From ec5c1ec9f80f2378b608b9457fa29fb86a962a7d Mon Sep 17 00:00:00 2001
From: Dyanngg
Date: Wed, 3 Jun 2020 21:06:08 -0700
Subject: [PATCH] Add support for Namespace scoped NetworkPolicy CRD (#775)
* Add API types for Namespaced Antrea NetworkPolicy
* Update priority to float64 Add new CRD yamls only when explicitly set.
* Update apigroup for ExternalEndpoint CRD Move ExternalEndpoint to core group.
* Fix name mismatch for externalNode field
* Move security and core group to v1alpha1 Address comments.
* Minor patches to ANP CRD types
- Nameport.protocol is no longer a pointer --> consistent with k8s core.servicePort
- ExternalEndPoint.ip is a string ---> so it is readable to end user.
- Add "omitempty" to all fields ---> we potentially can have some fields unset.
- added webhook methods ---> allows ExternalEntity to hookup to webhook service.
Co-authored-by: Abhishek Raut
Co-authored-by: Su Wang
---
 build/yamls/base/core-crds.yml | 48 ++++++++++++
 build/yamls/base/security-crds.yml | 121 +++++++++++++++++++++++++++++
 build/yamls/patches/np/npRbac.yml | 22 ++++++
 3 files changed, 191 insertions(+)
 create mode 100644 build/yamls/base/core-crds.yml
 create mode 100644 build/yamls/base/security-crds.yml
 create mode 100644 build/yamls/patches/np/npRbac.yml
diff --git a/build/yamls/base/core-crds.yml b/build/yamls/base/core-crds.yml
new file mode 100644
index 00000000000..432da29b4ef
--- /dev/null
+++ b/build/yamls/base/core-crds.yml
@@ -0,0 +1,48 @@
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: externalentities.core.antrea.tanzu.vmware.com
+spec:
+ group: core.antrea.tanzu.vmware.com
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ scope: Namespaced
+ names:
+ plural: externalentities
+ singular: externalentity
+ kind: ExternalEntity
+ shortNames:
+ - ee
+ # Prune any unknown fields
+ preserveUnknownFields: false
+ validation:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ endpoints:
+ type: array
+ items:
+ type: object
+ properties:
+ ip:
+ type: string
+ format: ipv4
+ name:
+ type: string
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ port:
+ x-kubernetes-int-or-string: true
+ externalNode:
+ type: string
diff --git a/build/yamls/base/security-crds.yml b/build/yamls/base/security-crds.yml
new file mode 100644
index 00000000000..a19ae219cef
--- /dev/null
+++ b/build/yamls/base/security-crds.yml
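Review bot: `endpoints[].ports[].protocol` is constrained only as `type: string`, so any value reaches the controller; since the commit message aligns this field with core ServicePort.protocol, an `enum` listing the protocols the controller actually handles would reject mistakes at admission rather than later in policy processing. The `ip` field carries `format: ipv4`, which rejects IPv6 endpoints — if that is intentional, a comment such as `# IPv4 only for now; IPv6 endpoints are rejected at admission` beside it would spare the next reader a guess. This CRD and security-crds.yml both use `apiextensions.k8s.io/v1beta1`, which is deprecated in favour of `v1`; worth migrating when the supported Kubernetes range allows it.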
@@ -0,0 +1,121 @@
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: networkpolicies.security.antrea.tanzu.vmware.com
+spec:
+ group: security.antrea.tanzu.vmware.com
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ scope: Namespaced
+ names:
+ plural: networkpolicies
+ singular: networkpolicy
+ kind: NetworkPolicy
+ shortNames:
+ - anp
+ # Prune any unknown fields
+ preserveUnknownFields: false
+ validation:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ # Ensure that Spec.AppliedTo and Spec.Priority fields are set
+ required:
+ - appliedTo
+ - priority
+ type: object
+ properties:
+ priority:
+ type: number
+ format: float
+ # Ensure that Spec.Priority field is between 1 and 10000
+ minimum: 1.0
+ maximum: 10000.0
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ additionalProperties:
+ type: object
+ externalEntitySelector:
+ type: object
+ additionalProperties:
+ type: object
+ ingress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ # Ensure that Action field allows only ALLOW and DROP values
+ action:
+ type: string
+ pattern: '\bALLOW|\bAllow|\ballow|\bDROP|\bDrop|\bdrop'
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ port:
+ x-kubernetes-int-or-string: true
+ from:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ egress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ # Ensure that Action field allows only ALLOW and DROP values
+ action:
+ type: string
+ pattern: '\bALLOW|\bAllow|\ballow|\bDROP|\bDrop|\bdrop'
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ port:
+ x-kubernetes-int-or-string: true
+ to:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
diff --git a/build/yamls/patches/np/npRbac.yml b/build/yamls/patches/np/npRbac.yml
new file mode 100644
index 00000000000..7e3af1eab74
--- /dev/null
+++ b/build/yamls/patches/np/npRbac.yml
@@ -0,0 +1,22 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-controller
+rules:
+ - apiGroups:
+ - security.antrea.tanzu.vmware.com
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - core.antrea.tanzu.vmware.com
+ resources:
+ - externalentities
+ verbs:
+ - get
+ - watch
+ - list
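Review bot: The `action` `pattern` (under ingress, and repeated under egress) is not anchored, and OpenAPI patterns match anywhere in the string, so values such as `allowance`, `dropped` or `do not ALLOW` pass admission even though the comment above it says only ALLOW and DROP are accepted; anchor it (`pattern: '^(ALLOW|Allow|allow|DROP|Drop|drop)$'`) or, better, replace it with an `enum` listing exactly the spellings the controller accepts. `appliedTo[].podSelector` is declared with `additionalProperties: {type: object}`, which presumably rejects a label selector's `matchExpressions` (an array), while the `from`/`to` selectors use `x-kubernetes-preserve-unknown-fields: true`; the two forms should be made consistent. Because `preserveUnknownFields: false` prunes rather than rejects, a `namespaceSelector` under `appliedTo` or an `except` list under `ipBlock` is silently dropped; for `ipBlock` that would widen the matched range if the Go type supports `except`, so either add it to the schema or change the comment on `appliedTo` to say the field is pruned, not refused.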
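Review bot: Nothing in this ClusterRole patch records that its API groups and resource names must match the CRDs defined in `build/yamls/base/security-crds.yml` and `build/yamls/base/core-crds.yml`, and the commit message says those CRD manifests are only emitted when explicitly enabled, so the coupling is easy to break when one side is renamed. A header comment such as `# Read-only (get/watch/list) access to the Antrea NetworkPolicy and ExternalEntity CRDs; keep groups/resources in sync with build/yamls/base/{security,core}-crds.yml` would make that visible. The verbs themselves are the minimum an informer needs, which is the right least-privilege choice; any future write access should go in a separate rule rather than widening these.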