0x5c, 0x4d, 0x0b, 0xab, 0xe8, 0x12, 0x51, - 0xc6, 0xff, 0xc4, 0xdd, 0x5a, 0x68, 0x47, 0x8b, 0x14, 0xd7, 0xcd, 0xad, 0x8c, 0x7d, 0x3c, 0x86, - 0xa8, 0xfe, 0x27, 0x07, 0x0b, 0x89, 0xc5, 0x47, 0xf7, 0x20, 0xef, 0x52, 0x53, 0xc6, 0x3c, 0xf5, - 0x31, 0xbc, 0x43, 0xcd, 0xd8, 0x8d, 0xb9, 0xd1, 0xb0, 0x9e, 0xe7, 0x23, 0xdc, 0x22, 0xfa, 0xa1, - 0x02, 0x4b, 0x24, 0xc5, 0xaa, 0x60, 0x67, 0x61, 0x73, 0x77, 0xea, 0xfd, 0x7c, 0x76, 0x6e, 0x34, - 0xd1, 0x68, 0x58, 0x5f, 0xca, 0x4c, 0x66, 0x20, 0xd1, 0xe7, 0x21, 0x6f, 0xb9, 0x41, 0x5a, 0x97, - 0x9b, 0xcf, 0x70, 0x07, 0x5b, 0x1d, 0xff, 0x74, 0x58, 0x2f, 0xb5, 0x3a, 0xf2, 0x6e, 0x80, 0xb9, - 0x00, 0xfa, 0x26, 0x14, 0x5d, 0xea, 0x31, 0xbf, 0x5a, 0x10, 0x8c, 0x7c, 0x69, 0x5a, 0x1f, 0x79, - 0xa6, 0x99, 0x1d, 0xea, 0xb1, 0xb8, 0xe2, 0xf0, 0x27, 0x1f, 0x07, 0x66, 0xd5, 0x5f, 0x2b, 0xb0, - 0x94, 0x66, 0x2d, 0x9d, 0xb8, 0xca, 0xf9, 0x89, 0x1b, 0xed, 0x85, 0xdc, 0xc4, 0xbd, 0xd0, 0x84, - 0xfc, 0xc0, 0x32, 0xab, 0x79, 0x21, 0xf0, 0x82, 0x14, 0xc8, 0xbf, 0xd5, 0xda, 0x3e, 0x1d, 0xd6, - 0x9f, 0x9b, 0x74, 0x07, 0x66, 0x27, 0x2e, 0xf1, 0xb5, 0xb7, 0x5a, 0xdb, 0x98, 0x2b, 0xab, 0xbf, - 0x53, 0x60, 0x4e, 0x76, 0x39, 0x74, 0x0f, 0x0a, 0x86, 0x65, 0x7a, 0x32, 0x3b, 0x9e, 0xb0, 0xaf, - 0x46, 0x8e, 0xbe, 0xde, 0xda, 0xc6, 0x58, 0x18, 0x44, 0x6f, 0xc3, 0x2c, 0xb9, 0x6f, 0x10, 0x97, - 0xc9, 0x1d, 0xf0, 0x84, 0xa6, 0x97, 0xa4, 0xe9, 0xd9, 0x1d, 0x61, 0x0c, 
0x4b, 0xa3, 0x6a, 0x17, - 0x8a, 0x42, 0x00, 0x7d, 0x06, 0x72, 0x96, 0x2b, 0xdc, 0x2f, 0x37, 0x57, 0x47, 0xc3, 0x7a, 0xae, - 0xd5, 0x49, 0x93, 0x9f, 0xb3, 0x5c, 0x74, 0x1b, 0xca, 0xae, 0x47, 0xba, 0xd6, 0xfd, 0xbb, 0xc4, - 0xe9, 0xb1, 0x43, 0xb1, 0xbe, 0xc5, 0xb8, 0x37, 0x76, 0x12, 0x73, 0x38, 0x25, 0xa9, 0xbe, 0xa7, - 0x40, 0x29, 0x62, 0x9e, 0xf3, 0xc3, 0xc9, 0x16, 0x70, 0xc5, 0x38, 0x6c, 0x3e, 0x87, 0xc5, 0xcc, - 0x63, 0x30, 0x78, 0x1b, 0xe6, 0xc5, 0xdb, 0x07, 0x83, 0xda, 0x92, 0xc6, 0x1b, 0x61, 0xa7, 0xec, - 0xc8, 0xf1, 0xd3, 0xc4, 0x7f, 0x1c, 0x49, 0xab, 0xff, 0xce, 0xc3, 0x62, 0x9b, 0xb0, 0xef, 0x52, - 0xef, 0xa8, 0x43, 0x6d, 0xcb, 0x38, 0xb9, 0x82, 0x9a, 0xd6, 0x85, 0xa2, 0x37, 0xb0, 0x49, 0x58, - 0xc7, 0xb6, 0xa6, 0xde, 0x35, 0x49, 0x7f, 0xf1, 0xc0, 0x26, 0xf1, 0xee, 0xe1, 0x4f, 0x3e, 0x0e, - 0xcc, 0xa3, 0x57, 0x61, 0x59, 0x4f, 0xdd, 0x3b, 0x82, 0x1d, 0x5d, 0x12, 0x9c, 0x2e, 0xa7, 0xaf, - 0x24, 0x3e, 0xce, 0xca, 0xa2, 0x75, 0xbe, 0xa8, 0x16, 0xf5, 0x78, 0x0d, 0x2a, 0xac, 0x29, 0xeb, - 0x4a, 0xb3, 0x1c, 0x2c, 0x68, 0x30, 0x86, 0xa3, 0x59, 0x74, 0x13, 0xca, 0xcc, 0x22, 0x5e, 0x38, - 0x53, 0x2d, 0x0a, 0x2a, 0x2b, 0x3c, 0x0d, 0xf6, 0x13, 0xe3, 0x38, 0x25, 0x85, 0x7c, 0x28, 0xf9, - 0x74, 0xe0, 0x19, 0x04, 0x93, 0x6e, 0x75, 0x56, 0xac, 0xf4, 0x9d, 0x8b, 0x2d, 0x45, 0x54, 0xe3, - 0x16, 0x79, 0x35, 0xd8, 0x0b, 0x8d, 0xe3, 0x18, 0x47, 0xfd, 0xb3, 0x02, 0x2b, 0x29, 0xa5, 0x2b, - 0x38, 0x99, 0x1d, 0xa4, 0x4f, 0x66, 0xaf, 0x5e, 0x28, 0xc8, 0x09, 0x67, 0xb3, 0xef, 0xc1, 0xf5, - 0x94, 0x58, 0x9b, 0x9a, 0x64, 0x8f, 0xe9, 0x6c, 0xe0, 0xa3, 0x2f, 0xc0, 0xbc, 0x43, 0x4d, 0xd2, - 0x8e, 0x0f, 0x04, 0x91, 0xb3, 0x6d, 0x39, 0x8e, 0x23, 0x09, 0xb4, 0x09, 0x20, 0x5f, 0xe9, 0x59, - 0xd4, 0x11, 0x5b, 0x2e, 0x1f, 0xa7, 0xf3, 0x6e, 0x34, 0x83, 0x13, 0x52, 0xea, 0x1f, 0x72, 0x99, - 0x45, 0xed, 0x10, 0xe2, 0xa1, 0x5b, 0xb0, 0xa8, 0x27, 0x5e, 0x24, 0xf9, 0x55, 0x45, 0x24, 0xdf, - 0xca, 0x68, 0x58, 0x5f, 0x4c, 0xbe, 0x61, 0xf2, 0x71, 0x5a, 0x0e, 0x11, 0x98, 0xb7, 0x5c, 0x79, - 0x37, 0x09, 
0x96, 0xec, 0xd6, 0xf4, 0x85, 0x4e, 0xe8, 0xc7, 0x91, 0x46, 0x97, 0x92, 0xc8, 0x34, - 0xaa, 0x43, 0xb1, 0xfb, 0x1d, 0xd3, 0x09, 0x37, 0x45, 0x89, 0xaf, 0xe9, 0x9d, 0xaf, 0x6d, 0xb7, - 0x7d, 0x1c, 0x8c, 0x23, 0x06, 0xc0, 0xe8, 0x1e, 0xf1, 0x8e, 0x2d, 0x83, 0x84, 0x2d, 0xee, 0xab, - 0xd3, 0x7a, 0x22, 0xf5, 0x13, 0xfd, 0x37, 0x5c, 0xcc, 0xfd, 0xc8, 0x36, 0x4e, 0xe0, 0xf0, 0x2b, - 0xd2, 0x27, 0xce, 0x4e, 0x6b, 0xf4, 0x22, 0x14, 0x78, 0xdb, 0x91, 0x2c, 0x3e, 0x17, 0x16, 0xc2, - 0xfd, 0x13, 0x97, 0x9c, 0x0e, 0xeb, 0x69, 0x0a, 0xf8, 0x20, 0x16, 0xe2, 0x53, 0x9f, 0xf5, 0xa2, - 0x82, 0x9b, 0x3f, 0xaf, 0x65, 0x16, 0x2e, 0xd2, 0x32, 0x7f, 0x55, 0xcc, 0x64, 0x0d, 0x2f, 0x5e, - 0xe8, 0x15, 0x28, 0x99, 0x96, 0xc7, 0xaf, 0x8d, 0xd4, 0x91, 0x81, 0xd6, 0x42, 0x67, 0xb7, 0xc3, - 0x89, 0xd3, 0xe4, 0x03, 0x8e, 0x15, 0x90, 0x01, 0x85, 0xae, 0x47, 0xfb, 0xf2, 0xcc, 0x74, 0xb1, - 0xca, 0xca, 0x93, 0x38, 0x0e, 0xfe, 0x8e, 0x47, 0xfb, 0x58, 0x18, 0x47, 0x6f, 0x43, 0x8e, 0x51, - 0xb1, 0x38, 0x97, 0x02, 0x01, 0x12, 0x22, 0xb7, 0x4f, 0x71, 0x8e, 0x51, 0x9e, 0xfe, 0x7e, 0x3a, - 0xe9, 0x6e, 0x3d, 0x61, 0xd2, 0xc5, 0xe9, 0x1f, 0x65, 0x5a, 0x64, 0x9a, 0x97, 0x05, 0x37, 0x53, - 0xb0, 0xe3, 0x9e, 0x39, 0x56, 0xe2, 0xef, 0xc1, 0xac, 0x1e, 0x70, 0x32, 0x2b, 0x38, 0xf9, 0x0a, - 0x3f, 0x3f, 0x6c, 0x85, 0x64, 0x6c, 0x3c, 0xe2, 0x0b, 0x8d, 0x67, 0x46, 0xdf, 0x4b, 0x34, 0xce, - 0x70, 0xa0, 0x84, 0xa5, 0x39, 0xf4, 0x32, 0x2c, 0x12, 0x47, 0x3f, 0xb0, 0xc9, 0x5d, 0xda, 0xeb, - 0x59, 0x4e, 0xaf, 0x3a, 0xb7, 0xa6, 0xac, 0xcf, 0x37, 0xaf, 0x49, 0x5f, 0x16, 0x77, 0x92, 0x93, - 0x38, 0x2d, 0x7b, 0x56, 0x87, 0x9b, 0x9f, 0xa2, 0xc3, 0x85, 0x79, 0x5e, 0x9a, 0x94, 0xe7, 0xea, - 0xcf, 0xf3, 0x80, 0x52, 0x8c, 0xf1, 0x9a, 0xea, 0xf3, 0x53, 0xfa, 0xa2, 0x93, 0x1c, 0x96, 0x5d, - 0xe3, 0xb2, 0xfa, 0x57, 0x14, 0x7d, 0x7a, 0x3e, 0x8d, 0x89, 0x5c, 0x28, 0x33, 0x4f, 0xef, 0x76, - 0x2d, 0x43, 0x78, 0x25, 0x93, 0xfe, 0xa5, 0x47, 0xf8, 0x20, 0x3e, 0x5f, 0x69, 0x11, 0x1d, 0xfb, - 0x09, 0xed, 0xf8, 0xe4, 0x96, 0x1c, 0xc5, 0x29, 
0x04, 0xf4, 0xae, 0x02, 0x15, 0x7e, 0xb6, 0x48, - 0x8a, 0xc8, 0xcb, 0xef, 0x97, 0x1f, 0x1f, 0x16, 0x67, 0x2c, 0xc4, 0x37, 0xb1, 0xec, 0x0c, 0x1e, - 0x43, 0x53, 0xff, 0xae, 0xc0, 0xea, 0x18, 0x23, 0x83, 0xab, 0x78, 0x7f, 0x67, 0x43, 0x91, 0x77, - 0xc9, 0xb0, 0x27, 0xed, 0x5e, 0x88, 0xeb, 0xb8, 0x3f, 0xc7, 0x0d, 0x9d, 0x8f, 0xf9, 0x38, 0x00, - 0x51, 0x7f, 0x5f, 0x80, 0x4a, 0x28, 0xe4, 0xef, 0x0d, 0xfa, 0x7d, 0xdd, 0xbb, 0x8a, 0xb3, 0xe9, - 0x8f, 0x15, 0x58, 0x4e, 0x66, 0x99, 0x15, 0xc5, 0xdb, 0xbc, 0x50, 0xbc, 0x01, 0xd1, 0xd7, 0x25, - 0xf6, 0x72, 0x3b, 0x0d, 0x81, 0xb3, 0x98, 0xe8, 0x37, 0x0a, 0xdc, 0x08, 0x50, 0xe4, 0xcb, 0xda, - 0x8c, 0x86, 0xcc, 0xba, 0xcb, 0x70, 0xea, 0xb3, 0xd2, 0xa9, 0x1b, 0x5b, 0x8f, 0xc0, 0xc3, 0x8f, - 0xf4, 0x06, 0xfd, 0x52, 0x81, 0x6b, 0x81, 0x40, 0xd6, 0xcf, 0xc2, 0xa5, 0xf9, 0xf9, 0x69, 0xe9, - 0xe7, 0xb5, 0xad, 0xb3, 0x80, 0xf0, 0xd9, 0xf8, 0xaa, 0x0e, 0xe5, 0xe4, 0xeb, 0x86, 0xa7, 0xf1, - 0x6a, 0xe8, 0xb7, 0x0a, 0xcc, 0xc9, 0x06, 0x83, 0x6e, 0x26, 0x6e, 0x62, 0x01, 0x44, 0xf5, 0xfc, - 0x5b, 0x18, 0x6a, 0xcb, 0x3b, 0x60, 0xee, 0x9c, 0x9c, 0x1e, 0x30, 0xcb, 0xd6, 0x82, 0x0f, 0xcf, - 0x5a, 0xcb, 0x61, 0x6f, 0x7a, 0x7b, 0xcc, 0xb3, 0x9c, 0x5e, 0x73, 0x3e, 0x73, 0x63, 0xfc, 0x1c, - 0xcc, 0x11, 0x47, 0x5c, 0x2f, 0x45, 0x9b, 0x2e, 0x36, 0x17, 0x46, 0xc3, 0xfa, 0xdc, 0x4e, 0x30, - 0x84, 0xc3, 0x39, 0x95, 0x40, 0x25, 0x7b, 0x3c, 0x7b, 0x0a, 0xeb, 0xd3, 0x7c, 0xfe, 0xc1, 0xc3, - 0xda, 0xcc, 0xfb, 0x0f, 0x6b, 0x33, 0x1f, 0x3c, 0xac, 0xcd, 0xbc, 0x3b, 0xaa, 0x29, 0x0f, 0x46, - 0x35, 0xe5, 0xfd, 0x51, 0x4d, 0xf9, 0x60, 0x54, 0x53, 0xfe, 0x3a, 0xaa, 0x29, 0xbf, 0xf8, 0x5b, - 0x6d, 0xe6, 0xeb, 0x73, 0x92, 0xfa, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0xbe, 0xe6, 0x40, 0xcb, - 0xef, 0x20, 0x00, 0x00, + // 1926 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x59, 0xcd, 0x6f, 0x23, 0x49, + 0x15, 0x4f, 0xfb, 0x23, 0x89, 0x5f, 0x9c, 0xc4, 0xa9, 0xec, 0x30, 0x66, 0x19, 0xec, 0x6c, 0xf3, + 0xa1, 0x1c, 
0xd8, 0xf6, 0x26, 0xcc, 0xee, 0x0c, 0xec, 0x07, 0xc4, 0x93, 0x4c, 0x64, 0x69, 0xc6, + 0x6b, 0x2a, 0x59, 0x8d, 0x84, 0x58, 0xd8, 0x4e, 0x77, 0xd9, 0x69, 0x62, 0x77, 0x35, 0xdd, 0xe5, + 0x30, 0x11, 0x12, 0x5a, 0x04, 0x1c, 0x76, 0x41, 0x82, 0x1b, 0x67, 0x4e, 0x5c, 0xf8, 0x27, 0x38, + 0x20, 0x8d, 0x38, 0x2d, 0x42, 0x88, 0x3d, 0x59, 0x8c, 0x11, 0x20, 0x0e, 0xdc, 0x38, 0x65, 0x2f, + 0xa8, 0xaa, 0xab, 0x3f, 0x1d, 0x4f, 0xc6, 0x49, 0xc6, 0x48, 0xec, 0x9e, 0xec, 0xae, 0x7a, 0xef, + 0xfd, 0xde, 0xab, 0xf7, 0xea, 0x7d, 0x74, 0xc3, 0x1b, 0xba, 0xcd, 0x5c, 0xa2, 0x6b, 0x16, 0xad, + 0xf9, 0xff, 0x6a, 0xce, 0x51, 0xa7, 0xa6, 0x3b, 0x96, 0x57, 0x33, 0xa8, 0xcd, 0x5c, 0xda, 0x75, + 0xba, 0xba, 0x4d, 0x6a, 0xc7, 0x1b, 0x07, 0x84, 0xe9, 0x9b, 0xb5, 0x0e, 0xb1, 0x89, 0xab, 0x33, + 0x62, 0x6a, 0x8e, 0x4b, 0x19, 0x45, 0x9a, 0xcf, 0xf5, 0x1d, 0x8b, 0xca, 0x7f, 0x9a, 0x73, 0xd4, + 0xd1, 0x38, 0xbf, 0x16, 0xe7, 0xd7, 0x24, 0xff, 0xf3, 0xb7, 0xc7, 0xe3, 0x79, 0x4c, 0x67, 0x5e, + 0xed, 0x78, 0x43, 0xef, 0x3a, 0x87, 0xfa, 0x46, 0x1a, 0xe9, 0xf9, 0x17, 0x3b, 0x16, 0x3b, 0xec, + 0x1f, 0x68, 0x06, 0xed, 0xd5, 0x3a, 0xb4, 0x43, 0x6b, 0x62, 0xf9, 0xa0, 0xdf, 0x16, 0x4f, 0xe2, + 0x41, 0xfc, 0x93, 0xe4, 0x37, 0x8f, 0x6e, 0x7b, 0x02, 0xc5, 0xb1, 0x7a, 0xba, 0x71, 0x68, 0xd9, + 0xc4, 0x3d, 0x89, 0xb0, 0x7a, 0x84, 0xe9, 0xb5, 0xe3, 0x51, 0x90, 0xda, 0x38, 0x2e, 0xb7, 0x6f, + 0x33, 0xab, 0x47, 0x46, 0x18, 0x5e, 0x39, 0x8f, 0xc1, 0x33, 0x0e, 0x49, 0x4f, 0x1f, 0xe1, 0xfb, + 0xf2, 0x38, 0xbe, 0x3e, 0xb3, 0xba, 0x35, 0xcb, 0x66, 0x1e, 0x73, 0xd3, 0x4c, 0xea, 0x3f, 0x15, + 0x28, 0x6e, 0x99, 0xa6, 0x4b, 0x3c, 0x6f, 0xd7, 0xa5, 0x7d, 0x07, 0xbd, 0x03, 0xf3, 0xdc, 0x12, + 0x53, 0x67, 0x7a, 0x59, 0x59, 0x53, 0xd6, 0x17, 0x36, 0x5f, 0xd2, 0x7c, 0xc1, 0x5a, 0x5c, 0x70, + 0xe4, 0x13, 0x4e, 0xad, 0x1d, 0x6f, 0x68, 0x6f, 0x1e, 0x7c, 0x97, 0x18, 0xec, 0x3e, 0x61, 0x7a, + 0x1d, 0x3d, 0x1a, 0x54, 0x67, 0x86, 0x83, 0x2a, 0x44, 0x6b, 0x38, 0x94, 0x8a, 0xfa, 0x50, 0xec, + 0x70, 0xa8, 0xfb, 0xa4, 0x77, 0x40, 0x5c, 0xaf, 
0x9c, 0x59, 0xcb, 0xae, 0x2f, 0x6c, 0xbe, 0x3a, + 0xa1, 0xdb, 0xb5, 0xdd, 0x48, 0x46, 0xfd, 0x39, 0x09, 0x58, 0x8c, 0x2d, 0x7a, 0x38, 0x01, 0xa3, + 0xfe, 0x49, 0x81, 0x52, 0xdc, 0xd2, 0x7b, 0x96, 0xc7, 0xd0, 0xb7, 0x46, 0xac, 0xd5, 0x9e, 0xce, + 0x5a, 0xce, 0x2d, 0x6c, 0x2d, 0x49, 0xe8, 0xf9, 0x60, 0x25, 0x66, 0xa9, 0x0e, 0x79, 0x8b, 0x91, + 0x5e, 0x60, 0xe2, 0x6b, 0x93, 0x9a, 0x18, 0x57, 0xb7, 0xbe, 0x28, 0x81, 0xf2, 0x0d, 0x2e, 0x12, + 0xfb, 0x92, 0xd5, 0xf7, 0xb2, 0xb0, 0x12, 0x27, 0x6b, 0xe9, 0xcc, 0x38, 0x9c, 0x82, 0x13, 0x7f, + 0xa2, 0xc0, 0x8a, 0x6e, 0x9a, 0xc4, 0xdc, 0xbd, 0x62, 0x57, 0x7e, 0x5a, 0xc2, 0x72, 0xab, 0x92, + 0xd2, 0xf1, 0x28, 0x20, 0x7a, 0x5f, 0x81, 0x55, 0x97, 0xf4, 0xe8, 0x71, 0x4a, 0x91, 0xec, 0xe5, + 0x15, 0xf9, 0x8c, 0x54, 0x64, 0x15, 0x8f, 0xca, 0xc7, 0x67, 0x81, 0xaa, 0xff, 0x52, 0x60, 0x69, + 0xcb, 0x71, 0xba, 0x16, 0x31, 0xf7, 0xe9, 0xff, 0xf9, 0x6d, 0xfa, 0x8b, 0x02, 0x28, 0x69, 0xeb, + 0x14, 0xee, 0x93, 0x91, 0xbc, 0x4f, 0x6f, 0x4c, 0x7c, 0x9f, 0x12, 0x0a, 0x8f, 0xb9, 0x51, 0x3f, + 0xcb, 0xc2, 0x6a, 0x92, 0xf0, 0x93, 0x3b, 0xf5, 0xbf, 0xbb, 0x53, 0x1f, 0x65, 0x60, 0xf5, 0x4e, + 0xb7, 0xef, 0x31, 0xe2, 0x26, 0x94, 0x7c, 0xf6, 0xde, 0xf8, 0x91, 0x02, 0x25, 0xd2, 0x6e, 0x13, + 0x83, 0x59, 0xc7, 0xe4, 0x0a, 0x9d, 0x51, 0x96, 0xa8, 0xa5, 0x9d, 0x94, 0x70, 0x3c, 0x02, 0x87, + 0x7e, 0x08, 0x2b, 0xe1, 0x5a, 0xa3, 0x55, 0xef, 0x52, 0xe3, 0x28, 0xf0, 0xc3, 0xcb, 0x93, 0xea, + 0xd0, 0x68, 0x35, 0x09, 0x8b, 0x42, 0x61, 0x27, 0x2d, 0x17, 0x8f, 0x42, 0xa9, 0xff, 0x50, 0x60, + 0x61, 0xa7, 0xf3, 0x31, 0x68, 0x0e, 0xfe, 0xa8, 0xc0, 0x72, 0xcc, 0xd0, 0x29, 0xe4, 0xb2, 0x77, + 0x92, 0xb9, 0x6c, 0x62, 0x0b, 0x63, 0xda, 0x8e, 0x49, 0x64, 0x3f, 0xcf, 0x42, 0x29, 0x46, 0xe5, + 0x67, 0x31, 0x13, 0x80, 0x86, 0xe7, 0x7e, 0xa5, 0x3e, 0x8c, 0xc9, 0xfd, 0x24, 0x93, 0x9d, 0x91, + 0xc9, 0xba, 0x70, 0x7d, 0xe7, 0x21, 0x23, 0xae, 0xad, 0x77, 0x77, 0x6c, 0x66, 0xb1, 0x13, 0x4c, + 0xda, 0xc4, 0x25, 0xb6, 0x41, 0xd0, 0x1a, 0xe4, 0x6c, 0xbd, 0x47, 0x84, 0x3b, 0x0a, 
0xf5, 0xa2, + 0x14, 0x9d, 0x6b, 0xea, 0x3d, 0x82, 0xc5, 0x0e, 0xaa, 0x41, 0x81, 0xff, 0x7a, 0x8e, 0x6e, 0x90, + 0x72, 0x46, 0x90, 0xad, 0x48, 0xb2, 0x42, 0x33, 0xd8, 0xc0, 0x11, 0x8d, 0xfa, 0x91, 0x02, 0x25, + 0x01, 0xbf, 0xe5, 0x79, 0xd4, 0xb0, 0x74, 0x66, 0x51, 0x7b, 0x3a, 0x25, 0xac, 0xa4, 0x4b, 0x44, + 0x69, 0xff, 0x85, 0xab, 0xb5, 0xe0, 0x0e, 0x0f, 0x29, 0xca, 0x9b, 0x5b, 0x29, 0xf9, 0x78, 0x04, + 0x51, 0xfd, 0x4f, 0x06, 0x16, 0x62, 0x87, 0x8f, 0x1e, 0x40, 0xd6, 0xa1, 0xa6, 0xb4, 0x79, 0xe2, + 0x36, 0xbc, 0x45, 0xcd, 0x48, 0x8d, 0xb9, 0xe1, 0xa0, 0x9a, 0xe5, 0x2b, 0x5c, 0x22, 0xfa, 0xb1, + 0x02, 0x4b, 0x24, 0xe1, 0x55, 0xe1, 0x9d, 0x85, 0xcd, 0xdd, 0x89, 0xef, 0xf3, 0xd9, 0xb1, 0x51, + 0x47, 0xc3, 0x41, 0x75, 0x29, 0xb5, 0x99, 0x82, 0x44, 0x5f, 0x84, 0xac, 0xe5, 0xf8, 0x61, 0x5d, + 0xac, 0x3f, 0xc7, 0x15, 0x6c, 0xb4, 0xbc, 0xd3, 0x41, 0xb5, 0xd0, 0x68, 0xc9, 0xd9, 0x00, 0x73, + 0x02, 0xf4, 0x6d, 0xc8, 0x3b, 0xd4, 0x65, 0x5e, 0x39, 0x27, 0x3c, 0xf2, 0x95, 0x49, 0x75, 0xe4, + 0x91, 0x66, 0xb6, 0xa8, 0xcb, 0xa2, 0x8c, 0xc3, 0x9f, 0x3c, 0xec, 0x8b, 0x55, 0x7f, 0xa3, 0xc0, + 0x52, 0xd2, 0x6b, 0xc9, 0xc0, 0x55, 0xce, 0x0f, 0xdc, 0xf0, 0x2e, 0x64, 0xc6, 0xde, 0x85, 0x3a, + 0x64, 0xfb, 0x96, 0x59, 0xce, 0x0a, 0x82, 0x97, 0x24, 0x41, 0xf6, 0xad, 0xc6, 0xf6, 0xe9, 0xa0, + 0xfa, 0xc2, 0xb8, 0x19, 0x98, 0x9d, 0x38, 0xc4, 0xd3, 0xde, 0x6a, 0x6c, 0x63, 0xce, 0xac, 0xfe, + 0x4e, 0x81, 0x39, 0x59, 0xe5, 0xd0, 0x03, 0xc8, 0x19, 0x96, 0xe9, 0xca, 0xe8, 0xb8, 0x60, 0x5d, + 0x0d, 0x15, 0xbd, 0xd3, 0xd8, 0xc6, 0x58, 0x08, 0x44, 0x6f, 0xc3, 0x2c, 0x79, 0x68, 0x10, 0x87, + 0xc9, 0x1b, 0x70, 0x41, 0xd1, 0x4b, 0x52, 0xf4, 0xec, 0x8e, 0x10, 0x86, 0xa5, 0x50, 0xb5, 0x0d, + 0x79, 0x41, 0x80, 0x3e, 0x07, 0x19, 0xcb, 0x11, 0xea, 0x17, 0xeb, 0xab, 0xc3, 0x41, 0x35, 0xd3, + 0x68, 0x25, 0x9d, 0x9f, 0xb1, 0x1c, 0x74, 0x1b, 0x8a, 0x8e, 0x4b, 0xda, 0xd6, 0xc3, 0x7b, 0xc4, + 0xee, 0xb0, 0x43, 0x71, 0xbe, 0xf9, 0xa8, 0x36, 0xb6, 0x62, 0x7b, 0x38, 0x41, 0xa9, 0xbe, 0xa7, + 0x40, 0x21, 0xf4, 0x3c, 
0xf7, 0x0f, 0x77, 0xb6, 0x80, 0xcb, 0x47, 0x66, 0xf3, 0x3d, 0x2c, 0x76, + 0x9e, 0xc2, 0x83, 0xb7, 0x61, 0x5e, 0xbc, 0x7d, 0x30, 0x68, 0x57, 0xba, 0xf1, 0x46, 0x50, 0x29, + 0x5b, 0x72, 0xfd, 0x34, 0xf6, 0x1f, 0x87, 0xd4, 0xea, 0xbf, 0xb3, 0xb0, 0xd8, 0x24, 0xec, 0xfb, + 0xd4, 0x3d, 0x6a, 0xd1, 0xae, 0x65, 0x9c, 0x4c, 0x21, 0xa7, 0xb5, 0x21, 0xef, 0xf6, 0xbb, 0x24, + 0xc8, 0x63, 0x5b, 0x13, 0xdf, 0x9a, 0xb8, 0xbe, 0xb8, 0xdf, 0x25, 0xd1, 0xed, 0xe1, 0x4f, 0x1e, + 0xf6, 0xc5, 0xa3, 0xd7, 0x61, 0x59, 0x4f, 0xcc, 0x1d, 0xfe, 0x8d, 0x2e, 0x08, 0x9f, 0x2e, 0x27, + 0x47, 0x12, 0x0f, 0xa7, 0x69, 0xd1, 0x3a, 0x3f, 0x54, 0x8b, 0xba, 0x3c, 0x07, 0xe5, 0xd6, 0x94, + 0x75, 0xa5, 0x5e, 0xf4, 0x0f, 0xd4, 0x5f, 0xc3, 0xe1, 0x2e, 0xba, 0x09, 0x45, 0x66, 0x11, 0x37, + 0xd8, 0x29, 0xe7, 0x85, 0x2b, 0x4b, 0x3c, 0x0c, 0xf6, 0x63, 0xeb, 0x38, 0x41, 0x85, 0x3c, 0x28, + 0x78, 0xb4, 0xef, 0x1a, 0x04, 0x93, 0x76, 0x79, 0x56, 0x9c, 0xf4, 0xdd, 0xcb, 0x1d, 0x45, 0x98, + 0xe3, 0x16, 0x79, 0x36, 0xd8, 0x0b, 0x84, 0xe3, 0x08, 0x47, 0xfd, 0xb3, 0x02, 0x2b, 0x09, 0xa6, + 0x29, 0x74, 0x66, 0x07, 0xc9, 0xce, 0xec, 0xf5, 0x4b, 0x19, 0x39, 0xa6, 0x37, 0xfb, 0x01, 0x5c, + 0x4f, 0x90, 0x35, 0xa9, 0x49, 0xf6, 0x98, 0xce, 0xfa, 0x1e, 0xfa, 0x12, 0xcc, 0xdb, 0xd4, 0x24, + 0xcd, 0xa8, 0x21, 0x08, 0x95, 0x6d, 0xca, 0x75, 0x1c, 0x52, 0xa0, 0x4d, 0x00, 0xf9, 0x4a, 0xcf, + 0xa2, 0xb6, 0xb8, 0x72, 0xd9, 0x28, 0x9c, 0x77, 0xc3, 0x1d, 0x1c, 0xa3, 0x52, 0xff, 0x90, 0x49, + 0x1d, 0x6a, 0x8b, 0x10, 0x17, 0xdd, 0x82, 0x45, 0x3d, 0xf6, 0x22, 0xc9, 0x2b, 0x2b, 0x22, 0xf8, + 0x56, 0x86, 0x83, 0xea, 0x62, 0xfc, 0x0d, 0x93, 0x87, 0x93, 0x74, 0x88, 0xc0, 0xbc, 0xe5, 0xc8, + 0xd9, 0xc4, 0x3f, 0xb2, 0x5b, 0x93, 0x27, 0x3a, 0xc1, 0x1f, 0x59, 0x1a, 0x0e, 0x25, 0xa1, 0x68, + 0x54, 0x85, 0x7c, 0xfb, 0x7b, 0xa6, 0x1d, 0x5c, 0x8a, 0x02, 0x3f, 0xd3, 0xbb, 0xdf, 0xd8, 0x6e, + 0x7a, 0xd8, 0x5f, 0x47, 0x0c, 0x80, 0xd1, 0x3d, 0xe2, 0x1e, 0x5b, 0x06, 0x09, 0x4a, 0xdc, 0xd7, + 0x27, 0xd5, 0x44, 0xf2, 0xc7, 0xea, 0x6f, 0x70, 0x98, 0xfb, 
0xa1, 0x6c, 0x1c, 0xc3, 0xe1, 0x23, + 0xd2, 0xa7, 0xce, 0x0e, 0x6b, 0xf4, 0x32, 0xe4, 0x78, 0xd9, 0x91, 0x5e, 0x7c, 0x21, 0x48, 0x84, + 0xfb, 0x27, 0x0e, 0x39, 0x1d, 0x54, 0x93, 0x2e, 0xe0, 0x8b, 0x58, 0x90, 0x4f, 0xdc, 0xeb, 0x85, + 0x09, 0x37, 0x7b, 0x5e, 0xc9, 0xcc, 0x5d, 0xa6, 0x64, 0xfe, 0x3a, 0x9f, 0x8a, 0x1a, 0x9e, 0xbc, + 0xd0, 0x6b, 0x50, 0x30, 0x2d, 0x97, 0x8f, 0x8d, 0xd4, 0x96, 0x86, 0x56, 0x02, 0x65, 0xb7, 0x83, + 0x8d, 0xd3, 0xf8, 0x03, 0x8e, 0x18, 0x90, 0x01, 0xb9, 0xb6, 0x4b, 0x7b, 0xb2, 0x67, 0xba, 0x5c, + 0x66, 0xe5, 0x41, 0x1c, 0x19, 0x7f, 0xd7, 0xa5, 0x3d, 0x2c, 0x84, 0xa3, 0xb7, 0x21, 0xc3, 0xa8, + 0x38, 0x9c, 0x2b, 0x81, 0x00, 0x09, 0x91, 0xd9, 0xa7, 0x38, 0xc3, 0x28, 0x0f, 0x7f, 0x2f, 0x19, + 0x74, 0xb7, 0x2e, 0x18, 0x74, 0x51, 0xf8, 0x87, 0x91, 0x16, 0x8a, 0xe6, 0x69, 0xc1, 0x49, 0x25, + 0xec, 0xa8, 0x66, 0x8e, 0xa4, 0xf8, 0x07, 0x30, 0xab, 0xfb, 0x3e, 0x99, 0x15, 0x3e, 0xf9, 0x1a, + 0xef, 0x1f, 0xb6, 0x02, 0x67, 0x6c, 0x3c, 0xe1, 0x0b, 0x8d, 0x6b, 0x86, 0xdf, 0x4b, 0x34, 0xee, + 0x61, 0x9f, 0x09, 0x4b, 0x71, 0xe8, 0x55, 0x58, 0x24, 0xb6, 0x7e, 0xd0, 0x25, 0xf7, 0x68, 0xa7, + 0x63, 0xd9, 0x9d, 0xf2, 0xdc, 0x9a, 0xb2, 0x3e, 0x5f, 0xbf, 0x26, 0x75, 0x59, 0xdc, 0x89, 0x6f, + 0xe2, 0x24, 0xed, 0x59, 0x15, 0x6e, 0x7e, 0x82, 0x0a, 0x17, 0xc4, 0x79, 0x61, 0x5c, 0x9c, 0xab, + 0xbf, 0xc8, 0x02, 0x4a, 0x78, 0x8c, 0xe7, 0x54, 0x8f, 0x77, 0xe9, 0x8b, 0x76, 0x7c, 0x59, 0x56, + 0x8d, 0xab, 0xaa, 0x5f, 0xa1, 0xf5, 0xc9, 0xfd, 0x24, 0x26, 0x72, 0xa0, 0xc8, 0x5c, 0xbd, 0xdd, + 0xb6, 0x0c, 0xa1, 0x95, 0x0c, 0xfa, 0x57, 0x9e, 0xa0, 0x83, 0xf8, 0x7c, 0xa5, 0x85, 0xee, 0xd8, + 0x8f, 0x71, 0x47, 0x9d, 0x5b, 0x7c, 0x15, 0x27, 0x10, 0xd0, 0xbb, 0x0a, 0x94, 0x78, 0x6f, 0x11, + 0x27, 0x91, 0xc3, 0xef, 0x57, 0x9f, 0x1e, 0x16, 0xa7, 0x24, 0x44, 0x93, 0x58, 0x7a, 0x07, 0x8f, + 0xa0, 0xa9, 0x7f, 0x57, 0x60, 0x75, 0xc4, 0x23, 0xfd, 0x69, 0xbc, 0xbf, 0xeb, 0x42, 0x9e, 0x57, + 0xc9, 0xa0, 0x26, 0xed, 0x5e, 0xca, 0xd7, 0x51, 0x7d, 0x8e, 0x0a, 0x3a, 0x5f, 0xf3, 0xb0, 0x0f, + 
0xa2, 0xfe, 0x3e, 0x07, 0xa5, 0x80, 0xc8, 0xdb, 0xeb, 0xf7, 0x7a, 0xba, 0x3b, 0x8d, 0xde, 0xf4, + 0xa7, 0x0a, 0x2c, 0xc7, 0xa3, 0xcc, 0x0a, 0xed, 0xad, 0x5f, 0xca, 0x5e, 0xdf, 0xd1, 0xd7, 0x25, + 0xf6, 0x72, 0x33, 0x09, 0x81, 0xd3, 0x98, 0xe8, 0xb7, 0x0a, 0xdc, 0xf0, 0x51, 0xe4, 0xcb, 0xda, + 0x14, 0x87, 0x8c, 0xba, 0xab, 0x50, 0xea, 0xf3, 0x52, 0xa9, 0x1b, 0x5b, 0x4f, 0xc0, 0xc3, 0x4f, + 0xd4, 0x06, 0xfd, 0x4a, 0x81, 0x6b, 0x3e, 0x41, 0x5a, 0xcf, 0xdc, 0x95, 0xe9, 0xf9, 0x59, 0xa9, + 0xe7, 0xb5, 0xad, 0xb3, 0x80, 0xf0, 0xd9, 0xf8, 0xaa, 0x0e, 0xc5, 0xf8, 0xeb, 0x86, 0x67, 0xf1, + 0x6a, 0xe8, 0xfd, 0x0c, 0xcc, 0xc9, 0x02, 0x83, 0x6e, 0xc6, 0x26, 0x31, 0x1f, 0xa2, 0x7c, 0xfe, + 0x14, 0x86, 0x9a, 0x72, 0x06, 0xcc, 0x9c, 0x13, 0xd3, 0x7d, 0x66, 0x75, 0x35, 0xff, 0xc3, 0xb3, + 0xd6, 0xb0, 0xd9, 0x9b, 0xee, 0x1e, 0x73, 0x2d, 0xbb, 0x53, 0x9f, 0x4f, 0x4d, 0x8c, 0x5f, 0x80, + 0x39, 0x62, 0x8b, 0xf1, 0x52, 0x94, 0xe9, 0x7c, 0x7d, 0x61, 0x38, 0xa8, 0xce, 0xed, 0xf8, 0x4b, + 0x38, 0xd8, 0xe3, 0x13, 0x8e, 0x65, 0xf4, 0x1c, 0xde, 0x2a, 0x89, 0x56, 0x26, 0xef, 0x4f, 0x38, + 0x8d, 0x3b, 0xf7, 0x5b, 0xa2, 0x7d, 0x0a, 0x77, 0x03, 0xca, 0x3b, 0xd4, 0x24, 0xb2, 0x58, 0x86, + 0x94, 0x7c, 0x0d, 0x87, 0xbb, 0x2a, 0x81, 0x52, 0xba, 0xe5, 0x7b, 0x06, 0x67, 0x5e, 0x7f, 0xf1, + 0xd1, 0xe3, 0xca, 0xcc, 0x07, 0x8f, 0x2b, 0x33, 0x1f, 0x3e, 0xae, 0xcc, 0xbc, 0x3b, 0xac, 0x28, + 0x8f, 0x86, 0x15, 0xe5, 0x83, 0x61, 0x45, 0xf9, 0x70, 0x58, 0x51, 0xfe, 0x3a, 0xac, 0x28, 0xbf, + 0xfc, 0x5b, 0x65, 0xe6, 0x9b, 0x73, 0x32, 0x9c, 0xfe, 0x1b, 0x00, 0x00, 0xff, 0xff, 0xe4, 0x1c, + 0xc9, 0xcd, 0x43, 0x21, 0x00, 0x00, } func (m *AddressGroup) Marshal() (dAtA []byte, err error) { 
@@ -2443,6 +2445,16 @@ func (m *Service) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + if m.ICMPCode != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.ICMPCode)) + i-- + dAtA[i] = 0x28 + } + if m.ICMPType != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.ICMPType)) + i-- + dAtA[i] = 0x20 + } if m.EndPort != nil { i = encodeVarintGenerated(dAtA, i, uint64(*m.EndPort)) i-- @@ -3069,6 +3081,12 @@ func (m *Service) Size() (n int) { if m.EndPort != nil { n += 1 + sovGenerated(uint64(*m.EndPort)) } + if m.ICMPType != nil { + n += 1 + sovGenerated(uint64(*m.ICMPType)) + } + if m.ICMPCode != nil { + n += 1 + sovGenerated(uint64(*m.ICMPCode)) + } return n } @@ -3557,6 +3575,8 @@ func (this *Service) String() string { `Protocol:` + valueToStringGenerated(this.Protocol) + `,`, `Port:` + strings.Replace(fmt.Sprintf("%v", this.Port), "IntOrString", "intstr.IntOrString", 1) + `,`, `EndPort:` + valueToStringGenerated(this.EndPort) + `,`, + `ICMPType:` + valueToStringGenerated(this.ICMPType) + `,`, + `ICMPCode:` + valueToStringGenerated(this.ICMPCode) + `,`, `}`, }, "") return s 
@@ -7601,6 +7621,46 @@ func (m *Service) Unmarshal(dAtA []byte) error { } } m.EndPort = &v + case 4: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field ICMPType", wireType) + } + var v int32 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int32(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.ICMPType = &v + case 5: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field ICMPCode", wireType) + } + var v int32 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int32(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.ICMPCode = &v default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) diff --git a/pkg/apis/controlplane/v1beta2/generated.proto b/pkg/apis/controlplane/v1beta2/generated.proto index 497c46b9337..93098f7e54e 100644 --- a/pkg/apis/controlplane/v1beta2/generated.proto +++ b/pkg/apis/controlplane/v1beta2/generated.proto @@ -1,4 +1,4 @@ -// Copyright 2021 Antrea Authors +// Copyright 2022 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -348,6 +348,10 @@ message Service { // It can only be specified when a numerical `port` is specified. // +optional optional int32 endPort = 3; + + optional int32 icmpType = 4; + + optional int32 icmpCode = 5; } // ServiceReference represents reference to a v1.Service. diff --git a/pkg/apis/controlplane/v1beta2/types.go b/pkg/apis/controlplane/v1beta2/types.go index ec15a700e03..876be2b5613 100644 --- a/pkg/apis/controlplane/v1beta2/types.go +++ b/pkg/apis/controlplane/v1beta2/types.go 
@@ -245,21 +245,30 @@ const (
 ProtocolUDP Protocol = "UDP"
 // ProtocolSCTP is the SCTP protocol.
 ProtocolSCTP Protocol = "SCTP"
+ // ProtocolICMP is the ICMP protocol.
+ ProtocolICMP Protocol = "ICMP"
 )
 
 // Service describes a port to allow traffic on.
 type Service struct {
- // The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this
+ // The protocol (TCP, UDP, SCTP, or ICMP) which traffic must match. If not specified, this
 // field defaults to TCP.
 // +optional
 Protocol *Protocol `json:"protocol,omitempty" protobuf:"bytes,1,opt,name=protocol"`
- // The port name or number on the given protocol. If not specified, this matches all port numbers.
+ // Port and EndPort can only be specified, when the Protocol is TCP, UDP, or SCTP.
+ // Port defines the port name or number on the given protocol. If not specified
+ // and the Protocol is TCP, UDP, or SCTP, this matches all port numbers.
 // +optional
 Port *intstr.IntOrString `json:"port,omitempty" protobuf:"bytes,2,opt,name=port"`
 // EndPort defines the end of the port range, being the end included within the range.
 // It can only be specified when a numerical `port` is specified.
 // +optional
 EndPort *int32 `json:"endPort,omitempty" protobuf:"bytes,3,opt,name=endPort"`
+ // ICMPType and ICMPCode can only be specified, when the Protocol is ICMP. If they
+ // both are not specified and the Protocol is ICMP, this matches all ICMP traffic.
+ // +optional
+ ICMPType *int32 `json:"icmpType,omitempty" protobuf:"bytes,4,opt,name=icmpType"`
+ ICMPCode *int32 `json:"icmpCode,omitempty" protobuf:"bytes,5,opt,name=icmpCode"`
 }
 
 // NetworkPolicyPeer describes a peer of NetworkPolicyRules.
diff --git a/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go b/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go
index 351f9e867fc..a2c8ca4b84e 100644
--- a/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go
+++ b/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go
@@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Copyright 2021 Antrea Authors +// Copyright 2022 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -1037,6 +1037,8 @@ func autoConvert_v1beta2_Service_To_controlplane_Service(in *Service, out *contr out.Protocol = (*controlplane.Protocol)(unsafe.Pointer(in.Protocol)) out.Port = (*intstr.IntOrString)(unsafe.Pointer(in.Port)) out.EndPort = (*int32)(unsafe.Pointer(in.EndPort)) + out.ICMPType = (*int32)(unsafe.Pointer(in.ICMPType)) + out.ICMPCode = (*int32)(unsafe.Pointer(in.ICMPCode)) return nil } @@ -1049,6 +1051,8 @@ func autoConvert_controlplane_Service_To_v1beta2_Service(in *controlplane.Servic out.Protocol = (*Protocol)(unsafe.Pointer(in.Protocol)) out.Port = (*intstr.IntOrString)(unsafe.Pointer(in.Port)) out.EndPort = (*int32)(unsafe.Pointer(in.EndPort)) + out.ICMPType = (*int32)(unsafe.Pointer(in.ICMPType)) + out.ICMPCode = (*int32)(unsafe.Pointer(in.ICMPCode)) return nil } diff --git a/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go b/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go index 17c4b00a365..51fcf47241a 100644 --- a/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go +++ b/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Copyright 2021 Antrea Authors +// Copyright 2022 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -896,6 +896,16 @@ func (in *Service) DeepCopyInto(out *Service) { *out = new(int32) **out = **in } + if in.ICMPType != nil { + in, out := &in.ICMPType, &out.ICMPType + *out = new(int32) + **out = **in + } + if in.ICMPCode != nil { + in, out := &in.ICMPCode, &out.ICMPCode + *out = new(int32) + **out = **in + } return } 
diff --git a/pkg/apis/controlplane/zz_generated.deepcopy.go b/pkg/apis/controlplane/zz_generated.deepcopy.go index 829e0756c2b..5a764620fa5 100644 --- a/pkg/apis/controlplane/zz_generated.deepcopy.go +++ b/pkg/apis/controlplane/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Copyright 2021 Antrea Authors +// Copyright 2022 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -896,6 +896,16 @@ func (in *Service) DeepCopyInto(out *Service) { *out = new(int32) **out = **in } + if in.ICMPType != nil { + in, out := &in.ICMPType, &out.ICMPType + *out = new(int32) + **out = **in + } + if in.ICMPCode != nil { + in, out := &in.ICMPCode, &out.ICMPCode + *out = new(int32) + **out = **in + } return } diff --git a/pkg/apis/crd/v1alpha2/register.go b/pkg/apis/crd/v1alpha2/register.go index 6de40e17e8c..5c464a1a7b7 100644 --- a/pkg/apis/crd/v1alpha2/register.go +++ b/pkg/apis/crd/v1alpha2/register.go @@ -54,6 +54,10 @@ func addKnownTypes(scheme *runtime.Scheme) error { &ExternalIPPoolList{}, &IPPool{}, &IPPoolList{}, + &ClusterNetworkPolicy{}, + &ClusterNetworkPolicyList{}, + &NetworkPolicy{}, + &NetworkPolicyList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) diff --git a/pkg/apis/crd/v1alpha2/types.go b/pkg/apis/crd/v1alpha2/types.go index 0b04bc13ae7..e142927ffd8 100644 --- a/pkg/apis/crd/v1alpha2/types.go +++ b/pkg/apis/crd/v1alpha2/types.go @@ -17,6 +17,7 @@ package v1alpha2 import ( v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) 
@@ -379,3 +380,187 @@ type IPPoolList struct { Items []IPPool `json:"items"` } + +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +type NetworkPolicy struct { + metav1.TypeMeta `json:",inline"` + // Standard metadata of the object. + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Specification of the desired behavior of NetworkPolicy. + Spec NetworkPolicySpec `json:"spec"` + // Most recently observed status of the NetworkPolicy. + Status NetworkPolicyStatus `json:"status"` +} + +// NetworkPolicySpec defines the desired state for NetworkPolicy. +type NetworkPolicySpec struct { + // Tier specifies the tier to which this NetworkPolicy belongs to. + // The NetworkPolicy order will be determined based on the combination of the + // Tier's Priority and the NetworkPolicy's own Priority. If not specified, + // this policy will be created in the Application Tier right above the K8s + // NetworkPolicy which resides at the bottom. + Tier string `json:"tier,omitempty"` + // Priority specfies the order of the NetworkPolicy relative to other + // NetworkPolicies. + Priority float64 `json:"priority"` + // Select workloads on which the rules will be applied to. Cannot be set in + // conjunction with AppliedTo in each rule. + // +optional + AppliedTo []v1alpha1.NetworkPolicyPeer `json:"appliedTo,omitempty"` + // Set of ingress rules evaluated based on the order in which they are set. + // Currently Ingress rule supports setting the `From` field but not the `To` + // field within a Rule. + // +optional + Ingress []Rule `json:"ingress"` + // Set of egress rules evaluated based on the order in which they are set. + // Currently Egress rule supports setting the `To` field but not the `From` + // field within a Rule. + // +optional + Egress []Rule `json:"egress"` +} + +// NetworkPolicyStatus represents information about the status of a NetworkPolicy. 
+type NetworkPolicyStatus struct { + // The phase of a NetworkPolicy is a simple, high-level summary of the NetworkPolicy's status. + Phase v1alpha1.NetworkPolicyPhase `json:"phase"` + // The generation observed by Antrea. + ObservedGeneration int64 `json:"observedGeneration"` + // The number of nodes that have realized the NetworkPolicy. + CurrentNodesRealized int32 `json:"currentNodesRealized"` + // The total number of nodes that should realize the NetworkPolicy. + DesiredNodesRealized int32 `json:"desiredNodesRealized"` +} + +// Rule describes the traffic allowed to/from the workloads selected by +// Spec.AppliedTo. Based on the action specified in the rule, traffic is either +// allowed or denied which exactly match the specified ports and protocol. +type Rule struct { + // Action specifies the action to be applied on the rule. + Action *v1alpha1.RuleAction `json:"action"` + // Set of protocol with its specific spec allowed/denied by the rule. If this field + // is unset or empty, this rule match all protocols supported in PeerProtocol. + // +optional + Protocols []PeerProtocol `json:"protocols,omitempty"` + // Rule is matched if traffic originates from workloads selected by + // this field. If this field is empty, this rule matches all sources. + // +optional + From []v1alpha1.NetworkPolicyPeer `json:"from"` + // Rule is matched if traffic is intended for workloads selected by + // this field. This field can't be used with ToServices. If this field + // and ToServices are both empty or missing this rule matches all destinations. + // +optional + To []v1alpha1.NetworkPolicyPeer `json:"to"` + // Rule is matched if traffic is intended for a Service listed in this field. + // Currently only ClusterIP types Services are supported in this field. This field + // can only be used when AntreaProxy is enabled. This field can't be used with To + // or Ports. If this field and To are both empty or missing, this rule matches all + // destinations. 
+ // +optional + ToServices []v1alpha1.NamespacedName `json:"toServices,omitempty"` + // Name describes the intention of this rule. + // Name should be unique within the policy. + // +optional + Name string `json:"name"` + // EnableLogging is used to indicate if agent should generate logs + // when rules are matched. Should be default to false. + EnableLogging bool `json:"enableLogging"` + // Select workloads on which this rule will be applied to. Cannot be set in + // conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + // +optional + AppliedTo []v1alpha1.NetworkPolicyPeer `json:"appliedTo,omitempty"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +type NetworkPolicyList struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ListMeta `json:"metadata,omitempty"` + + Items []NetworkPolicy `json:"items"` +} + +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +type ClusterNetworkPolicy struct { + metav1.TypeMeta `json:",inline"` + // Standard metadata of the object. + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Specification of the desired behavior of ClusterNetworkPolicy. + Spec ClusterNetworkPolicySpec `json:"spec"` + // Most recently observed status of the NetworkPolicy. + Status NetworkPolicyStatus `json:"status"` +} + +// ClusterNetworkPolicySpec defines the desired state for ClusterNetworkPolicy. +type ClusterNetworkPolicySpec struct { + // Tier specifies the tier to which this ClusterNetworkPolicy belongs to. + // The ClusterNetworkPolicy order will be determined based on the + // combination of the Tier's Priority and the ClusterNetworkPolicy's own + // Priority. If not specified, this policy will be created in the Application + // Tier right above the K8s NetworkPolicy which resides at the bottom. 
+ Tier string `json:"tier,omitempty"` + // Priority specfies the order of the ClusterNetworkPolicy relative to + // other AntreaClusterNetworkPolicies. + Priority float64 `json:"priority"` + // Select workloads on which the rules will be applied to. Cannot be set in + // conjunction with AppliedTo in each rule. + // +optional + AppliedTo []v1alpha1.NetworkPolicyPeer `json:"appliedTo,omitempty"` + // Set of ingress rules evaluated based on the order in which they are set. + // Currently Ingress rule supports setting the `From` field but not the `To` + // field within a Rule. + // +optional + Ingress []Rule `json:"ingress"` + // Set of egress rules evaluated based on the order in which they are set. + // Currently Egress rule supports setting the `To` field but not the `From` + // field within a Rule. + // +optional + Egress []Rule `json:"egress"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +type ClusterNetworkPolicyList struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ListMeta `json:"metadata,omitempty"` + + Items []ClusterNetworkPolicy `json:"items"` +} + +// PeerProtocol includes all protocols that are supported. All fields should be +// used as a stand-alone field. To match all traffic with a specific protocol, set +// the value of the corresponding field as an empty struct. +type PeerProtocol struct { + TCP *L4Protocol `json:"tcp,omitempty"` + UDP *L4Protocol `json:"udp,omitempty"` + SCTP *L4Protocol `json:"sctp,omitempty"` + ICMP *ICMPProtocol `json:"icmp,omitempty"` +} + +type L4Protocol struct { + // The port on the given protocol. This can be either a numerical + // or named port on a Pod. If this field is not provided, this + // matches all port names and numbers. + // +optional + Port *intstr.IntOrString `json:"port,omitempty"` + // EndPort defines the end of the port range, being the end included within the range. + // It can only be specified when a numerical `port` is specified. 
+ // +optional + EndPort *int32 `json:"endPort,omitempty"` +} + +// ICMPProtocol matches ICMP traffic with specific ICMPType and/or ICMPCode. All +// fields could be used alone or together. If all fields are not provided, this +// matches all ICMP traffic. +type ICMPProtocol struct { + ICMPType *int32 `json:"icmpType,omitempty"` + ICMPCode *int32 `json:"icmpCode,omitempty"` +} diff --git a/pkg/apis/crd/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/crd/v1alpha2/zz_generated.deepcopy.go index 4334cb9f36e..2660df539de 100644 --- a/pkg/apis/crd/v1alpha2/zz_generated.deepcopy.go +++ b/pkg/apis/crd/v1alpha2/zz_generated.deepcopy.go @@ -23,6 +23,7 @@ import ( v1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" + intstr "k8s.io/apimachinery/pkg/util/intstr" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
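Review bot: The doc comment on Rule.ToServices says the field "can't be used with To or Ports", but the v1alpha2 Rule has no Ports field — port selection lives in Protocols — so the comment should read `// can only be used when AntreaProxy is enabled. This field can't be used with To` followed by `// or Protocols.` ICMPProtocol.ICMPType and ICMPCode are int32 with no stated bound; as ICMP type and code are single-octet values, the comment should give the 0-255 range and the generated CRD schema should carry matching minimum/maximum validation, which is not visible in this hunk and worth confirming. The exported types NetworkPolicy, NetworkPolicyList, ClusterNetworkPolicy, ClusterNetworkPolicyList and L4Protocol have no doc comment starting with their name; a one-sentence comment such as `// NetworkPolicy describes a namespaced Antrea-native policy and its observed status.` on each would satisfy the convention the other types in this hunk follow. Also, `specfies` is misspelled in both Priority comments.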
@@ -117,6 +118,104 @@ func (in *ClusterGroupList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterNetworkPolicy) DeepCopyInto(out *ClusterNetworkPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicy. +func (in *ClusterNetworkPolicy) DeepCopy() *ClusterNetworkPolicy { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterNetworkPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterNetworkPolicyList) DeepCopyInto(out *ClusterNetworkPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ClusterNetworkPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicyList. +func (in *ClusterNetworkPolicyList) DeepCopy() *ClusterNetworkPolicyList { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *ClusterNetworkPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterNetworkPolicySpec) DeepCopyInto(out *ClusterNetworkPolicySpec) { + *out = *in + if in.AppliedTo != nil { + in, out := &in.AppliedTo, &out.AppliedTo + *out = make([]v1alpha1.NetworkPolicyPeer, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Ingress != nil { + in, out := &in.Ingress, &out.Ingress + *out = make([]Rule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Egress != nil { + in, out := &in.Egress, &out.Egress + *out = make([]Rule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicySpec. +func (in *ClusterNetworkPolicySpec) DeepCopy() *ClusterNetworkPolicySpec { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicySpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Egress) DeepCopyInto(out *Egress) { *out = *in 
@@ -520,6 +619,32 @@ func (in *GroupStatus) DeepCopy() *GroupStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ICMPProtocol) DeepCopyInto(out *ICMPProtocol) { + *out = *in + if in.ICMPType != nil { + in, out := &in.ICMPType, &out.ICMPType + *out = new(int32) + **out = **in + } + if in.ICMPCode != nil { + in, out := &in.ICMPCode, &out.ICMPCode + *out = new(int32) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ICMPProtocol. +func (in *ICMPProtocol) DeepCopy() *ICMPProtocol { + if in == nil { + return nil + } + out := new(ICMPProtocol) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IPAddressOwner) DeepCopyInto(out *IPAddressOwner) { *out = *in @@ -684,6 +809,32 @@ func (in *IPRange) DeepCopy() *IPRange { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *L4Protocol) DeepCopyInto(out *L4Protocol) { + *out = *in + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(intstr.IntOrString) + **out = **in + } + if in.EndPort != nil { + in, out := &in.EndPort, &out.EndPort + *out = new(int32) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new L4Protocol. +func (in *L4Protocol) DeepCopy() *L4Protocol { + if in == nil { + return nil + } + out := new(L4Protocol) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NamedPort) DeepCopyInto(out *NamedPort) { *out = *in 
@@ -700,6 +851,156 @@ func (in *NamedPort) DeepCopy() *NamedPort { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicy) DeepCopyInto(out *NetworkPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicy. +func (in *NetworkPolicy) DeepCopy() *NetworkPolicy { + if in == nil { + return nil + } + out := new(NetworkPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *NetworkPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyList) DeepCopyInto(out *NetworkPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]NetworkPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyList. +func (in *NetworkPolicyList) DeepCopy() *NetworkPolicyList { + if in == nil { + return nil + } + out := new(NetworkPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *NetworkPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *NetworkPolicySpec) DeepCopyInto(out *NetworkPolicySpec) { + *out = *in + if in.AppliedTo != nil { + in, out := &in.AppliedTo, &out.AppliedTo + *out = make([]v1alpha1.NetworkPolicyPeer, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Ingress != nil { + in, out := &in.Ingress, &out.Ingress + *out = make([]Rule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Egress != nil { + in, out := &in.Egress, &out.Egress + *out = make([]Rule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicySpec. +func (in *NetworkPolicySpec) DeepCopy() *NetworkPolicySpec { + if in == nil { + return nil + } + out := new(NetworkPolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyStatus) DeepCopyInto(out *NetworkPolicyStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyStatus. +func (in *NetworkPolicyStatus) DeepCopy() *NetworkPolicyStatus { + if in == nil { + return nil + } + out := new(NetworkPolicyStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *PeerProtocol) DeepCopyInto(out *PeerProtocol) { + *out = *in + if in.TCP != nil { + in, out := &in.TCP, &out.TCP + *out = new(L4Protocol) + (*in).DeepCopyInto(*out) + } + if in.UDP != nil { + in, out := &in.UDP, &out.UDP + *out = new(L4Protocol) + (*in).DeepCopyInto(*out) + } + if in.SCTP != nil { + in, out := &in.SCTP, &out.SCTP + *out = new(L4Protocol) + (*in).DeepCopyInto(*out) + } + if in.ICMP != nil { + in, out := &in.ICMP, &out.ICMP + *out = new(ICMPProtocol) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerProtocol. +func (in *PeerProtocol) DeepCopy() *PeerProtocol { + if in == nil { + return nil + } + out := new(PeerProtocol) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PodOwner) DeepCopyInto(out *PodOwner) { *out = *in 
@@ -716,6 +1017,60 @@ func (in *PodOwner) DeepCopy() *PodOwner { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Rule) DeepCopyInto(out *Rule) { + *out = *in + if in.Action != nil { + in, out := &in.Action, &out.Action + *out = new(v1alpha1.RuleAction) + **out = **in + } + if in.Protocols != nil { + in, out := &in.Protocols, &out.Protocols + *out = make([]PeerProtocol, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.From != nil { + in, out := &in.From, &out.From + *out = make([]v1alpha1.NetworkPolicyPeer, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.To != nil { + in, out := &in.To, &out.To + *out = make([]v1alpha1.NetworkPolicyPeer, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ToServices != nil { + in, out := &in.ToServices, &out.ToServices + *out = make([]v1alpha1.NamespacedName, len(*in)) + copy(*out, *in) + } + if in.AppliedTo != nil { + in, out := &in.AppliedTo, &out.AppliedTo + *out = make([]v1alpha1.NetworkPolicyPeer, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule. +func (in *Rule) DeepCopy() *Rule { + if in == nil { + return nil + } + out := new(Rule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *StatefulSetOwner) DeepCopyInto(out *StatefulSetOwner) { *out = *in diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go index fb66d9139c6..a45ff6b162a 100644 --- a/pkg/apiserver/apiserver.go +++ b/pkg/apiserver/apiserver.go 
@@ -272,7 +272,10 @@ func installHandlers(c *ExtraConfig, s *genericapiserver.GenericAPIServer) { s.Handler.NonGoRestfulMux.HandleFunc("/validate/clustergroup", webhook.HandlerForValidateFunc(v.Validate)) // Install handlers for CRD conversion between versions + klog.Infof("=============install convert handler") s.Handler.NonGoRestfulMux.HandleFunc("/convert/clustergroup", webhook.HandleCRDConversion(controllernetworkpolicy.ConvertClusterGroupCRD)) + s.Handler.NonGoRestfulMux.HandleFunc("/convert/clusternetworkpolicy", webhook.HandleCRDConversion(controllernetworkpolicy.ConvertClusterNetworkPolicyCRD)) + s.Handler.NonGoRestfulMux.HandleFunc("/convert/networkpolicy", webhook.HandleCRDConversion(controllernetworkpolicy.ConvertNetworkPolicyCRD)) // Install a post start hook to initialize Tiers on start-up s.AddPostStartHook("initialize-tiers", func(context genericapiserver.PostStartHookContext) error { @@ -313,6 +316,8 @@ func DefaultCAConfig() *certificate.CAConfig { }, CRDsWithConversionWebhooks: []string{ "clustergroups.crd.antrea.io", + "clusternetworkpolicies.crd.antrea.io", + "networkpolicies.crd.antrea.io", }, CertDir: "/var/run/antrea/antrea-controller-tls", SelfSignedCertDir: "/var/run/antrea/antrea-controller-self-signed", diff --git a/pkg/apiserver/handlers/webhook/convert_crd.go b/pkg/apiserver/handlers/webhook/convert_crd.go index bd1d5024151..21d1dcbaa46 100644 --- a/pkg/apiserver/handlers/webhook/convert_crd.go +++ b/pkg/apiserver/handlers/webhook/convert_crd.go @@ -108,6 +108,7 @@ func doConversionV1(convertRequest *v1.ConversionRequest, convert convertFunc) * func HandleCRDConversion(crdConvertFunc convertFunc) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { klog.V(2).Info("Received request to convert CRD version") + klog.Infof("Received request to convert CRD version: %v", r.Body) var body []byte if r.Body != nil { if data, err := ioutil.ReadAll(r.Body); err == nil { 
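Review bot: `klog.Infof("=============install convert handler")` in installHandlers is a leftover debug statement at the default log level and should be removed before merge; the same applies to the new `klog.Infof("Received request to convert CRD version: %v", r.Body)` in the HandleCRDConversion hunk of convert_crd.go, which duplicates the `klog.V(2).Info` line directly above it. Formatting `r.Body` with `%v` prints the io.ReadCloser value rather than any request content, so that line has no diagnostic value even while debugging; if request details are wanted they belong behind `klog.V(4)` after the body has been read. Both enclosing functions continue outside their hunks.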
diff --git a/pkg/apiserver/openapi/zz_generated.openapi.go b/pkg/apiserver/openapi/zz_generated.openapi.go index 96844d0c14a..42129e7b824 100644 --- a/pkg/apiserver/openapi/zz_generated.openapi.go +++ b/pkg/apiserver/openapi/zz_generated.openapi.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Copyright 2021 Antrea Authors +// Copyright 2022 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -1720,6 +1720,18 @@ func schema_pkg_apis_controlplane_v1beta2_Service(ref common.ReferenceCallback) Format: "int32", }, }, + "icmpType": { + SchemaProps: spec.SchemaProps{ + Type: []string{"integer"}, + Format: "int32", + }, + }, + "icmpCode": { + SchemaProps: spec.SchemaProps{ + Type: []string{"integer"}, + Format: "int32", + }, + }, }, }, }, diff --git a/pkg/client/clientset/versioned/typed/crd/v1alpha2/clusternetworkpolicy.go b/pkg/client/clientset/versioned/typed/crd/v1alpha2/clusternetworkpolicy.go new file mode 100644 index 00000000000..d3500754359 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/crd/v1alpha2/clusternetworkpolicy.go 
@@ -0,0 +1,182 @@ +// Copyright 2022 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + "context" + "time" + + v1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2" + scheme "antrea.io/antrea/pkg/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// ClusterNetworkPoliciesGetter has a method to return a ClusterNetworkPolicyInterface. +// A group's client should implement this interface. +type ClusterNetworkPoliciesGetter interface { + ClusterNetworkPolicies() ClusterNetworkPolicyInterface +} + +// ClusterNetworkPolicyInterface has methods to work with ClusterNetworkPolicy resources. 
+type ClusterNetworkPolicyInterface interface { + Create(ctx context.Context, clusterNetworkPolicy *v1alpha2.ClusterNetworkPolicy, opts v1.CreateOptions) (*v1alpha2.ClusterNetworkPolicy, error) + Update(ctx context.Context, clusterNetworkPolicy *v1alpha2.ClusterNetworkPolicy, opts v1.UpdateOptions) (*v1alpha2.ClusterNetworkPolicy, error) + UpdateStatus(ctx context.Context, clusterNetworkPolicy *v1alpha2.ClusterNetworkPolicy, opts v1.UpdateOptions) (*v1alpha2.ClusterNetworkPolicy, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha2.ClusterNetworkPolicy, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha2.ClusterNetworkPolicyList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha2.ClusterNetworkPolicy, err error) + ClusterNetworkPolicyExpansion +} + +// clusterNetworkPolicies implements ClusterNetworkPolicyInterface +type clusterNetworkPolicies struct { + client rest.Interface +} + +// newClusterNetworkPolicies returns a ClusterNetworkPolicies +func newClusterNetworkPolicies(c *CrdV1alpha2Client) *clusterNetworkPolicies { + return &clusterNetworkPolicies{ + client: c.RESTClient(), + } +} + +// Get takes name of the clusterNetworkPolicy, and returns the corresponding clusterNetworkPolicy object, and an error if there is any. +func (c *clusterNetworkPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha2.ClusterNetworkPolicy, err error) { + result = &v1alpha2.ClusterNetworkPolicy{} + err = c.client.Get(). + Resource("clusternetworkpolicies"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). 
+ Into(result) + return +} + +// List takes label and field selectors, and returns the list of ClusterNetworkPolicies that match those selectors. +func (c *clusterNetworkPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha2.ClusterNetworkPolicyList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha2.ClusterNetworkPolicyList{} + err = c.client.Get(). + Resource("clusternetworkpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested clusterNetworkPolicies. +func (c *clusterNetworkPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Resource("clusternetworkpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a clusterNetworkPolicy and creates it. Returns the server's representation of the clusterNetworkPolicy, and an error, if there is any. +func (c *clusterNetworkPolicies) Create(ctx context.Context, clusterNetworkPolicy *v1alpha2.ClusterNetworkPolicy, opts v1.CreateOptions) (result *v1alpha2.ClusterNetworkPolicy, err error) { + result = &v1alpha2.ClusterNetworkPolicy{} + err = c.client.Post(). + Resource("clusternetworkpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(clusterNetworkPolicy). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a clusterNetworkPolicy and updates it. Returns the server's representation of the clusterNetworkPolicy, and an error, if there is any. 
+func (c *clusterNetworkPolicies) Update(ctx context.Context, clusterNetworkPolicy *v1alpha2.ClusterNetworkPolicy, opts v1.UpdateOptions) (result *v1alpha2.ClusterNetworkPolicy, err error) { + result = &v1alpha2.ClusterNetworkPolicy{} + err = c.client.Put(). + Resource("clusternetworkpolicies"). + Name(clusterNetworkPolicy.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(clusterNetworkPolicy). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *clusterNetworkPolicies) UpdateStatus(ctx context.Context, clusterNetworkPolicy *v1alpha2.ClusterNetworkPolicy, opts v1.UpdateOptions) (result *v1alpha2.ClusterNetworkPolicy, err error) { + result = &v1alpha2.ClusterNetworkPolicy{} + err = c.client.Put(). + Resource("clusternetworkpolicies"). + Name(clusterNetworkPolicy.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(clusterNetworkPolicy). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the clusterNetworkPolicy and deletes it. Returns an error if one occurs. +func (c *clusterNetworkPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Resource("clusternetworkpolicies"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *clusterNetworkPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Resource("clusternetworkpolicies"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched clusterNetworkPolicy. 
+func (c *clusterNetworkPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha2.ClusterNetworkPolicy, err error) { + result = &v1alpha2.ClusterNetworkPolicy{} + err = c.client.Patch(pt). + Resource("clusternetworkpolicies"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/pkg/client/clientset/versioned/typed/crd/v1alpha2/crd_client.go b/pkg/client/clientset/versioned/typed/crd/v1alpha2/crd_client.go index 38c83aebaf1..421bfb1488d 100644 --- a/pkg/client/clientset/versioned/typed/crd/v1alpha2/crd_client.go +++ b/pkg/client/clientset/versioned/typed/crd/v1alpha2/crd_client.go @@ -1,4 +1,4 @@ -// Copyright 2021 Antrea Authors +// Copyright 2022 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -25,10 +25,12 @@ import ( type CrdV1alpha2Interface interface { RESTClient() rest.Interface ClusterGroupsGetter + ClusterNetworkPoliciesGetter EgressesGetter ExternalEntitiesGetter ExternalIPPoolsGetter IPPoolsGetter + NetworkPoliciesGetter } // CrdV1alpha2Client is used to interact with features provided by the crd.antrea.io group. @@ -40,6 +42,10 @@ func (c *CrdV1alpha2Client) ClusterGroups() ClusterGroupInterface { return newClusterGroups(c) } +func (c *CrdV1alpha2Client) ClusterNetworkPolicies() ClusterNetworkPolicyInterface { + return newClusterNetworkPolicies(c) +} + func (c *CrdV1alpha2Client) Egresses() EgressInterface { return newEgresses(c) } 
@@ -56,6 +62,10 @@ func (c *CrdV1alpha2Client) IPPools() IPPoolInterface { return newIPPools(c) } +func (c *CrdV1alpha2Client) NetworkPolicies(namespace string) NetworkPolicyInterface { + return newNetworkPolicies(c, namespace) +} + // NewForConfig creates a new CrdV1alpha2Client for the given config. func NewForConfig(c *rest.Config) (*CrdV1alpha2Client, error) { config := *c diff --git a/pkg/client/clientset/versioned/typed/crd/v1alpha2/fake/fake_clusternetworkpolicy.go b/pkg/client/clientset/versioned/typed/crd/v1alpha2/fake/fake_clusternetworkpolicy.go new file mode 100644 index 00000000000..fd3c3fed389 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/crd/v1alpha2/fake/fake_clusternetworkpolicy.go 
@@ -0,0 +1,131 @@ +// Copyright 2022 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeClusterNetworkPolicies implements ClusterNetworkPolicyInterface +type FakeClusterNetworkPolicies struct { + Fake *FakeCrdV1alpha2 +} + +var clusternetworkpoliciesResource = schema.GroupVersionResource{Group: "crd.antrea.io", Version: "v1alpha2", Resource: "clusternetworkpolicies"} + +var clusternetworkpoliciesKind = schema.GroupVersionKind{Group: "crd.antrea.io", Version: "v1alpha2", Kind: "ClusterNetworkPolicy"} + +// Get takes name of the clusterNetworkPolicy, and returns the corresponding clusterNetworkPolicy object, and an error if there is any. +func (c *FakeClusterNetworkPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha2.ClusterNetworkPolicy, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewRootGetAction(clusternetworkpoliciesResource, name), &v1alpha2.ClusterNetworkPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha2.ClusterNetworkPolicy), err +} + +// List takes label and field selectors, and returns the list of ClusterNetworkPolicies that match those selectors. +func (c *FakeClusterNetworkPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha2.ClusterNetworkPolicyList, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootListAction(clusternetworkpoliciesResource, clusternetworkpoliciesKind, opts), &v1alpha2.ClusterNetworkPolicyList{}) + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha2.ClusterNetworkPolicyList{ListMeta: obj.(*v1alpha2.ClusterNetworkPolicyList).ListMeta} + for _, item := range obj.(*v1alpha2.ClusterNetworkPolicyList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested clusterNetworkPolicies. +func (c *FakeClusterNetworkPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewRootWatchAction(clusternetworkpoliciesResource, opts)) +} + +// Create takes the representation of a clusterNetworkPolicy and creates it. Returns the server's representation of the clusterNetworkPolicy, and an error, if there is any. +func (c *FakeClusterNetworkPolicies) Create(ctx context.Context, clusterNetworkPolicy *v1alpha2.ClusterNetworkPolicy, opts v1.CreateOptions) (result *v1alpha2.ClusterNetworkPolicy, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewRootCreateAction(clusternetworkpoliciesResource, clusterNetworkPolicy), &v1alpha2.ClusterNetworkPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha2.ClusterNetworkPolicy), err +} + +// Update takes the representation of a clusterNetworkPolicy and updates it. Returns the server's representation of the clusterNetworkPolicy, and an error, if there is any. +func (c *FakeClusterNetworkPolicies) Update(ctx context.Context, clusterNetworkPolicy *v1alpha2.ClusterNetworkPolicy, opts v1.UpdateOptions) (result *v1alpha2.ClusterNetworkPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootUpdateAction(clusternetworkpoliciesResource, clusterNetworkPolicy), &v1alpha2.ClusterNetworkPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha2.ClusterNetworkPolicy), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeClusterNetworkPolicies) UpdateStatus(ctx context.Context, clusterNetworkPolicy *v1alpha2.ClusterNetworkPolicy, opts v1.UpdateOptions) (*v1alpha2.ClusterNetworkPolicy, error) { + obj, err := c.Fake. + Invokes(testing.NewRootUpdateSubresourceAction(clusternetworkpoliciesResource, "status", clusterNetworkPolicy), &v1alpha2.ClusterNetworkPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha2.ClusterNetworkPolicy), err +} + +// Delete takes name of the clusterNetworkPolicy and deletes it. Returns an error if one occurs. +func (c *FakeClusterNetworkPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewRootDeleteAction(clusternetworkpoliciesResource, name), &v1alpha2.ClusterNetworkPolicy{}) + return err +} + +// DeleteCollection deletes a collection of objects. 
+func (c *FakeClusterNetworkPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewRootDeleteCollectionAction(clusternetworkpoliciesResource, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha2.ClusterNetworkPolicyList{}) + return err +} + +// Patch applies the patch and returns the patched clusterNetworkPolicy. +func (c *FakeClusterNetworkPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha2.ClusterNetworkPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootPatchSubresourceAction(clusternetworkpoliciesResource, name, pt, data, subresources...), &v1alpha2.ClusterNetworkPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha2.ClusterNetworkPolicy), err +} diff --git a/pkg/client/clientset/versioned/typed/crd/v1alpha2/fake/fake_crd_client.go b/pkg/client/clientset/versioned/typed/crd/v1alpha2/fake/fake_crd_client.go index b814a2d96c5..7aa85533404 100644 --- a/pkg/client/clientset/versioned/typed/crd/v1alpha2/fake/fake_crd_client.go +++ b/pkg/client/clientset/versioned/typed/crd/v1alpha2/fake/fake_crd_client.go @@ -1,4 +1,4 @@ -// Copyright 2021 Antrea Authors +// Copyright 2022 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -30,6 +30,10 @@ func (c *FakeCrdV1alpha2) ClusterGroups() v1alpha2.ClusterGroupInterface { return &FakeClusterGroups{c} } +func (c *FakeCrdV1alpha2) ClusterNetworkPolicies() v1alpha2.ClusterNetworkPolicyInterface { + return &FakeClusterNetworkPolicies{c} +} + func (c *FakeCrdV1alpha2) Egresses() v1alpha2.EgressInterface { return &FakeEgresses{c} } 
@@ -46,6 +50,10 @@ func (c *FakeCrdV1alpha2) IPPools() v1alpha2.IPPoolInterface { return &FakeIPPools{c} } +func (c *FakeCrdV1alpha2) NetworkPolicies(namespace string) v1alpha2.NetworkPolicyInterface { + return &FakeNetworkPolicies{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeCrdV1alpha2) RESTClient() rest.Interface { diff --git a/pkg/client/clientset/versioned/typed/crd/v1alpha2/fake/fake_networkpolicy.go b/pkg/client/clientset/versioned/typed/crd/v1alpha2/fake/fake_networkpolicy.go new file mode 100644 index 00000000000..3f6635a5e6f --- /dev/null +++ b/pkg/client/clientset/versioned/typed/crd/v1alpha2/fake/fake_networkpolicy.go 
@@ -0,0 +1,140 @@ +// Copyright 2022 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeNetworkPolicies implements NetworkPolicyInterface +type FakeNetworkPolicies struct { + Fake *FakeCrdV1alpha2 + ns string +} + +var networkpoliciesResource = schema.GroupVersionResource{Group: "crd.antrea.io", Version: "v1alpha2", Resource: "networkpolicies"} + +var networkpoliciesKind = schema.GroupVersionKind{Group: "crd.antrea.io", Version: "v1alpha2", Kind: "NetworkPolicy"} + +// Get takes name of the networkPolicy, and returns the corresponding networkPolicy object, and an error if there is any. +func (c *FakeNetworkPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha2.NetworkPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(networkpoliciesResource, c.ns, name), &v1alpha2.NetworkPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha2.NetworkPolicy), err +} + +// List takes label and field selectors, and returns the list of NetworkPolicies that match those selectors. 
+func (c *FakeNetworkPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha2.NetworkPolicyList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(networkpoliciesResource, networkpoliciesKind, c.ns, opts), &v1alpha2.NetworkPolicyList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha2.NetworkPolicyList{ListMeta: obj.(*v1alpha2.NetworkPolicyList).ListMeta} + for _, item := range obj.(*v1alpha2.NetworkPolicyList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested networkPolicies. +func (c *FakeNetworkPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(networkpoliciesResource, c.ns, opts)) + +} + +// Create takes the representation of a networkPolicy and creates it. Returns the server's representation of the networkPolicy, and an error, if there is any. +func (c *FakeNetworkPolicies) Create(ctx context.Context, networkPolicy *v1alpha2.NetworkPolicy, opts v1.CreateOptions) (result *v1alpha2.NetworkPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(networkpoliciesResource, c.ns, networkPolicy), &v1alpha2.NetworkPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha2.NetworkPolicy), err +} + +// Update takes the representation of a networkPolicy and updates it. Returns the server's representation of the networkPolicy, and an error, if there is any. +func (c *FakeNetworkPolicies) Update(ctx context.Context, networkPolicy *v1alpha2.NetworkPolicy, opts v1.UpdateOptions) (result *v1alpha2.NetworkPolicy, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewUpdateAction(networkpoliciesResource, c.ns, networkPolicy), &v1alpha2.NetworkPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha2.NetworkPolicy), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeNetworkPolicies) UpdateStatus(ctx context.Context, networkPolicy *v1alpha2.NetworkPolicy, opts v1.UpdateOptions) (*v1alpha2.NetworkPolicy, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(networkpoliciesResource, "status", c.ns, networkPolicy), &v1alpha2.NetworkPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha2.NetworkPolicy), err +} + +// Delete takes name of the networkPolicy and deletes it. Returns an error if one occurs. +func (c *FakeNetworkPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(networkpoliciesResource, c.ns, name), &v1alpha2.NetworkPolicy{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeNetworkPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(networkpoliciesResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha2.NetworkPolicyList{}) + return err +} + +// Patch applies the patch and returns the patched networkPolicy. +func (c *FakeNetworkPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha2.NetworkPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(networkpoliciesResource, c.ns, name, pt, data, subresources...), &v1alpha2.NetworkPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha2.NetworkPolicy), err +} 
diff --git a/pkg/client/clientset/versioned/typed/crd/v1alpha2/generated_expansion.go b/pkg/client/clientset/versioned/typed/crd/v1alpha2/generated_expansion.go index 2103fbb17bc..43220cbe622 100644 --- a/pkg/client/clientset/versioned/typed/crd/v1alpha2/generated_expansion.go +++ b/pkg/client/clientset/versioned/typed/crd/v1alpha2/generated_expansion.go @@ -1,4 +1,4 @@ -// Copyright 2021 Antrea Authors +// Copyright 2022 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -18,6 +18,8 @@ package v1alpha2 type ClusterGroupExpansion interface{} +type ClusterNetworkPolicyExpansion interface{} + type EgressExpansion interface{} type ExternalEntityExpansion interface{} @@ -25,3 +27,5 @@ type ExternalEntityExpansion interface{} type ExternalIPPoolExpansion interface{} type IPPoolExpansion interface{} + +type NetworkPolicyExpansion interface{} diff --git a/pkg/client/clientset/versioned/typed/crd/v1alpha2/networkpolicy.go b/pkg/client/clientset/versioned/typed/crd/v1alpha2/networkpolicy.go new file mode 100644 index 00000000000..9b428157e0b --- /dev/null +++ b/pkg/client/clientset/versioned/typed/crd/v1alpha2/networkpolicy.go 
@@ -0,0 +1,193 @@ +// Copyright 2022 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + "context" + "time" + + v1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2" + scheme "antrea.io/antrea/pkg/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// NetworkPoliciesGetter has a method to return a NetworkPolicyInterface. +// A group's client should implement this interface. +type NetworkPoliciesGetter interface { + NetworkPolicies(namespace string) NetworkPolicyInterface +} + +// NetworkPolicyInterface has methods to work with NetworkPolicy resources. 
+type NetworkPolicyInterface interface { + Create(ctx context.Context, networkPolicy *v1alpha2.NetworkPolicy, opts v1.CreateOptions) (*v1alpha2.NetworkPolicy, error) + Update(ctx context.Context, networkPolicy *v1alpha2.NetworkPolicy, opts v1.UpdateOptions) (*v1alpha2.NetworkPolicy, error) + UpdateStatus(ctx context.Context, networkPolicy *v1alpha2.NetworkPolicy, opts v1.UpdateOptions) (*v1alpha2.NetworkPolicy, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha2.NetworkPolicy, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha2.NetworkPolicyList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha2.NetworkPolicy, err error) + NetworkPolicyExpansion +} + +// networkPolicies implements NetworkPolicyInterface +type networkPolicies struct { + client rest.Interface + ns string +} + +// newNetworkPolicies returns a NetworkPolicies +func newNetworkPolicies(c *CrdV1alpha2Client, namespace string) *networkPolicies { + return &networkPolicies{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the networkPolicy, and returns the corresponding networkPolicy object, and an error if there is any. +func (c *networkPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha2.NetworkPolicy, err error) { + result = &v1alpha2.NetworkPolicy{} + err = c.client.Get(). + Namespace(c.ns). + Resource("networkpolicies"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of NetworkPolicies that match those selectors. 
+func (c *networkPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha2.NetworkPolicyList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha2.NetworkPolicyList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("networkpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested networkPolicies. +func (c *networkPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("networkpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a networkPolicy and creates it. Returns the server's representation of the networkPolicy, and an error, if there is any. +func (c *networkPolicies) Create(ctx context.Context, networkPolicy *v1alpha2.NetworkPolicy, opts v1.CreateOptions) (result *v1alpha2.NetworkPolicy, err error) { + result = &v1alpha2.NetworkPolicy{} + err = c.client.Post(). + Namespace(c.ns). + Resource("networkpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(networkPolicy). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a networkPolicy and updates it. Returns the server's representation of the networkPolicy, and an error, if there is any. +func (c *networkPolicies) Update(ctx context.Context, networkPolicy *v1alpha2.NetworkPolicy, opts v1.UpdateOptions) (result *v1alpha2.NetworkPolicy, err error) { + result = &v1alpha2.NetworkPolicy{} + err = c.client.Put(). + Namespace(c.ns). + Resource("networkpolicies"). + Name(networkPolicy.Name). 
+ VersionedParams(&opts, scheme.ParameterCodec). + Body(networkPolicy). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *networkPolicies) UpdateStatus(ctx context.Context, networkPolicy *v1alpha2.NetworkPolicy, opts v1.UpdateOptions) (result *v1alpha2.NetworkPolicy, err error) { + result = &v1alpha2.NetworkPolicy{} + err = c.client.Put(). + Namespace(c.ns). + Resource("networkpolicies"). + Name(networkPolicy.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(networkPolicy). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the networkPolicy and deletes it. Returns an error if one occurs. +func (c *networkPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("networkpolicies"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *networkPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("networkpolicies"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched networkPolicy. +func (c *networkPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha2.NetworkPolicy, err error) { + result = &v1alpha2.NetworkPolicy{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("networkpolicies"). + Name(name). + SubResource(subresources...). 
+ VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/pkg/client/clientset/versioned/typed/crd/v1alpha3/fake/fake_externalentity.go b/pkg/client/clientset/versioned/typed/crd/v1alpha3/fake/fake_externalentity.go new file mode 100644 index 00000000000..108036d664d --- /dev/null +++ b/pkg/client/clientset/versioned/typed/crd/v1alpha3/fake/fake_externalentity.go 
@@ -0,0 +1,128 @@ +// Copyright 2022 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha3 "antrea.io/antrea/pkg/apis/crd/v1alpha3" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeExternalEntities implements ExternalEntityInterface +type FakeExternalEntities struct { + Fake *FakeCrdV1alpha3 + ns string +} + +var externalentitiesResource = schema.GroupVersionResource{Group: "crd.antrea.io", Version: "v1alpha3", Resource: "externalentities"} + +var externalentitiesKind = schema.GroupVersionKind{Group: "crd.antrea.io", Version: "v1alpha3", Kind: "ExternalEntity"} + +// Get takes name of the externalEntity, and returns the corresponding externalEntity object, and an error if there is any. +func (c *FakeExternalEntities) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha3.ExternalEntity, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewGetAction(externalentitiesResource, c.ns, name), &v1alpha3.ExternalEntity{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha3.ExternalEntity), err +} + +// List takes label and field selectors, and returns the list of ExternalEntities that match those selectors. +func (c *FakeExternalEntities) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha3.ExternalEntityList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(externalentitiesResource, externalentitiesKind, c.ns, opts), &v1alpha3.ExternalEntityList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha3.ExternalEntityList{ListMeta: obj.(*v1alpha3.ExternalEntityList).ListMeta} + for _, item := range obj.(*v1alpha3.ExternalEntityList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested externalEntities. +func (c *FakeExternalEntities) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(externalentitiesResource, c.ns, opts)) + +} + +// Create takes the representation of a externalEntity and creates it. Returns the server's representation of the externalEntity, and an error, if there is any. +func (c *FakeExternalEntities) Create(ctx context.Context, externalEntity *v1alpha3.ExternalEntity, opts v1.CreateOptions) (result *v1alpha3.ExternalEntity, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(externalentitiesResource, c.ns, externalEntity), &v1alpha3.ExternalEntity{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha3.ExternalEntity), err +} + +// Update takes the representation of a externalEntity and updates it. 
Returns the server's representation of the externalEntity, and an error, if there is any. +func (c *FakeExternalEntities) Update(ctx context.Context, externalEntity *v1alpha3.ExternalEntity, opts v1.UpdateOptions) (result *v1alpha3.ExternalEntity, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(externalentitiesResource, c.ns, externalEntity), &v1alpha3.ExternalEntity{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha3.ExternalEntity), err +} + +// Delete takes name of the externalEntity and deletes it. Returns an error if one occurs. +func (c *FakeExternalEntities) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(externalentitiesResource, c.ns, name), &v1alpha3.ExternalEntity{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeExternalEntities) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(externalentitiesResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha3.ExternalEntityList{}) + return err +} + +// Patch applies the patch and returns the patched externalEntity. +func (c *FakeExternalEntities) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha3.ExternalEntity, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(externalentitiesResource, c.ns, name, pt, data, subresources...), &v1alpha3.ExternalEntity{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha3.ExternalEntity), err +} diff --git a/pkg/client/informers/externalversions/crd/v1alpha2/clusternetworkpolicy.go b/pkg/client/informers/externalversions/crd/v1alpha2/clusternetworkpolicy.go new file mode 100644 index 00000000000..ae66562185f --- /dev/null 
+++ b/pkg/client/informers/externalversions/crd/v1alpha2/clusternetworkpolicy.go 
@@ -0,0 +1,87 @@ +// Copyright 2022 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + "context" + time "time" + + crdv1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2" + versioned "antrea.io/antrea/pkg/client/clientset/versioned" + internalinterfaces "antrea.io/antrea/pkg/client/informers/externalversions/internalinterfaces" + v1alpha2 "antrea.io/antrea/pkg/client/listers/crd/v1alpha2" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// ClusterNetworkPolicyInformer provides access to a shared informer and lister for +// ClusterNetworkPolicies. +type ClusterNetworkPolicyInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha2.ClusterNetworkPolicyLister +} + +type clusterNetworkPolicyInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// NewClusterNetworkPolicyInformer constructs a new informer for ClusterNetworkPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewClusterNetworkPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredClusterNetworkPolicyInformer(client, resyncPeriod, indexers, nil) +} + +// NewFilteredClusterNetworkPolicyInformer constructs a new informer for ClusterNetworkPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredClusterNetworkPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.CrdV1alpha2().ClusterNetworkPolicies().List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.CrdV1alpha2().ClusterNetworkPolicies().Watch(context.TODO(), options) + }, + }, + &crdv1alpha2.ClusterNetworkPolicy{}, + resyncPeriod, + indexers, + ) +} + +func (f *clusterNetworkPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredClusterNetworkPolicyInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *clusterNetworkPolicyInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&crdv1alpha2.ClusterNetworkPolicy{}, f.defaultInformer) +} + +func (f *clusterNetworkPolicyInformer) Lister() v1alpha2.ClusterNetworkPolicyLister { + return v1alpha2.NewClusterNetworkPolicyLister(f.Informer().GetIndexer()) +} 
diff --git a/pkg/client/informers/externalversions/crd/v1alpha2/interface.go b/pkg/client/informers/externalversions/crd/v1alpha2/interface.go index 648f8a62313..959c15f69df 100644 --- a/pkg/client/informers/externalversions/crd/v1alpha2/interface.go +++ b/pkg/client/informers/externalversions/crd/v1alpha2/interface.go @@ -1,4 +1,4 @@ -// Copyright 2021 Antrea Authors +// Copyright 2022 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -24,6 +24,8 @@ import ( type Interface interface { // ClusterGroups returns a ClusterGroupInformer. ClusterGroups() ClusterGroupInformer + // ClusterNetworkPolicies returns a ClusterNetworkPolicyInformer. + ClusterNetworkPolicies() ClusterNetworkPolicyInformer // Egresses returns a EgressInformer. Egresses() EgressInformer // ExternalEntities returns a ExternalEntityInformer. @@ -32,6 +34,8 @@ type Interface interface { ExternalIPPools() ExternalIPPoolInformer // IPPools returns a IPPoolInformer. IPPools() IPPoolInformer + // NetworkPolicies returns a NetworkPolicyInformer. + NetworkPolicies() NetworkPolicyInformer } type version struct { @@ -50,6 +54,11 @@ func (v *version) ClusterGroups() ClusterGroupInformer { return &clusterGroupInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} } +// ClusterNetworkPolicies returns a ClusterNetworkPolicyInformer. +func (v *version) ClusterNetworkPolicies() ClusterNetworkPolicyInformer { + return &clusterNetworkPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} +} + // Egresses returns a EgressInformer. func (v *version) Egresses() EgressInformer { return &egressInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} 
@@ -69,3 +78,8 @@ func (v *version) ExternalIPPools() ExternalIPPoolInformer { func (v *version) IPPools() IPPoolInformer { return &iPPoolInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} } + +// NetworkPolicies returns a NetworkPolicyInformer. +func (v *version) NetworkPolicies() NetworkPolicyInformer { + return &networkPolicyInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/pkg/client/informers/externalversions/crd/v1alpha2/networkpolicy.go b/pkg/client/informers/externalversions/crd/v1alpha2/networkpolicy.go new file mode 100644 index 00000000000..3431cc8dcf3 --- /dev/null +++ b/pkg/client/informers/externalversions/crd/v1alpha2/networkpolicy.go 
@@ -0,0 +1,88 @@ +// Copyright 2022 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + "context" + time "time" + + crdv1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2" + versioned "antrea.io/antrea/pkg/client/clientset/versioned" + internalinterfaces "antrea.io/antrea/pkg/client/informers/externalversions/internalinterfaces" + v1alpha2 "antrea.io/antrea/pkg/client/listers/crd/v1alpha2" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// NetworkPolicyInformer provides access to a shared informer and lister for +// NetworkPolicies. +type NetworkPolicyInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha2.NetworkPolicyLister +} + +type networkPolicyInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewNetworkPolicyInformer constructs a new informer for NetworkPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewNetworkPolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredNetworkPolicyInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredNetworkPolicyInformer constructs a new informer for NetworkPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredNetworkPolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.CrdV1alpha2().NetworkPolicies(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.CrdV1alpha2().NetworkPolicies(namespace).Watch(context.TODO(), options) + }, + }, + &crdv1alpha2.NetworkPolicy{}, + resyncPeriod, + indexers, + ) +} + +func (f *networkPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredNetworkPolicyInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *networkPolicyInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&crdv1alpha2.NetworkPolicy{}, f.defaultInformer) +} + +func (f *networkPolicyInformer) Lister() v1alpha2.NetworkPolicyLister { + return v1alpha2.NewNetworkPolicyLister(f.Informer().GetIndexer()) +} 
diff --git a/pkg/client/informers/externalversions/generic.go b/pkg/client/informers/externalversions/generic.go index 8c8ee1ab463..61060428f99 100644 --- a/pkg/client/informers/externalversions/generic.go +++ b/pkg/client/informers/externalversions/generic.go @@ -1,4 +1,4 @@ -// Copyright 2021 Antrea Authors +// Copyright 2022 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -66,6 +66,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=crd.antrea.io, Version=v1alpha2 case v1alpha2.SchemeGroupVersion.WithResource("clustergroups"): return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha2().ClusterGroups().Informer()}, nil + case v1alpha2.SchemeGroupVersion.WithResource("clusternetworkpolicies"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha2().ClusterNetworkPolicies().Informer()}, nil case v1alpha2.SchemeGroupVersion.WithResource("egresses"): return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha2().Egresses().Informer()}, nil case v1alpha2.SchemeGroupVersion.WithResource("externalentities"): @@ -74,6 +76,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha2().ExternalIPPools().Informer()}, nil case v1alpha2.SchemeGroupVersion.WithResource("ippools"): return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha2().IPPools().Informer()}, nil + case v1alpha2.SchemeGroupVersion.WithResource("networkpolicies"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha2().NetworkPolicies().Informer()}, nil // Group=crd.antrea.io, Version=v1alpha3 case v1alpha3.SchemeGroupVersion.WithResource("clustergroups"): 
diff --git a/pkg/client/listers/crd/v1alpha2/clusternetworkpolicy.go b/pkg/client/listers/crd/v1alpha2/clusternetworkpolicy.go new file mode 100644 index 00000000000..5ee4025ee23 --- /dev/null +++ b/pkg/client/listers/crd/v1alpha2/clusternetworkpolicy.go 
@@ -0,0 +1,66 @@ +// Copyright 2022 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + v1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// ClusterNetworkPolicyLister helps list ClusterNetworkPolicies. +// All objects returned here must be treated as read-only. +type ClusterNetworkPolicyLister interface { + // List lists all ClusterNetworkPolicies in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha2.ClusterNetworkPolicy, err error) + // Get retrieves the ClusterNetworkPolicy from the index for a given name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha2.ClusterNetworkPolicy, error) + ClusterNetworkPolicyListerExpansion +} + +// clusterNetworkPolicyLister implements the ClusterNetworkPolicyLister interface. +type clusterNetworkPolicyLister struct { + indexer cache.Indexer +} + +// NewClusterNetworkPolicyLister returns a new ClusterNetworkPolicyLister. +func NewClusterNetworkPolicyLister(indexer cache.Indexer) ClusterNetworkPolicyLister { + return &clusterNetworkPolicyLister{indexer: indexer} +} + +// List lists all ClusterNetworkPolicies in the indexer. 
+func (s *clusterNetworkPolicyLister) List(selector labels.Selector) (ret []*v1alpha2.ClusterNetworkPolicy, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha2.ClusterNetworkPolicy)) + }) + return ret, err +} + +// Get retrieves the ClusterNetworkPolicy from the index for a given name. +func (s *clusterNetworkPolicyLister) Get(name string) (*v1alpha2.ClusterNetworkPolicy, error) { + obj, exists, err := s.indexer.GetByKey(name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha2.Resource("clusternetworkpolicy"), name) + } + return obj.(*v1alpha2.ClusterNetworkPolicy), nil +} diff --git a/pkg/client/listers/crd/v1alpha2/expansion_generated.go b/pkg/client/listers/crd/v1alpha2/expansion_generated.go index e7120eb239a..90717378d5e 100644 --- a/pkg/client/listers/crd/v1alpha2/expansion_generated.go +++ b/pkg/client/listers/crd/v1alpha2/expansion_generated.go @@ -1,4 +1,4 @@ -// Copyright 2021 Antrea Authors +// Copyright 2022 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -20,6 +20,10 @@ package v1alpha2 // ClusterGroupLister. type ClusterGroupListerExpansion interface{} +// ClusterNetworkPolicyListerExpansion allows custom methods to be added to +// ClusterNetworkPolicyLister. +type ClusterNetworkPolicyListerExpansion interface{} + // EgressListerExpansion allows custom methods to be added to // EgressLister. type EgressListerExpansion interface{} 
@@ -39,3 +43,11 @@ type ExternalIPPoolListerExpansion interface{} // IPPoolListerExpansion allows custom methods to be added to // IPPoolLister. type IPPoolListerExpansion interface{} + +// NetworkPolicyListerExpansion allows custom methods to be added to +// NetworkPolicyLister. +type NetworkPolicyListerExpansion interface{} + +// NetworkPolicyNamespaceListerExpansion allows custom methods to be added to +// NetworkPolicyNamespaceLister. +type NetworkPolicyNamespaceListerExpansion interface{} diff --git a/pkg/client/listers/crd/v1alpha2/networkpolicy.go b/pkg/client/listers/crd/v1alpha2/networkpolicy.go new file mode 100644 index 00000000000..6c5f81736d4 --- /dev/null +++ b/pkg/client/listers/crd/v1alpha2/networkpolicy.go 
@@ -0,0 +1,97 @@ +// Copyright 2022 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + v1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// NetworkPolicyLister helps list NetworkPolicies. +// All objects returned here must be treated as read-only. +type NetworkPolicyLister interface { + // List lists all NetworkPolicies in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha2.NetworkPolicy, err error) + // NetworkPolicies returns an object that can list and get NetworkPolicies. + NetworkPolicies(namespace string) NetworkPolicyNamespaceLister + NetworkPolicyListerExpansion +} + +// networkPolicyLister implements the NetworkPolicyLister interface. +type networkPolicyLister struct { + indexer cache.Indexer +} + +// NewNetworkPolicyLister returns a new NetworkPolicyLister. +func NewNetworkPolicyLister(indexer cache.Indexer) NetworkPolicyLister { + return &networkPolicyLister{indexer: indexer} +} + +// List lists all NetworkPolicies in the indexer. 
+func (s *networkPolicyLister) List(selector labels.Selector) (ret []*v1alpha2.NetworkPolicy, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha2.NetworkPolicy)) + }) + return ret, err +} + +// NetworkPolicies returns an object that can list and get NetworkPolicies. +func (s *networkPolicyLister) NetworkPolicies(namespace string) NetworkPolicyNamespaceLister { + return networkPolicyNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// NetworkPolicyNamespaceLister helps list and get NetworkPolicies. +// All objects returned here must be treated as read-only. +type NetworkPolicyNamespaceLister interface { + // List lists all NetworkPolicies in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha2.NetworkPolicy, err error) + // Get retrieves the NetworkPolicy from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha2.NetworkPolicy, error) + NetworkPolicyNamespaceListerExpansion +} + +// networkPolicyNamespaceLister implements the NetworkPolicyNamespaceLister +// interface. +type networkPolicyNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all NetworkPolicies in the indexer for a given namespace. +func (s networkPolicyNamespaceLister) List(selector labels.Selector) (ret []*v1alpha2.NetworkPolicy, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha2.NetworkPolicy)) + }) + return ret, err +} + +// Get retrieves the NetworkPolicy from the indexer for a given namespace and name. 
+func (s networkPolicyNamespaceLister) Get(name string) (*v1alpha2.NetworkPolicy, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha2.Resource("networkpolicy"), name) + } + return obj.(*v1alpha2.NetworkPolicy), nil +} diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy.go b/pkg/controller/networkpolicy/antreanetworkpolicy.go index eb0f4d5c54f..dcc02d4bb4b 100644 --- a/pkg/controller/networkpolicy/antreanetworkpolicy.go +++ b/pkg/controller/networkpolicy/antreanetworkpolicy.go @@ -21,6 +21,7 @@ import ( "antrea.io/antrea/pkg/apis/controlplane" crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2" antreatypes "antrea.io/antrea/pkg/controller/types" ) @@ -28,7 +29,7 @@ import ( // which can be consumed by agents to configure corresponding rules on the Nodes. func (n *NetworkPolicyController) addANP(obj interface{}) { defer n.heartbeat("addANP") - np := obj.(*crdv1alpha1.NetworkPolicy) + np := obj.(*crdv1alpha2.NetworkPolicy) klog.Infof("Processing Antrea NetworkPolicy %s/%s ADD event", np.Namespace, np.Name) // Create an internal NetworkPolicy object corresponding to this // NetworkPolicy and enqueue task to internal NetworkPolicy Workqueue. 
@@ -43,14 +44,14 @@ func (n *NetworkPolicyController) addANP(obj interface{}) { // which can be consumed by agents to configure corresponding rules on the Nodes. func (n *NetworkPolicyController) updateANP(old, cur interface{}) { defer n.heartbeat("updateANP") - curNP := cur.(*crdv1alpha1.NetworkPolicy) + curNP := cur.(*crdv1alpha2.NetworkPolicy) klog.Infof("Processing Antrea NetworkPolicy %s/%s UPDATE event", curNP.Namespace, curNP.Name) // Update an internal NetworkPolicy, corresponding to this NetworkPolicy and // enqueue task to internal NetworkPolicy Workqueue. curInternalNP := n.processAntreaNetworkPolicy(curNP) klog.V(2).Infof("Updating existing internal NetworkPolicy %s for %s", curInternalNP.Name, curInternalNP.SourceRef.ToString()) // Retrieve old crdv1alpha1.NetworkPolicy object. - oldNP := old.(*crdv1alpha1.NetworkPolicy) + oldNP := old.(*crdv1alpha2.NetworkPolicy) // Old and current NetworkPolicy share the same key. key := internalNetworkPolicyKeyFunc(oldNP) // Lock access to internal NetworkPolicy store such that concurrent access @@ -123,7 +124,7 @@ func (n *NetworkPolicyController) deleteANP(old interface{}) { // instance to the caller wherein, it will be either stored as a new Object // in case of ADD event or modified and store the updated instance, in case // of an UPDATE event. -func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *crdv1alpha1.NetworkPolicy) *antreatypes.NetworkPolicy { +func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *crdv1alpha2.NetworkPolicy) *antreatypes.NetworkPolicy { appliedToPerRule := len(np.Spec.AppliedTo) == 0 // appliedToGroupNames tracks all distinct appliedToGroups referred to by the Antrea NetworkPolicy, // either in the spec section or in ingress/egress rules. 
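Review bot: The comment `// Retrieve old crdv1alpha1.NetworkPolicy object.` in updateANP is now stale, since the cast directly below it was switched to `*crdv1alpha2.NetworkPolicy`; the parallel change in updateCNP did update its comment, so this one should read `// Retrieve old crdv1alpha2.NetworkPolicy object.` so the two controllers stay consistent. The unchecked `obj.(*crdv1alpha2.NetworkPolicy)` assertions in addANP and updateANP follow the pre-existing pattern, but with the informer type changing in this commit it is worth double-checking that every handler registration (outside this hunk) now uses the v1alpha2 informer, because a leftover v1alpha1 registration would panic the controller here rather than log. updateANP's body continues outside the hunk.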
@@ -138,7 +139,7 @@ func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *crdv1alpha1.Net // Compute NetworkPolicyRule for Ingress Rule. for idx, ingressRule := range np.Spec.Ingress { // Set default action to ALLOW to allow traffic. - services, namedPortExists := toAntreaServicesForCRD(ingressRule.Ports) + services, namedPortExists := toAntreaServicesForCRD(ingressRule.Protocols) var appliedToGroupNamesForRule []string // Create AppliedToGroup for each AppliedTo present in the ingress rule. for _, at := range ingressRule.AppliedTo { @@ -160,7 +161,7 @@ func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *crdv1alpha1.Net // Compute NetworkPolicyRule for Egress Rule. for idx, egressRule := range np.Spec.Egress { // Set default action to ALLOW to allow traffic. - services, namedPortExists := toAntreaServicesForCRD(egressRule.Ports) + services, namedPortExists := toAntreaServicesForCRD(egressRule.Protocols) var appliedToGroupNamesForRule []string // Create AppliedToGroup for each AppliedTo present in the ingress rule. for _, at := range egressRule.AppliedTo { diff --git a/pkg/controller/networkpolicy/clustergroup.go b/pkg/controller/networkpolicy/clustergroup.go index 1158f929544..b1de5b8f75f 100644 --- a/pkg/controller/networkpolicy/clustergroup.go +++ b/pkg/controller/networkpolicy/clustergroup.go @@ -25,7 +25,7 @@ import ( "k8s.io/klog/v2" "antrea.io/antrea/pkg/apis/controlplane" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2" crdv1alpha3 "antrea.io/antrea/pkg/apis/crd/v1alpha3" "antrea.io/antrea/pkg/controller/networkpolicy/store" antreatypes "antrea.io/antrea/pkg/controller/types" 
@@ -287,7 +287,7 @@ func (c *NetworkPolicyController) triggerCNPUpdates(cg string) { } for _, obj := range cnps { // ClusterGroup may be used by AppliedToGroup, enqueuing them after reprocessing CNP. - c.reprocessCNP(obj.(*crdv1alpha1.ClusterNetworkPolicy), true) + c.reprocessCNP(obj.(*crdv1alpha2.ClusterNetworkPolicy), true) } } diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go index 821cbb37dd1..7b1e0b3263e 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy.go @@ -24,6 +24,7 @@ import ( "antrea.io/antrea/pkg/apis/controlplane" crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2" "antrea.io/antrea/pkg/controller/grouping" "antrea.io/antrea/pkg/controller/networkpolicy/store" antreatypes "antrea.io/antrea/pkg/controller/types" @@ -34,7 +35,7 @@ import ( // which can be consumed by agents to configure corresponding rules on the Nodes. func (n *NetworkPolicyController) addCNP(obj interface{}) { defer n.heartbeat("addCNP") - cnp := obj.(*crdv1alpha1.ClusterNetworkPolicy) + cnp := obj.(*crdv1alpha2.ClusterNetworkPolicy) klog.Infof("Processing ClusterNetworkPolicy %s ADD event", cnp.Name) // Create an internal NetworkPolicy object corresponding to this // ClusterNetworkPolicy and enqueue task to internal NetworkPolicy Workqueue. 
@@ -49,14 +50,14 @@ func (n *NetworkPolicyController) addCNP(obj interface{}) { // which can be consumed by agents to configure corresponding rules on the Nodes. func (n *NetworkPolicyController) updateCNP(old, cur interface{}) { defer n.heartbeat("updateCNP") - curCNP := cur.(*crdv1alpha1.ClusterNetworkPolicy) + curCNP := cur.(*crdv1alpha2.ClusterNetworkPolicy) klog.Infof("Processing ClusterNetworkPolicy %s UPDATE event", curCNP.Name) // Update an internal NetworkPolicy, corresponding to this NetworkPolicy and // enqueue task to internal NetworkPolicy Workqueue. curInternalNP := n.processClusterNetworkPolicy(curCNP) klog.V(2).Infof("Updating existing internal NetworkPolicy %s for %s", curInternalNP.Name, curInternalNP.SourceRef.ToString()) - // Retrieve old crdv1alpha1.NetworkPolicy object. - oldCNP := old.(*crdv1alpha1.ClusterNetworkPolicy) + // Retrieve old crdv1alpha2.ClusterNetworkPolicy object. + oldCNP := old.(*crdv1alpha2.ClusterNetworkPolicy) // Old and current NetworkPolicy share the same key. key := internalNetworkPolicyKeyFunc(oldCNP) // Lock access to internal NetworkPolicy store such that concurrent access @@ -93,14 +94,14 @@ func (n *NetworkPolicyController) updateCNP(old, cur interface{}) { // deleteCNP receives ClusterNetworkPolicy DELETED events and deletes resources // which can be consumed by agents to delete corresponding rules on the Nodes. func (n *NetworkPolicyController) deleteCNP(old interface{}) { - cnp, ok := old.(*crdv1alpha1.ClusterNetworkPolicy) + cnp, ok := old.(*crdv1alpha2.ClusterNetworkPolicy) if !ok { tombstone, ok := old.(cache.DeletedFinalStateUnknown) if !ok { klog.Errorf("Error decoding object when deleting ClusterNetworkPolicy, invalid type: %v", old) return } - cnp, ok = tombstone.Obj.(*crdv1alpha1.ClusterNetworkPolicy) + cnp, ok = tombstone.Obj.(*crdv1alpha2.ClusterNetworkPolicy) if !ok { klog.Errorf("Error decoding object tombstone when deleting ClusterNetworkPolicy, invalid type: %v", tombstone.Obj) return 
@@ -129,7 +130,7 @@ func (n *NetworkPolicyController) deleteCNP(old interface{}) { // reprocessCNP is triggered when a CNP may be impacted by non-ClusterNetworkPolicy events, including Namespace events // (for per-namespace rules) and ClusterGroup events (for ClusterGroup reference). -func (n *NetworkPolicyController) reprocessCNP(cnp *crdv1alpha1.ClusterNetworkPolicy, enqueueAppliedToGroup bool) { +func (n *NetworkPolicyController) reprocessCNP(cnp *crdv1alpha2.ClusterNetworkPolicy, enqueueAppliedToGroup bool) { key := internalNetworkPolicyKeyFunc(cnp) n.internalNetworkPolicyMutex.Lock() oldInternalNPObj, exist, _ := n.internalNetworkPolicyStore.Get(key) @@ -256,12 +257,12 @@ func (n *NetworkPolicyController) deleteNamespace(old interface{}) { } // processClusterNetworkPolicy creates an internal NetworkPolicy instance -// corresponding to the crdv1alpha1.ClusterNetworkPolicy object. This method +// corresponding to the crdv1alpha2.ClusterNetworkPolicy object. This method // does not commit the internal NetworkPolicy in store, instead returns an // instance to the caller wherein, it will be either stored as a new Object // in case of ADD event or modified and store the updated instance, in case // of an UPDATE event. -func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1alpha1.ClusterNetworkPolicy) *antreatypes.NetworkPolicy { +func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1alpha2.ClusterNetworkPolicy) *antreatypes.NetworkPolicy { hasPerNamespaceRule := hasPerNamespaceRule(cnp) // If one of the ACNP rule is a per-namespace rule (a peer in that rule has namespaces.Match set // to Self), the policy will need to be converted to appliedTo per rule policy, as the appliedTo 
@@ -301,9 +302,9 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1alpha1.C } } var rules []controlplane.NetworkPolicyRule - processRules := func(cnpRules []crdv1alpha1.Rule, direction controlplane.Direction) { + processRules := func(cnpRules []crdv1alpha2.Rule, direction controlplane.Direction) { for idx, cnpRule := range cnpRules { - services, namedPortExists := toAntreaServicesForCRD(cnpRule.Ports) + services, namedPortExists := toAntreaServicesForCRD(cnpRule.Protocols) clusterPeers, perNSPeers := splitPeersByScope(cnpRule, direction) addRule := func(peer *controlplane.NetworkPolicyPeer, dir controlplane.Direction, ruleAppliedTos []string) { rule := controlplane.NetworkPolicyRule{ @@ -406,7 +407,7 @@ func serviceAccountNameToPodSelector(saName string) *metav1.LabelSelector { } // hasPerNamespaceRule returns true if there is at least one per-namespace rule -func hasPerNamespaceRule(cnp *crdv1alpha1.ClusterNetworkPolicy) bool { +func hasPerNamespaceRule(cnp *crdv1alpha2.ClusterNetworkPolicy) bool { for _, ingress := range cnp.Spec.Ingress { for _, peer := range ingress.From { if peer.Namespaces != nil && peer.Namespaces.Match == crdv1alpha1.NamespaceMatchSelf { @@ -447,7 +448,7 @@ func (n *NetworkPolicyController) processClusterAppliedTo(appliedTo []crdv1alpha // splitPeersByScope splits the ClusterNetworkPolicy peers in the rule by whether the peer // is cluster-scoped or per-namespace. -func splitPeersByScope(rule crdv1alpha1.Rule, dir controlplane.Direction) ([]crdv1alpha1.NetworkPolicyPeer, []crdv1alpha1.NetworkPolicyPeer) { +func splitPeersByScope(rule crdv1alpha2.Rule, dir controlplane.Direction) ([]crdv1alpha1.NetworkPolicyPeer, []crdv1alpha1.NetworkPolicyPeer) { var clusterPeers, perNSPeers []crdv1alpha1.NetworkPolicyPeer peers := rule.From if dir == controlplane.DirectionOut { diff --git a/pkg/controller/networkpolicy/convert.go b/pkg/controller/networkpolicy/convert.go index b1d960227d5..740708b9c98 100644 
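Review bot: splitPeersByScope now takes a `crdv1alpha2.Rule` but still returns `[]crdv1alpha1.NetworkPolicyPeer`, and hasPerNamespaceRule keeps comparing against `crdv1alpha1.NamespaceMatchSelf`; this only holds while the v1alpha2 Rule type reuses the v1alpha1 peer types, which is implied by the signature but not visible here. A short comment on splitPeersByScope, such as `// crdv1alpha2.Rule reuses the v1alpha1 peer types; revisit if peers are versioned separately.`, would keep the next schema bump from silently breaking per-namespace rule detection. processClusterNetworkPolicy and its processRules closure continue outside the hunk.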
--- a/pkg/controller/networkpolicy/convert.go +++ b/pkg/controller/networkpolicy/convert.go @@ -16,6 +16,7 @@ package networkpolicy import ( "fmt" + "strings" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" 
@@ -67,3 +68,128 @@ func ConvertClusterGroupCRD(Object *unstructured.Unstructured, toVersion string) Status: metav1.StatusSuccess, } } + +func translateV1A1NetworkPolicyPortToV1A2PeerProtocol(ports []interface{}) (protocols []interface{}) { + for _, eachPort := range ports { + mapPort := eachPort.(map[string]interface{}) + protocol, _, _ := unstructured.NestedString(mapPort, "protocol") + if protocol == "" { + protocol = "TCP" + } + + l4Protocol := make(map[string]interface{}) + port, found, err := unstructured.NestedFieldNoCopy(mapPort, "port") + if err == nil && found && port != nil { + unstructured.SetNestedField(l4Protocol, port, "port") + } + endPort, found, err := unstructured.NestedFieldNoCopy(mapPort, "endPort") + if err == nil && found && endPort != nil { + unstructured.SetNestedField(l4Protocol, endPort, "endPort") + } + + peerProtocol := make(map[string]interface{}, 1) + unstructured.SetNestedMap(peerProtocol, l4Protocol, strings.ToLower(protocol)) + protocols = append(protocols, peerProtocol) + } + return +} + +func convertV1A1RuleToV1A2Rule(rules []interface{}) { + for _, rule := range rules { + mapRule := rule.(map[string]interface{}) + ports, found, err := unstructured.NestedSlice(mapRule, "ports") + if err == nil && found && len(ports) > 0 { + protocols := translateV1A1NetworkPolicyPortToV1A2PeerProtocol(ports) + unstructured.RemoveNestedField(mapRule, "ports") + unstructured.SetNestedSlice(mapRule, protocols, "protocols") + } + } +} + +func ConvertClusterNetworkPolicyCRD(Object *unstructured.Unstructured, toVersion string) (*unstructured.Unstructured, metav1.Status) { + klog.V(2).Infof("Converting CRD for ClusterNetworkPolicy %s", Object.GetName()) + convertedObject := Object.DeepCopy() + fromVersion := Object.GetAPIVersion() + if toVersion == fromVersion { + return nil, statusErrorWithMessage("conversion from a version to itself should not call the webhook: %s", toVersion) + } + switch Object.GetAPIVersion() { + case "crd.antrea.io/v1alpha1": + 
switch toVersion { + case "crd.antrea.io/v1alpha2": + ingressRules, found, err := unstructured.NestedFieldNoCopy(convertedObject.Object, "spec", "ingress") + if err == nil && found { + if ingressRulesSlice, ok := ingressRules.([]interface{}); ok { + convertV1A1RuleToV1A2Rule(ingressRulesSlice) + } + } + egressRules, found, err := unstructured.NestedFieldNoCopy(convertedObject.Object, "spec", "egress") + if err == nil && found { + if egressRulesSlice, ok := egressRules.([]interface{}); ok { + convertV1A1RuleToV1A2Rule(egressRulesSlice) + } + } + default: + return nil, statusErrorWithMessage("unexpected conversion version %q", toVersion) + } + case "crd.antrea.io/v1alpha2": + switch toVersion { + case "crd.antrea.io/v1alpha1": + return convertedObject, metav1.Status{ + Status: metav1.StatusSuccess, + } + default: + return nil, statusErrorWithMessage("unexpected conversion version %q", toVersion) + } + default: + return nil, statusErrorWithMessage("unexpected conversion version %q", fromVersion) + } + return convertedObject, metav1.Status{ + Status: metav1.StatusSuccess, + } +} + +func ConvertNetworkPolicyCRD(Object *unstructured.Unstructured, toVersion string) (*unstructured.Unstructured, metav1.Status) { + klog.V(2).Infof("Converting CRD for NetworkPolicy %s", Object.GetName()) + convertedObject := Object.DeepCopy() + fromVersion := Object.GetAPIVersion() + if toVersion == fromVersion { + return nil, statusErrorWithMessage("conversion from a version to itself should not call the webhook: %s", toVersion) + } + switch Object.GetAPIVersion() { + case "crd.antrea.io/v1alpha1": + switch toVersion { + case "crd.antrea.io/v1alpha2": + ingressRules, found, err := unstructured.NestedSlice(convertedObject.Object, "spec", "ingress") + if err == nil && found && len(ingressRules) > 0 { + convertV1A1RuleToV1A2Rule(ingressRules) + } + egressRules, found, err := unstructured.NestedSlice(convertedObject.Object, "spec", "egress") + if err == nil && found && len(egressRules) > 0 { + 
convertV1A1RuleToV1A2Rule(egressRules) + } + default: + return nil, statusErrorWithMessage("unexpected conversion version %q", toVersion) + } + case "crd.antrea.io/v1alpha2": + switch toVersion { + case "crd.antrea.io/v1alpha1": + return convertedObject, metav1.Status{ + Status: metav1.StatusSuccess, + } + default: + return nil, statusErrorWithMessage("unexpected conversion version %q", toVersion) + } + default: + return nil, statusErrorWithMessage("unexpected conversion version %q", fromVersion) + } + return convertedObject, metav1.Status{ + Status: metav1.StatusSuccess, + } +} + +func ConvertExternalEntityCRD(Object *unstructured.Unstructured, toVersion string) (*unstructured.Unstructured, metav1.Status) { + return nil, metav1.Status{ + Status: metav1.StatusFailure, + } +} diff --git a/pkg/controller/networkpolicy/crd_utils.go b/pkg/controller/networkpolicy/crd_utils.go index c0bb6797898..4480dcc2c9d 100644 --- a/pkg/controller/networkpolicy/crd_utils.go +++ b/pkg/controller/networkpolicy/crd_utils.go @@ -23,6 +23,7 @@ import ( "antrea.io/antrea/pkg/apis/controlplane" "antrea.io/antrea/pkg/apis/crd/v1alpha1" + "antrea.io/antrea/pkg/apis/crd/v1alpha2" "antrea.io/antrea/pkg/controller/networkpolicy/store" antreatypes "antrea.io/antrea/pkg/controller/types" ) 
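Review bot: In ConvertNetworkPolicyCRD the v1alpha1→v1alpha2 branch reads the rules with `unstructured.NestedSlice`, which returns a deep copy, so `convertV1A1RuleToV1A2Rule` rewrites the copy and `convertedObject` is returned with its `ports` untouched and no `protocols`, whereas ConvertClusterNetworkPolicyCRD uses `NestedFieldNoCopy` and mutates in place. If the v1alpha2 schema prunes the unknown `ports` field, a converted Antrea NetworkPolicy rule ends up with no port/protocol restriction at all, which widens what the rule matches instead of failing loudly. Both paths also rely on unchecked `.(map[string]interface{})` assertions in translateV1A1NetworkPolicyPortToV1A2PeerProtocol and convertV1A1RuleToV1A2Rule and discard the errors from SetNestedField/SetNestedMap/SetNestedSlice, so a malformed stored object would panic the webhook handler rather than produce a conversion failure status. The v1alpha2→v1alpha1 direction returns the object unchanged, silently dropping `protocols` for any v1alpha1 reader; if that lossy downgrade is intended it deserves a comment, otherwise translate TCP/UDP/SCTP back into `ports` and return a failure status for ICMP. A shared in-place helper that propagates errors addresses the first two points for both kinds:
```go
// convertV1A1RulesInPlace rewrites spec.<field> ("ingress" or "egress") of a
// v1alpha1 policy into the v1alpha2 shape, mutating obj in place. Malformed
// input yields an error instead of a panic.
func convertV1A1RulesInPlace(obj map[string]interface{}, field string) error {
	rules, found, err := unstructured.NestedFieldNoCopy(obj, "spec", field)
	if err != nil || !found {
		return err
	}
	ruleSlice, ok := rules.([]interface{})
	if !ok {
		return fmt.Errorf("spec.%s is not a list", field)
	}
	for _, rule := range ruleSlice {
		mapRule, ok := rule.(map[string]interface{})
		if !ok {
			return fmt.Errorf("spec.%s entry is not an object", field)
		}
		ports, found, err := unstructured.NestedSlice(mapRule, "ports")
		if err != nil {
			return err
		}
		if !found || len(ports) == 0 {
			continue
		}
		// translateV1A1NetworkPolicyPortToV1A2PeerProtocol should likewise
		// return an error for a non-object port entry instead of asserting.
		protocols, err := translateV1A1NetworkPolicyPortToV1A2PeerProtocol(ports)
		if err != nil {
			return err
		}
		unstructured.RemoveNestedField(mapRule, "ports")
		if err := unstructured.SetNestedSlice(mapRule, protocols, "protocols"); err != nil {
			return err
		}
	}
	return nil
}

// … in both ConvertNetworkPolicyCRD and ConvertClusterNetworkPolicyCRD, case "crd.antrea.io/v1alpha2":
for _, field := range []string{"ingress", "egress"} {
	if err := convertV1A1RulesInPlace(convertedObject.Object, field); err != nil {
		return nil, statusErrorWithMessage("converting spec.%s: %v", field, err)
	}
}
// … unchanged: v1alpha2 -> v1alpha1 branch and default cases …
```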
@@ -38,19 +39,44 @@ var (
 // toAntreaServicesForCRD converts a slice of v1alpha1.NetworkPolicyPort
 // objects to a slice of Antrea Service objects. A bool is returned along with
 // the Service objects to indicate whether any named port exists.
-func toAntreaServicesForCRD(npPorts []v1alpha1.NetworkPolicyPort) ([]controlplane.Service, bool) {
+func toAntreaServicesForCRD(npProtocols []v1alpha2.PeerProtocol) ([]controlplane.Service, bool) {
 var antreaServices []controlplane.Service
 var namedPortExists bool
- for _, npPort := range npPorts {
- if npPort.Port != nil && npPort.Port.Type == intstr.String {
- namedPortExists = true
+ klog.Infof("npprotocol: %v", npProtocols)
+ for _, npProtocol := range npProtocols {
+ var l4Protocol *v1alpha2.L4Protocol
+ var curProtocol controlplane.Protocol
+ if npProtocol.TCP != nil {
+ curProtocol = controlplane.ProtocolTCP
+ l4Protocol = npProtocol.TCP
+ } else if npProtocol.UDP != nil {
+ curProtocol = controlplane.ProtocolUDP
+ l4Protocol = npProtocol.UDP
+ } else if npProtocol.SCTP != nil {
+ curProtocol = controlplane.ProtocolSCTP
+ l4Protocol = npProtocol.SCTP
+ }
+ if l4Protocol != nil {
+ if l4Protocol.Port != nil && l4Protocol.Port.Type == intstr.String {
+ namedPortExists = true
+ }
+ antreaServices = append(antreaServices, controlplane.Service{
+ Protocol: &curProtocol,
+ Port: l4Protocol.Port,
+ EndPort: l4Protocol.EndPort,
+ })
+ continue
+ }
+ if npProtocol.ICMP != nil {
+ curProtocol = controlplane.ProtocolICMP
+ antreaServices = append(antreaServices, controlplane.Service{
+ Protocol: &curProtocol,
+ ICMPType: npProtocol.ICMP.ICMPType,
+ ICMPCode: npProtocol.ICMP.ICMPCode,
+ })
 }
- antreaServices = append(antreaServices, controlplane.Service{
- Protocol: toAntreaProtocol(npPort.Protocol),
- Port: npPort.Port,
- EndPort: npPort.EndPort,
- })
 }
+ klog.Infof("antrea service: %s", antreaServices)
 return antreaServices, namedPortExists
 }
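Review bot: The two `klog.Infof` calls added before the loop and after it log every policy's full protocol list and the resulting services at verbosity 0, and `%s` applied to `[]controlplane.Service` is a format-verb mismatch that `go vet` flags; drop them or use `klog.V(2).Infof("... %v", ...)`. A `PeerProtocol` with none of `TCP`/`UDP`/`SCTP`/`ICMP` set is silently skipped, so if the caller treats an empty service list as "all traffic" (not visible here) a malformed entry would widen the rule instead of failing — that case belongs in the admission validator. The doc comment above the signature still refers to `v1alpha1.NetworkPolicyPort`; it should read `// toAntreaServicesForCRD converts a slice of v1alpha2.PeerProtocol`.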
diff --git a/pkg/controller/networkpolicy/mutate.go b/pkg/controller/networkpolicy/mutate.go index 7727dab5fd0..1dade4367e5 100644 --- a/pkg/controller/networkpolicy/mutate.go +++ b/pkg/controller/networkpolicy/mutate.go @@ -25,7 +25,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/klog/v2" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2" ) type NetworkPolicyMutator struct { @@ -54,7 +54,7 @@ func (m *NetworkPolicyMutator) Mutate(ar *admv1.AdmissionReview) *admv1.Admissio switch ar.Request.Kind.Kind { case "ClusterNetworkPolicy": klog.V(2).Info("Mutating Antrea ClusterNetworkPolicy CRD") - var curACNP, oldACNP crdv1alpha1.ClusterNetworkPolicy + var curACNP, oldACNP crdv1alpha2.ClusterNetworkPolicy if curRaw != nil { if err := json.Unmarshal(curRaw, &curACNP); err != nil { klog.Errorf("Error de-serializing current Antrea ClusterNetworkPolicy") @@ -70,7 +70,7 @@ func (m *NetworkPolicyMutator) Mutate(ar *admv1.AdmissionReview) *admv1.Admissio msg, allowed, patch = m.mutateAntreaPolicy(op, curACNP.Spec.Ingress, curACNP.Spec.Egress, curACNP.Spec.Tier) case "NetworkPolicy": klog.V(2).Info("Mutating Antrea NetworkPolicy CRD") - var curANP, oldANP crdv1alpha1.NetworkPolicy + var curANP, oldANP crdv1alpha2.NetworkPolicy if curRaw != nil { if err := json.Unmarshal(curRaw, &curANP); err != nil { klog.Errorf("Error de-serializing current Antrea NetworkPolicy") 
@@ -108,7 +108,7 @@ func (m *NetworkPolicyMutator) Mutate(ar *admv1.AdmissionReview) *admv1.Admissio // mutateAntreaPolicy will auto-generate a name for this rule. In // addition to the rule names, it also mutates the Tier field to the default // tier name if it is unset. -func (m *NetworkPolicyMutator) mutateAntreaPolicy(op admv1.Operation, ingress, egress []crdv1alpha1.Rule, tier string) (string, bool, []byte) { +func (m *NetworkPolicyMutator) mutateAntreaPolicy(op admv1.Operation, ingress, egress []crdv1alpha2.Rule, tier string) (string, bool, []byte) { allowed := true reason := "" var patch []byte @@ -140,7 +140,7 @@ func (m *NetworkPolicyMutator) mutateAntreaPolicy(op admv1.Operation, ingress, e } // generateRuleNames generates unique rule names and returns a list of json paths and the corresponding list of generated names -func generateRuleNames(prefix string, rules []crdv1alpha1.Rule) ([]string, []string) { +func generateRuleNames(prefix string, rules []crdv1alpha2.Rule) ([]string, []string) { var paths []string var values []string for idx, rule := range rules { @@ -191,7 +191,7 @@ func createReplacePatch(paths []string, values []string) ([]byte, error) { const ruleNameSuffixLen = 7 // hashRule calculates a string based on the rule's content. -func hashRule(r crdv1alpha1.Rule) string { +func hashRule(r crdv1alpha2.Rule) string { hash := sha1.New() // #nosec G401: not used for security purposes b, _ := json.Marshal(r) hash.Write(b) diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go index 2fc02356026..c860021c730 100644 --- a/pkg/controller/networkpolicy/networkpolicy_controller.go +++ b/pkg/controller/networkpolicy/networkpolicy_controller.go 
@@ -49,8 +49,10 @@ import ( "antrea.io/antrea/pkg/apiserver/storage" "antrea.io/antrea/pkg/client/clientset/versioned" secinformers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1alpha1" + crdv1a2informers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1alpha2" crdv1a3informers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1alpha3" seclisters "antrea.io/antrea/pkg/client/listers/crd/v1alpha1" + crdv1a2listers "antrea.io/antrea/pkg/client/listers/crd/v1alpha2" crdv1a3listers "antrea.io/antrea/pkg/client/listers/crd/v1alpha3" "antrea.io/antrea/pkg/controller/grouping" "antrea.io/antrea/pkg/controller/metrics" @@ -144,17 +146,17 @@ type NetworkPolicyController struct { // networkPolicyListerSynced is a function which returns true if the Network Policy shared informer has been synced at least once. networkPolicyListerSynced cache.InformerSynced - cnpInformer secinformers.ClusterNetworkPolicyInformer + cnpInformer crdv1a2informers.ClusterNetworkPolicyInformer // cnpLister is able to list/get AntreaClusterNetworkPolicies and is populated by the shared informer passed to // NewClusterNetworkPolicyController. - cnpLister seclisters.ClusterNetworkPolicyLister + cnpLister crdv1a2listers.ClusterNetworkPolicyLister // cnpListerSynced is a function which returns true if the AntreaClusterNetworkPolicies shared informer has been synced at least once. cnpListerSynced cache.InformerSynced - anpInformer secinformers.NetworkPolicyInformer + anpInformer crdv1a2informers.NetworkPolicyInformer // anpLister is able to list/get AntreaNetworkPolicies and is populated by the shared informer passed to // NewNetworkPolicyController. - anpLister seclisters.NetworkPolicyLister + anpLister crdv1a2listers.NetworkPolicyLister // anpListerSynced is a function which returns true if the AntreaNetworkPolicies shared informer has been synced at least once. anpListerSynced cache.InformerSynced 
@@ -225,14 +227,14 @@ var tierIndexers = cache.Indexers{ var cnpIndexers = cache.Indexers{ TierIndex: func(obj interface{}) ([]string, error) { - cnp, ok := obj.(*secv1alpha1.ClusterNetworkPolicy) + cnp, ok := obj.(*v1alpha2.ClusterNetworkPolicy) if !ok { return []string{}, nil } return []string{cnp.Spec.Tier}, nil }, ClusterGroupIndex: func(obj interface{}) ([]string, error) { - cnp, ok := obj.(*secv1alpha1.ClusterNetworkPolicy) + cnp, ok := obj.(*v1alpha2.ClusterNetworkPolicy) if !ok { return []string{}, nil } @@ -245,7 +247,7 @@ var cnpIndexers = cache.Indexers{ if len(cnp.Spec.Ingress) == 0 && len(cnp.Spec.Egress) == 0 { return groupNames.List(), nil } - appendGroups := func(rule secv1alpha1.Rule) { + appendGroups := func(rule v1alpha2.Rule) { for _, peer := range rule.To { if peer.Group != "" { groupNames.Insert(peer.Group) @@ -289,8 +291,8 @@ func NewNetworkPolicyController(kubeClient clientset.Interface, namespaceInformer coreinformers.NamespaceInformer, serviceInformer coreinformers.ServiceInformer, networkPolicyInformer networkinginformers.NetworkPolicyInformer, - cnpInformer secinformers.ClusterNetworkPolicyInformer, - anpInformer secinformers.NetworkPolicyInformer, + cnpInformer crdv1a2informers.ClusterNetworkPolicyInformer, + anpInformer crdv1a2informers.NetworkPolicyInformer, tierInformer secinformers.TierInformer, cgInformer crdv1a3informers.ClusterGroupInformer, addressGroupStore storage.Interface, diff --git a/pkg/controller/networkpolicy/status_controller.go b/pkg/controller/networkpolicy/status_controller.go index cb9fec00045..429a7612866 100644 --- a/pkg/controller/networkpolicy/status_controller.go +++ b/pkg/controller/networkpolicy/status_controller.go 
@@ -32,10 +32,12 @@ import ( "antrea.io/antrea/pkg/apis/controlplane" crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2" "antrea.io/antrea/pkg/apiserver/storage" antreaclientset "antrea.io/antrea/pkg/client/clientset/versioned" - crdinformers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1alpha1" + crdv1a2informers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1alpha2" crdlisters "antrea.io/antrea/pkg/client/listers/crd/v1alpha1" + crdv1a2listers "antrea.io/antrea/pkg/client/listers/crd/v1alpha2" "antrea.io/antrea/pkg/controller/metrics" antreatypes "antrea.io/antrea/pkg/controller/types" ) @@ -73,7 +75,7 @@ type StatusController struct { anpListerSynced cache.InformerSynced } -func NewStatusController(antreaClient antreaclientset.Interface, internalNetworkPolicyStore storage.Interface, cnpInformer crdinformers.ClusterNetworkPolicyInformer, anpInformer crdinformers.NetworkPolicyInformer) *StatusController { +func NewStatusController(antreaClient antreaclientset.Interface, internalNetworkPolicyStore storage.Interface, cnpInformer crdv1a2informers.ClusterNetworkPolicyInformer, anpInformer crdv1a2informers.NetworkPolicyInformer) *StatusController { c := &StatusController{ npControlInterface: &networkPolicyControl{ antreaClient: antreaClient, @@ -109,8 +111,8 @@ func NewStatusController(antreaClient antreaclientset.Interface, internalNetwork } func (c *StatusController) updateCNP(old, cur interface{}) { - curCNP := cur.(*crdv1alpha1.ClusterNetworkPolicy) - oldCNP := old.(*crdv1alpha1.ClusterNetworkPolicy) + curCNP := cur.(*crdv1alpha2.ClusterNetworkPolicy) + oldCNP := old.(*crdv1alpha2.ClusterNetworkPolicy) if oldCNP.Status == curCNP.Status { return } 
@@ -119,8 +121,8 @@ func (c *StatusController) updateCNP(old, cur interface{}) { } func (c *StatusController) updateANP(old, cur interface{}) { - curANP := cur.(*crdv1alpha1.NetworkPolicy) - oldANP := old.(*crdv1alpha1.NetworkPolicy) + curANP := cur.(*crdv1alpha2.NetworkPolicy) + oldANP := old.(*crdv1alpha2.NetworkPolicy) if oldANP.Status == curANP.Status { return } @@ -271,7 +273,7 @@ func (c *StatusController) syncHandler(key string) error { // It means the NetworkPolicy hasn't been processed once. Set it to Pending to differentiate from NetworkPolicies // that spans 0 Node. if internalNP.SpanMeta.NodeNames == nil { - status := &crdv1alpha1.NetworkPolicyStatus{ + status := &crdv1alpha2.NetworkPolicyStatus{ Phase: crdv1alpha1.NetworkPolicyPending, ObservedGeneration: internalNP.Generation, } @@ -299,7 +301,7 @@ func (c *StatusController) syncHandler(key string) error { phase = crdv1alpha1.NetworkPolicyRealized } - status := &crdv1alpha1.NetworkPolicyStatus{ + status := &crdv1alpha2.NetworkPolicyStatus{ Phase: phase, ObservedGeneration: internalNP.Generation, CurrentNodesRealized: int32(currentNodes), 
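Review bot: The status literal in `@@ -271,7 +273,7 @@` is now a `crdv1alpha2.NetworkPolicyStatus`, but `Phase` is still filled from `crdv1alpha1.NetworkPolicyPending` (and `crdv1alpha1.NetworkPolicyRealized` in the following hunk). If v1alpha2 declares its own phase type this will not compile; if it reuses the v1alpha1 constants it compiles but leaves the v1alpha2 status coupled to the older package. Prefer the v1alpha2 constant where one exists, `Phase: crdv1alpha2.NetworkPolicyPending,`, otherwise add a comment stating that the phase constants are shared between the two versions. `syncHandler` continues outside both hunks.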
@@ -315,17 +317,17 @@ func (c *StatusController) syncHandler(key string) error { // networkPolicyControlInterface is an interface that knows how to update Antrea NetworkPolicy status. // It's created as an interface to allow testing. type networkPolicyControlInterface interface { - UpdateAntreaNetworkPolicyStatus(namespace, name string, status *crdv1alpha1.NetworkPolicyStatus) error - UpdateAntreaClusterNetworkPolicyStatus(name string, status *crdv1alpha1.NetworkPolicyStatus) error + UpdateAntreaNetworkPolicyStatus(namespace, name string, status *crdv1alpha2.NetworkPolicyStatus) error + UpdateAntreaClusterNetworkPolicyStatus(name string, status *crdv1alpha2.NetworkPolicyStatus) error } type networkPolicyControl struct { antreaClient antreaclientset.Interface - cnpLister crdlisters.ClusterNetworkPolicyLister - anpLister crdlisters.NetworkPolicyLister + cnpLister crdv1a2listers.ClusterNetworkPolicyLister + anpLister crdv1a2listers.NetworkPolicyLister } -func (c *networkPolicyControl) UpdateAntreaNetworkPolicyStatus(namespace, name string, status *crdv1alpha1.NetworkPolicyStatus) error { +func (c *networkPolicyControl) UpdateAntreaNetworkPolicyStatus(namespace, name string, status *crdv1alpha2.NetworkPolicyStatus) error { anp, err := c.anpLister.NetworkPolicies(namespace).Get(name) if err != nil { klog.Infof("Didn't find the original Antrea NetworkPolicy %s/%s, skip updating status", namespace, name) 
@@ -341,9 +343,9 @@ func (c *networkPolicyControl) UpdateAntreaNetworkPolicyStatus(namespace, name s if err := retry.RetryOnConflict(retry.DefaultRetry, func() error { toUpdate.Status = *status klog.V(2).InfoS("Updating Antrea NetworkPolicy", "NetworkPolicy", klog.KObj(toUpdate)) - _, updateErr := c.antreaClient.CrdV1alpha1().NetworkPolicies(namespace).UpdateStatus(context.TODO(), toUpdate, v1.UpdateOptions{}) + _, updateErr := c.antreaClient.CrdV1alpha2().NetworkPolicies(namespace).UpdateStatus(context.TODO(), toUpdate, v1.UpdateOptions{}) if updateErr != nil && errors.IsConflict(updateErr) { - if toUpdate, getErr = c.antreaClient.CrdV1alpha1().NetworkPolicies(namespace).Get(context.TODO(), name, v1.GetOptions{}); getErr != nil { + if toUpdate, getErr = c.antreaClient.CrdV1alpha2().NetworkPolicies(namespace).Get(context.TODO(), name, v1.GetOptions{}); getErr != nil { return getErr } } @@ -357,7 +359,7 @@ func (c *networkPolicyControl) UpdateAntreaNetworkPolicyStatus(namespace, name s return updateErr } -func (c *networkPolicyControl) UpdateAntreaClusterNetworkPolicyStatus(name string, status *crdv1alpha1.NetworkPolicyStatus) error { +func (c *networkPolicyControl) UpdateAntreaClusterNetworkPolicyStatus(name string, status *crdv1alpha2.NetworkPolicyStatus) error { cnp, err := c.cnpLister.Get(name) if err != nil { klog.Infof("Didn't find the original Antrea ClusterNetworkPolicy %s, skip updating status", name) 
@@ -374,9 +376,9 @@ func (c *networkPolicyControl) UpdateAntreaClusterNetworkPolicyStatus(name strin if err := retry.RetryOnConflict(retry.DefaultRetry, func() error { toUpdate.Status = *status klog.V(2).InfoS("Updating Antrea ClusterNetworkPolicy", "ClusterNetworkPolicy", klog.KObj(toUpdate)) - _, updateErr := c.antreaClient.CrdV1alpha1().ClusterNetworkPolicies().UpdateStatus(context.TODO(), toUpdate, v1.UpdateOptions{}) + _, updateErr := c.antreaClient.CrdV1alpha2().ClusterNetworkPolicies().UpdateStatus(context.TODO(), toUpdate, v1.UpdateOptions{}) if updateErr != nil && errors.IsConflict(updateErr) { - if toUpdate, getErr = c.antreaClient.CrdV1alpha1().ClusterNetworkPolicies().Get(context.TODO(), name, v1.GetOptions{}); getErr != nil { + if toUpdate, getErr = c.antreaClient.CrdV1alpha2().ClusterNetworkPolicies().Get(context.TODO(), name, v1.GetOptions{}); getErr != nil { return getErr } } diff --git a/pkg/controller/networkpolicy/validate.go b/pkg/controller/networkpolicy/validate.go index 2188bf7d8a8..ef96ac89efa 100644 --- a/pkg/controller/networkpolicy/validate.go +++ b/pkg/controller/networkpolicy/validate.go @@ -17,6 +17,7 @@ package networkpolicy import ( "encoding/json" "fmt" + "k8s.io/apimachinery/pkg/util/intstr" "reflect" "regexp" "strconv" @@ -25,7 +26,6 @@ import ( admv1 "k8s.io/api/admission/v1" authenticationv1 "k8s.io/api/authentication/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation" "k8s.io/apiserver/pkg/authentication/serviceaccount" 
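Review bot: In the first validate.go hunk `"k8s.io/apimachinery/pkg/util/intstr"` is moved out of the third-party import group and into the standard-library group, which `goimports` will undo on the next format pass. The import is still used (see `intstr.String` in `validateProtocol`), so neither hunk is needed; keep the original placement and drop both import hunks.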
@@ -187,7 +187,7 @@ func (v *NetworkPolicyValidator) Validate(ar *admv1.AdmissionReview) *admv1.Admi msg, allowed = v.validateAntreaGroup(&curCG, &oldCG, op, ui) case "ClusterNetworkPolicy": klog.V(2).Info("Validating Antrea ClusterNetworkPolicy CRD") - var curCNP, oldCNP crdv1alpha1.ClusterNetworkPolicy + var curCNP, oldCNP crdv1alpha2.ClusterNetworkPolicy if curRaw != nil { if err := json.Unmarshal(curRaw, &curCNP); err != nil { klog.Errorf("Error de-serializing current Antrea ClusterNetworkPolicy") @@ -203,7 +203,7 @@ func (v *NetworkPolicyValidator) Validate(ar *admv1.AdmissionReview) *admv1.Admi msg, allowed = v.validateAntreaPolicy(&curCNP, &oldCNP, op, ui) case "NetworkPolicy": klog.V(2).Info("Validating Antrea NetworkPolicy CRD") - var curANP, oldANP crdv1alpha1.NetworkPolicy + var curANP, oldANP crdv1alpha2.NetworkPolicy if curRaw != nil { if err := json.Unmarshal(curRaw, &curANP); err != nil { klog.Errorf("Error de-serializing current Antrea NetworkPolicy") 
@@ -261,21 +261,29 @@ func (v *NetworkPolicyValidator) validateAntreaPolicy(curObj, oldObj interface{}
 return reason, allowed
 }
-// validatePort validates if ports is valid
-func (v *antreaPolicyValidator) validatePort(ingress, egress []crdv1alpha1.Rule) error {
- isValid := func(rules []crdv1alpha1.Rule) error {
+// validateProtocol validates if field `protocols` is valid
+func (v *antreaPolicyValidator) validateProtocol(ingress, egress []crdv1alpha2.Rule) error {
+ isValid := func(rules []crdv1alpha2.Rule) error {
 for _, rule := range rules {
- for _, port := range rule.Ports {
- if port.EndPort == nil {
+ for _, protocol := range rule.Protocols {
+ var l4Protocol *crdv1alpha2.L4Protocol
+ if protocol.TCP != nil {
+ l4Protocol = protocol.TCP
+ } else if protocol.UDP != nil {
+ l4Protocol = protocol.UDP
+ } else if protocol.SCTP != nil {
+ l4Protocol = protocol.SCTP
+ }
+ if l4Protocol == nil || l4Protocol.EndPort == nil {
 continue
 }
- if port.Port == nil {
+ if l4Protocol.Port == nil {
 return fmt.Errorf("if `endPort` is specified `port` must be specified")
 }
- if port.Port.Type == intstr.String {
+ if l4Protocol.Port.Type == intstr.String {
 return fmt.Errorf("if `port` is a string `endPort` cannot be specified")
 }
- if *port.EndPort < port.Port.IntVal {
+ if *l4Protocol.EndPort < l4Protocol.Port.IntVal {
 return fmt.Errorf("`endPort` should be greater than or equal to `port`")
 }
 }
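Review bot: `validateProtocol` takes the first of `TCP`/`UDP`/`SCTP` that is set and never checks that the entry is well-formed, so a `protocols` item with two transports set, or with none of the four fields set, passes admission and is then interpreted by the controller's first-match order rather than rejected. This function is the admission gate for the CRD, so count the populated fields and reject anything other than exactly one; the existing `endPort` checks then apply to the single selected `l4Protocol`. `validateProtocol` is called from `createValidate` and `updateValidate`, both outside this hunk.
```go
			for _, protocol := range rule.Protocols {
				var l4Protocol *crdv1alpha2.L4Protocol
				set := 0
				if protocol.TCP != nil {
					set++
					l4Protocol = protocol.TCP
				}
				if protocol.UDP != nil {
					set++
					l4Protocol = protocol.UDP
				}
				if protocol.SCTP != nil {
					set++
					l4Protocol = protocol.SCTP
				}
				if protocol.ICMP != nil {
					set++
				}
				if set != 1 {
					return fmt.Errorf("exactly one of TCP, UDP, SCTP or ICMP must be set in each `protocols` entry")
				}
				// … unchanged: endPort/port checks on l4Protocol …
```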
@@ -379,17 +387,17 @@ func GetAdmissionResponseForErr(err error) *admv1.AdmissionResponse { // createValidate validates the CREATE events of Antrea-native policies, func (v *antreaPolicyValidator) createValidate(curObj interface{}, userInfo authenticationv1.UserInfo) (string, bool) { var tier string - var ingress, egress []crdv1alpha1.Rule + var ingress, egress []crdv1alpha2.Rule var specAppliedTo []crdv1alpha1.NetworkPolicyPeer switch curObj.(type) { - case *crdv1alpha1.ClusterNetworkPolicy: - curCNP := curObj.(*crdv1alpha1.ClusterNetworkPolicy) + case *crdv1alpha2.ClusterNetworkPolicy: + curCNP := curObj.(*crdv1alpha2.ClusterNetworkPolicy) tier = curCNP.Spec.Tier ingress = curCNP.Spec.Ingress egress = curCNP.Spec.Egress specAppliedTo = curCNP.Spec.AppliedTo - case *crdv1alpha1.NetworkPolicy: - curANP := curObj.(*crdv1alpha1.NetworkPolicy) + case *crdv1alpha2.NetworkPolicy: + curANP := curObj.(*crdv1alpha2.NetworkPolicy) tier = curANP.Spec.Tier ingress = curANP.Spec.Ingress egress = curANP.Spec.Egress @@ -419,16 +427,16 @@ func (v *antreaPolicyValidator) createValidate(curObj interface{}, userInfo auth return reason, allowed } - if err := v.validatePort(ingress, egress); err != nil { + if err := v.validateProtocol(ingress, egress); err != nil { return err.Error(), false } return "", true } // validateRuleName validates if the name of each rule is unique within a policy -func (v *antreaPolicyValidator) validateRuleName(ingress, egress []crdv1alpha1.Rule) bool { +func (v *antreaPolicyValidator) validateRuleName(ingress, egress []crdv1alpha2.Rule) bool { uniqueRuleName := sets.NewString() - isUnique := func(rules []crdv1alpha1.Rule) bool { + isUnique := func(rules []crdv1alpha2.Rule) bool { for _, rule := range rules { if uniqueRuleName.Has(rule.Name) { return false 
@@ -440,9 +448,9 @@ func (v *antreaPolicyValidator) validateRuleName(ingress, egress []crdv1alpha1.R return isUnique(ingress) && isUnique(egress) } -func (v *antreaPolicyValidator) validateAppliedTo(ingress, egress []crdv1alpha1.Rule, specAppliedTo []crdv1alpha1.NetworkPolicyPeer) (string, bool) { +func (v *antreaPolicyValidator) validateAppliedTo(ingress, egress []crdv1alpha2.Rule, specAppliedTo []crdv1alpha1.NetworkPolicyPeer) (string, bool) { appliedToInSpec := len(specAppliedTo) != 0 - countAppliedToInRules := func(rules []crdv1alpha1.Rule) int { + countAppliedToInRules := func(rules []crdv1alpha2.Rule) int { num := 0 for _, rule := range rules { if len(rule.AppliedTo) != 0 { @@ -502,7 +510,7 @@ func (v *antreaPolicyValidator) validateAppliedTo(ingress, egress []crdv1alpha1. // validatePeers ensures that the NetworkPolicyPeer object set in rules are valid, i.e. // currently it ensures that a Group cannot be set with other stand-alone selectors or IPBlock. -func (v *antreaPolicyValidator) validatePeers(ingress, egress []crdv1alpha1.Rule) (string, bool) { +func (v *antreaPolicyValidator) validatePeers(ingress, egress []crdv1alpha2.Rule) (string, bool) { checkPeers := func(peers []crdv1alpha1.NetworkPolicyPeer) (string, bool) { for _, peer := range peers { if peer.NamespaceSelector != nil && peer.Namespaces != nil { @@ -532,8 +540,8 @@ func (v *antreaPolicyValidator) validatePeers(ingress, egress []crdv1alpha1.Rule if !features.DefaultFeatureGate.Enabled(features.AntreaProxy) { return fmt.Sprintf("`toServices` can only be used when AntreaProxy is enabled"), false } - if (rule.To != nil && len(rule.To) > 0) || rule.Ports != nil { - return fmt.Sprintf("`toServices` can't be used with `to` or `ports`"), false + if (rule.To != nil && len(rule.To) > 0) || rule.Protocols != nil { + return fmt.Sprintf("`toServices` can't be used with `to` or `protocols`"), false } } msg, isValid := checkPeers(rule.To) 
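Review bot: The `toServices` conflict check in `@@ -532,8 +540,8 @@` tests `rule.Protocols != nil`, so an explicitly empty `protocols: []` (which encoding/json decodes as a non-nil, zero-length slice) is rejected while an omitted field is accepted, and it is inconsistent with the length test used for `rule.To` on the same line. Use one length test for both: `if len(rule.To) > 0 || len(rule.Protocols) > 0 {`. `validatePeers` continues outside this hunk.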
@@ -545,7 +553,7 @@ func (v *antreaPolicyValidator) validatePeers(ingress, egress []crdv1alpha1.Rule
 }
 // numFieldsSetInPeer returns the number of fields in use of a peer.
-func numFieldsSetInPeer(peer crdv1alpha1.NetworkPolicyPeer) int {
+func numFieldsSetInPeer(peer interface{}) int {
 num := 0
 v := reflect.ValueOf(peer)
 for i := 0; i < v.NumField(); i++ {
@@ -596,7 +604,7 @@ func (v *antreaPolicyValidator) validateTierForPolicy(tier string) (string, bool
 }
 // validateTierForPassAction validates that rules with pass action are not created in the Baseline Tier.
-func (v *antreaPolicyValidator) validateTierForPassAction(tier string, ingress, egress []crdv1alpha1.Rule) (string, bool) {
+func (v *antreaPolicyValidator) validateTierForPassAction(tier string, ingress, egress []crdv1alpha2.Rule) (string, bool) {
 if strings.ToLower(tier) != baselineTierName {
 return "", true
 }
@@ -614,7 +622,7 @@ func (v *antreaPolicyValidator) validateTierForPassAction(tier string, ingress,
 }
 // validateFQDNSelectors validates the toFQDN field set in Antrea-native policy egress rules are valid.
-func (v *antreaPolicyValidator) validateFQDNSelectors(egressRules []crdv1alpha1.Rule) (string, bool) {
+func (v *antreaPolicyValidator) validateFQDNSelectors(egressRules []crdv1alpha2.Rule) (string, bool) {
 for _, r := range egressRules {
 for _, peer := range r.To {
 if len(peer.FQDN) > 0 && !allowedFQDNChars.MatchString(peer.FQDN) {
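Review bot: Widening `numFieldsSetInPeer` to `peer interface{}` removes the compile-time guarantee that `reflect.ValueOf(peer)` yields a struct value; a caller passing a pointer, a nil interface or any non-struct now panics at `v.NumField()` inside the admission webhook, which turns a programming slip into a validator crash. Either keep a concrete parameter type for each peer version, or guard before the loop with `if v.Kind() != reflect.Struct { return 0 }` and say in the doc comment which types are accepted. The loop body continues outside this hunk.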
@@ -628,17 +636,17 @@ func (v *antreaPolicyValidator) validateFQDNSelectors(egressRules []crdv1alpha1. // updateValidate validates the UPDATE events of Antrea-native policies. func (v *antreaPolicyValidator) updateValidate(curObj, oldObj interface{}, userInfo authenticationv1.UserInfo) (string, bool) { var tier string - var ingress, egress []crdv1alpha1.Rule + var ingress, egress []crdv1alpha2.Rule var specAppliedTo []crdv1alpha1.NetworkPolicyPeer switch curObj.(type) { - case *crdv1alpha1.ClusterNetworkPolicy: - curCNP := curObj.(*crdv1alpha1.ClusterNetworkPolicy) + case *crdv1alpha2.ClusterNetworkPolicy: + curCNP := curObj.(*crdv1alpha2.ClusterNetworkPolicy) tier = curCNP.Spec.Tier ingress = curCNP.Spec.Ingress egress = curCNP.Spec.Egress specAppliedTo = curCNP.Spec.AppliedTo - case *crdv1alpha1.NetworkPolicy: - curANP := curObj.(*crdv1alpha1.NetworkPolicy) + case *crdv1alpha2.NetworkPolicy: + curANP := curObj.(*crdv1alpha2.NetworkPolicy) tier = curANP.Spec.Tier ingress = curANP.Spec.Ingress egress = curANP.Spec.Egress @@ -659,7 +667,7 @@ func (v *antreaPolicyValidator) updateValidate(curObj, oldObj interface{}, userI if !allowed { return reason, allowed } - if err := v.validatePort(ingress, egress); err != nil { + if err := v.validateProtocol(ingress, egress); err != nil { return err.Error(), false } reason, allowed = v.validateTierForPassAction(tier, ingress, egress) diff --git a/pkg/controller/stats/aggregator.go b/pkg/controller/stats/aggregator.go index e39bc11793d..c7a9b30727c 100644 --- a/pkg/controller/stats/aggregator.go +++ b/pkg/controller/stats/aggregator.go 
@@ -26,9 +26,9 @@ import ( "k8s.io/klog/v2" "antrea.io/antrea/pkg/apis/controlplane" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2" statsv1alpha1 "antrea.io/antrea/pkg/apis/stats/v1alpha1" - crdvinformers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1alpha1" + crdv1a2informers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1alpha2" "antrea.io/antrea/pkg/features" "antrea.io/antrea/pkg/util/k8s" ) @@ -69,7 +69,7 @@ func uidIndexFunc(obj interface{}) ([]string, error) { return []string{string(meta.GetUID())}, nil } -func NewAggregator(networkPolicyInformer networkinginformers.NetworkPolicyInformer, cnpInformer crdvinformers.ClusterNetworkPolicyInformer, anpInformer crdvinformers.NetworkPolicyInformer) *Aggregator { +func NewAggregator(networkPolicyInformer networkinginformers.NetworkPolicyInformer, cnpInformer crdv1a2informers.ClusterNetworkPolicyInformer, anpInformer crdv1a2informers.NetworkPolicyInformer) *Aggregator { aggregator := &Aggregator{ networkPolicyStats: cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc, uidIndex: uidIndexFunc}), dataCh: make(chan *controlplane.NodeStatsSummary, 1000), @@ -158,7 +158,7 @@ func (a *Aggregator) deleteNetworkPolicy(obj interface{}) { // addCNP handles ClusterNetworkPolicy ADD events and creates corresponding ClusterNetworkPolicyStats objects. func (a *Aggregator) addCNP(obj interface{}) { - cnp := obj.(*crdv1alpha1.ClusterNetworkPolicy) + cnp := obj.(*crdv1alpha2.ClusterNetworkPolicy) stats := &statsv1alpha1.AntreaClusterNetworkPolicyStats{ ObjectMeta: metav1.ObjectMeta{ Name: cnp.Name, 
@@ -173,14 +173,14 @@ func (a *Aggregator) addCNP(obj interface{}) { // deleteCNP handles ClusterNetworkPolicy DELETE events and deletes corresponding ClusterNetworkPolicyStats objects. func (a *Aggregator) deleteCNP(obj interface{}) { - cnp, ok := obj.(*crdv1alpha1.ClusterNetworkPolicy) + cnp, ok := obj.(*crdv1alpha2.ClusterNetworkPolicy) if !ok { tombstone, ok := obj.(cache.DeletedFinalStateUnknown) if !ok { klog.Errorf("Error decoding object when deleting Antrea ClusterNetworkPolicy, invalid type: %v", obj) return } - cnp, ok = tombstone.Obj.(*crdv1alpha1.ClusterNetworkPolicy) + cnp, ok = tombstone.Obj.(*crdv1alpha2.ClusterNetworkPolicy) if !ok { klog.Errorf("Error decoding object tombstone when deleting Antrea ClusterNetworkPolicy, invalid type: %v", tombstone.Obj) return @@ -197,7 +197,7 @@ func (a *Aggregator) deleteCNP(obj interface{}) { // addANP handles Antrea NetworkPolicy ADD events and creates corresponding AntreaNetworkPolicyStats objects. func (a *Aggregator) addANP(obj interface{}) { - anp := obj.(*crdv1alpha1.NetworkPolicy) + anp := obj.(*crdv1alpha2.NetworkPolicy) stats := &statsv1alpha1.AntreaNetworkPolicyStats{ ObjectMeta: metav1.ObjectMeta{ Namespace: anp.Namespace, @@ -213,14 +213,14 @@ func (a *Aggregator) addANP(obj interface{}) { // deleteANP handles Antrea NetworkPolicy DELETE events and deletes corresponding AntreaNetworkPolicyStats objects. func (a *Aggregator) deleteANP(obj interface{}) { - anp, ok := obj.(*crdv1alpha1.NetworkPolicy) + anp, ok := obj.(*crdv1alpha2.NetworkPolicy) if !ok { tombstone, ok := obj.(cache.DeletedFinalStateUnknown) if !ok { klog.Errorf("Error decoding object when deleting Antrea NetworkPolicy, invalid type: %v", obj) return } - anp, ok = tombstone.Obj.(*crdv1alpha1.NetworkPolicy) + anp, ok = tombstone.Obj.(*crdv1alpha2.NetworkPolicy) if !ok { klog.Errorf("Error decoding object tombstone when deleting Antrea NetworkPolicy, invalid type: %v", tombstone.Obj) return 
diff --git a/pkg/ovs/openflow/interfaces.go b/pkg/ovs/openflow/interfaces.go
index 5f24f90ec69..ce4d1622afa 100644
--- a/pkg/ovs/openflow/interfaces.go
+++ b/pkg/ovs/openflow/interfaces.go
@@ -257,6 +257,8 @@ type FlowBuilder interface {
 MatchConjID(value uint32) FlowBuilder
 MatchDstPort(port uint16, portMask *uint16) FlowBuilder
 MatchSrcPort(port uint16, portMask *uint16) FlowBuilder
+ MatchICMPType(icmpType byte) FlowBuilder
+ MatchICMPCode(icmpCode byte) FlowBuilder
 MatchICMPv6Type(icmp6Type byte) FlowBuilder
 MatchICMPv6Code(icmp6Code byte) FlowBuilder
 MatchTunnelDst(dstIP net.IP) FlowBuilder
diff --git a/pkg/ovs/openflow/ofctrl_builder.go b/pkg/ovs/openflow/ofctrl_builder.go
index 71fccb5bc7e..d871dd49d2e 100644
--- a/pkg/ovs/openflow/ofctrl_builder.go
+++ b/pkg/ovs/openflow/ofctrl_builder.go
@@ -344,14 +344,26 @@ func (b *ofFlowBuilder) MatchDstIPNet(ipnet net.IPNet) FlowBuilder {
 return b
 }
+func (b *ofFlowBuilder) MatchICMPType(icmpType byte) FlowBuilder {
+ b.matchers = append(b.matchers, fmt.Sprintf("icmp_type=%d", icmpType))
+ b.Match.Icmp4Type = &icmpType
+ return b
+}
+
+func (b *ofFlowBuilder) MatchICMPCode(icmpCode byte) FlowBuilder {
+ b.matchers = append(b.matchers, fmt.Sprintf("icmp_code=%d", icmpCode))
+ b.Match.Icmp4Code = &icmpCode
+ return b
+}
+
 func (b *ofFlowBuilder) MatchICMPv6Type(icmp6Type byte) FlowBuilder {
- b.matchers = append(b.matchers, fmt.Sprintf("icmp_type=%d", icmp6Type))
+ b.matchers = append(b.matchers, fmt.Sprintf("icmpv6_type=%d", icmp6Type))
 b.Match.Icmp6Type = &icmp6Type
 return b
 }
 func (b *ofFlowBuilder) MatchICMPv6Code(icmp6Code byte) FlowBuilder {
- b.matchers = append(b.matchers, fmt.Sprintf("icmp_code=%d", icmp6Code))
+ b.matchers = append(b.matchers, fmt.Sprintf("icmpv6_code=%d", icmp6Code))
 b.Match.Icmp6Code = &icmp6Code
 return b
 }
diff --git a/pkg/ovs/openflow/testing/mock_openflow.go b/pkg/ovs/openflow/testing/mock_openflow.go
index af365d0b222..014a349eafb 100644
--- a/pkg/ovs/openflow/testing/mock_openflow.go
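Review bot: `MatchICMPType`/`MatchICMPCode` in ofctrl_builder.go append `icmp_type=`/`icmp_code=` matchers and set `Icmp4Type`/`Icmp4Code`, but nothing here establishes the IPv4 ICMP protocol prerequisite; in OVS an `icmp_type` match is only valid when the flow also matches `icmp` (IPv4, `nw_proto=1`), and the renamed `icmpv6_type`/`icmpv6_code` matchers likewise need `icmp6`, so a caller that forgets the protocol match gets a flow OVS rejects rather than a compile error. Add a doc comment on each new builder method, e.g. `// MatchICMPType matches the ICMPv4 type; the flow must already match protocol ICMP.`, and, if the builder records the protocol it has matched (not visible here), consider checking it. The rename of the ICMPv6 matcher strings is correct and the mock_openflow.go change is generated and needs no review.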
+++ b/pkg/ovs/openflow/testing/mock_openflow.go @@ -1729,6 +1729,34 @@ func (mr *MockFlowBuilderMockRecorder) MatchDstPort(arg0, arg1 interface{}) *gom return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MatchDstPort", reflect.TypeOf((*MockFlowBuilder)(nil).MatchDstPort), arg0, arg1) } +// MatchICMPCode mocks base method +func (m *MockFlowBuilder) MatchICMPCode(arg0 byte) openflow.FlowBuilder { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "MatchICMPCode", arg0) + ret0, _ := ret[0].(openflow.FlowBuilder) + return ret0 +} + +// MatchICMPCode indicates an expected call of MatchICMPCode +func (mr *MockFlowBuilderMockRecorder) MatchICMPCode(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MatchICMPCode", reflect.TypeOf((*MockFlowBuilder)(nil).MatchICMPCode), arg0) +} + +// MatchICMPType mocks base method +func (m *MockFlowBuilder) MatchICMPType(arg0 byte) openflow.FlowBuilder { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "MatchICMPType", arg0) + ret0, _ := ret[0].(openflow.FlowBuilder) + return ret0 +} + +// MatchICMPType indicates an expected call of MatchICMPType +func (mr *MockFlowBuilderMockRecorder) MatchICMPType(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MatchICMPType", reflect.TypeOf((*MockFlowBuilder)(nil).MatchICMPType), arg0) +} + // MatchICMPv6Code mocks base method func (m *MockFlowBuilder) MatchICMPv6Code(arg0 byte) openflow.FlowBuilder { m.ctrl.T.Helper()