Add support for Namespace scoped NetworkPolicy CRD (#775)

* Add API types for Namespaced Antrea NetworkPolicy

* Update priority to float64

Add new CRD yamls only when explicitly set.

* Update apigroup for ExternalEndpoint CRD

Move ExternalEndpoint to core group.

* Fix name mismatch for externalNode field

* Move security and core group to v1alpha1

Address comments.

* Minor patches to ANP CRD types

- Nameport.protocol is no longer a pointer --> consistent with k8s core.servicePort
- ExternalEndPoint.ip is a string ---> so it is readable to end user.
- Add "omitempty" to all fields ---> we potentially can have some fields unset.
- added webhook methods ---> allows ExternalEntity to hookup to webhook service.

Co-authored-by: Abhishek Raut <rauta@vmware.com>
Co-authored-by: Su Wang <suw@vmware.com>

build/yamls/base/core-crds.yml

@@ -0,0 +1,48 @@
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: externalentities.core.antrea.tanzu.vmware.com
+spec:
+  group: core.antrea.tanzu.vmware.com
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+  scope: Namespaced
+  names:
+    plural: externalentities
+    singular: externalentity
+    kind: ExternalEntity
+    shortNames:
+      - ee
+  # Prune any unknown fields
+  preserveUnknownFields: false
+  validation:
+    openAPIV3Schema:
+      type: object
+      properties:
+        spec:
+          type: object
+          properties:
+            endpoints:
+              type: array
+              items:
+                type: object
+                properties:
+                  ip:
+                    type: string
+                    format: ipv4
+                  name:
+                    type: string
+                  ports:
+                    type: array
+                    items:
+                      type: object
+                      properties:
+                        protocol:
+                          type: string
+                        port:
+                          x-kubernetes-int-or-string: true
+            externalNode:
+              type: string

build/yamls/base/security-crds.yml

@@ -0,0 +1,121 @@
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: networkpolicies.security.antrea.tanzu.vmware.com
+spec:
+  group: security.antrea.tanzu.vmware.com
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+  scope: Namespaced
+  names:
+    plural: networkpolicies
+    singular: networkpolicy
+    kind: NetworkPolicy
+    shortNames:
+      - anp
+  # Prune any unknown fields
+  preserveUnknownFields: false
+  validation:
+    openAPIV3Schema:
+      type: object
+      properties:
+        spec:
+          # Ensure that Spec.AppliedTo and Spec.Priority fields are set
+          required:
+            - appliedTo
+            - priority
+          type: object
+          properties:
+           priority:
+             type: number
+             format: float
+             # Ensure that Spec.Priority field is between 1 and 10000
+             minimum: 1.0
+             maximum: 10000.0
+           appliedTo:
+             type: array
+             items:
+               type: object
+               # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field
+               properties:
+                 podSelector:
+                   type: object
+                   additionalProperties:
+                     type: object
+                 externalEntitySelector:
+                   type: object
+                   additionalProperties:
+                     type: object
+           ingress:
+             type: array
+             items:
+               type: object
+               required:
+                 - action
+               properties:
+                 # Ensure that Action field allows only ALLOW and DROP values
+                 action:
+                   type: string
+                   pattern: '\bALLOW|\bAllow|\ballow|\bDROP|\bDrop|\bdrop'
+                 ports:
+                   type: array
+                   items:
+                     type: object
+                     properties:
+                       protocol:
+                         type: string
+                       port:
+                         x-kubernetes-int-or-string: true
+                 from:
+                   type: array
+                   items:
+                     type: object
+                     properties:
+                       podSelector:
+                         x-kubernetes-preserve-unknown-fields: true
+                       namespaceSelector:
+                         x-kubernetes-preserve-unknown-fields: true
+                       ipBlock:
+                         type: object
+                         properties:
+                           cidr:
+                             type: string
+                             format: cidr
+           egress:
+             type: array
+             items:
+               type: object
+               required:
+                 - action
+               properties:
+                 # Ensure that Action field allows only ALLOW and DROP values
+                 action:
+                   type: string
+                   pattern: '\bALLOW|\bAllow|\ballow|\bDROP|\bDrop|\bdrop'
+                 ports:
+                   type: array
+                   items:
+                     type: object
+                     properties:
+                       protocol:
+                         type: string
+                       port:
+                         x-kubernetes-int-or-string: true
+                 to:
+                   type: array
+                   items:
+                     type: object
+                     properties:
+                       podSelector:
+                         x-kubernetes-preserve-unknown-fields: true
+                       namespaceSelector:
+                         x-kubernetes-preserve-unknown-fields: true
+                       ipBlock:
+                         type: object
+                         properties:
+                           cidr:
+                             type: string
+                             format: cidr

build/yamls/patches/np/npRbac.yml

@@ -0,0 +1,22 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: antrea-controller
+rules:
+  - apiGroups:
+      - security.antrea.tanzu.vmware.com
+    resources:
+      - networkpolicies
+    verbs:
+      - get
+      - watch
+      - list
+  - apiGroups:
+      - core.antrea.tanzu.vmware.com
+    resources:
+      - externalentities
+    verbs:
+      - get
+      - watch
+      - list

hack/generate-manifest.sh

@@ -27,6 +27,7 @@ Generate a YAML manifest for Antrea using Kustomize and print it to stdout.
         --kind                Generate a manifest appropriate for running Antrea in a Kind cluster
         --cloud               Generate a manifest appropriate for running Antrea in Public Cloud
         --ipsec               Generate a manifest with IPSec encryption of tunnel traffic enabled
+        --np                  Generate a manifest with Namespaced Antrea NetworkPolicy CRDs enabled
         --keep                Debug flag which will preserve the generated kustomization.yml
         --help, -h            Print this message and exit
 
@@ -48,6 +49,7 @@ function print_help {
 MODE="dev"
 KIND=false
 IPSEC=false
+NP=false
 KEEP=false
 ENCAP_MODE=""
 CLOUD=""
@@ -77,6 +79,10 @@ case $key in
     IPSEC=true
     shift
     ;;
+    --np)
+    NP=true
+    shift
+    ;;
     --keep)
     KEEP=true
     shift
@@ -173,6 +179,23 @@ if $IPSEC; then
     cd ..
 fi
 
+if $NP; then
+    mkdir np && cd np
+    cp ../../patches/np/*.yml .
+    cp ../../base/security-crds.yml .
+    cp ../../base/core-crds.yml .
+    touch kustomization.yml
+    $KUSTOMIZE edit add base $BASE
+    # add RBAC to antrea-controller for NP CRD access.
+    $KUSTOMIZE edit add patch npRbac.yml
+    # create NetworkPolicy related CRDs.
+    $KUSTOMIZE edit add resource security-crds.yml
+    # create ExternalEntity related CRDs.
+    $KUSTOMIZE edit add resource core-crds.yml
+    BASE=../np
+    cd ..
+fi
+
 if [[ $ENCAP_MODE == "networkPolicyOnly" ]] ; then
     mkdir chaining && cd chaining
     cp ../../patches/chaining/*.yml .

hack/update-codegen-dockerized.sh

@@ -32,14 +32,32 @@ $GOPATH/bin/client-gen \
   --input "clusterinformation/v1beta1" \
   --input "networking/v1beta1" \
   --input "system/v1beta1" \
+  --input "security/v1alpha1" \
+  --input "core/v1alpha1" \
   --output-package "${ANTREA_PKG}/pkg/client/clientset" \
   --go-header-file hack/boilerplate/license_header.go.txt
 
+# Generate listers with K8s codegen tools.
+$GOPATH/bin/lister-gen \
+  --input-dirs "${ANTREA_PKG}/pkg/apis/security/v1alpha1,${ANTREA_PKG}/pkg/apis/core/v1alpha1" \
+  --output-package "${ANTREA_PKG}/pkg/client/listers" \
+  --go-header-file hack/boilerplate/license_header.go.txt
+
+# Generate informers with K8s codegen tools.
+$GOPATH/bin/informer-gen \
+  --input-dirs "${ANTREA_PKG}/pkg/apis/security/v1alpha1,${ANTREA_PKG}/pkg/apis/core/v1alpha1" \
+  --versioned-clientset-package "${ANTREA_PKG}/pkg/client/clientset/versioned" \
+  --listers-package "${ANTREA_PKG}/pkg/client/listers" \
+  --output-package "${ANTREA_PKG}/pkg/client/informers" \
+  --go-header-file hack/boilerplate/license_header.go.txt
+
 $GOPATH/bin/deepcopy-gen \
   --input-dirs "${ANTREA_PKG}/pkg/apis/clusterinformation/v1beta1" \
   --input-dirs "${ANTREA_PKG}/pkg/apis/networking" \
   --input-dirs "${ANTREA_PKG}/pkg/apis/networking/v1beta1" \
   --input-dirs "${ANTREA_PKG}/pkg/apis/system/v1beta1" \
+  --input-dirs "${ANTREA_PKG}/pkg/apis/security/v1alpha1" \
+  --input-dirs "${ANTREA_PKG}/pkg/apis/core/v1alpha1" \
   -O zz_generated.deepcopy \
   --go-header-file hack/boilerplate/license_header.go.txt
 

pkg/apis/core/doc.go

@@ -0,0 +1,18 @@
+// Copyright 2020 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +k8s:deepcopy-gen=package
+// +groupName=core.antrea.tanzu.vmware.com
+
+package core

pkg/apis/core/register.go

@@ -0,0 +1,20 @@
+// Copyright 2020 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package core
+
+// GroupName is the group name used in this package
+const (
+	GroupName = "core.antrea.tanzu.vmware.com"
+)

pkg/apis/core/v1alpha1/doc.go

@@ -0,0 +1,19 @@
+// Copyright 2020 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +groupName=core.antrea.tanzu.vmware.com
+
+package v1alpha1 // import "github.com/vmware-tanzu/antrea/pkg/apis/core/v1alpha1"

pkg/apis/core/v1alpha1/register.go

@@ -0,0 +1,53 @@
+// Copyright 2020 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name used in this package.
+const GroupName = "core.antrea.tanzu.vmware.com"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&ExternalEntity{},
+		&ExternalEntityList{},
+	)
+
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}