From 789bf583cd2b2746791052d3adbef1c0eaae9e4e Mon Sep 17 00:00:00 2001 From: Pierangelo Di Pilato Date: Wed, 12 Jun 2024 10:55:43 +0200 Subject: [PATCH] Add EventPolicy CRD Signed-off-by: Pierangelo Di Pilato --- cmd/schema/main.go | 2 + config/core/resources/eventpolicy.yaml | 181 +++++++++++++++++++++++++ 2 files changed, 183 insertions(+) create mode 100644 config/core/resources/eventpolicy.yaml diff --git a/cmd/schema/main.go b/cmd/schema/main.go index 62b58d42937..2c38476a3cb 100644 --- a/cmd/schema/main.go +++ b/cmd/schema/main.go @@ -23,6 +23,7 @@ import ( "knative.dev/hack/schema/registry" eventingv1 "knative.dev/eventing/pkg/apis/eventing/v1" + eventingv1alpha1 "knative.dev/eventing/pkg/apis/eventing/v1alpha1" flowsv1 "knative.dev/eventing/pkg/apis/flows/v1" messagingv1 "knative.dev/eventing/pkg/apis/messaging/v1" sourcesv1 "knative.dev/eventing/pkg/apis/sources/v1" @@ -47,6 +48,7 @@ func main() { // Flows registry.Register(&flowsv1.Sequence{}) registry.Register(&flowsv1.Parallel{}) + registry.Register(&eventingv1alpha1.EventPolicy{}) if err := commands.New("knative.dev/eventing").Execute(); err != nil { log.Fatal("Error during command execution: ", err) diff --git a/config/core/resources/eventpolicy.yaml b/config/core/resources/eventpolicy.yaml new file mode 100644 index 00000000000..159d379e5bb --- /dev/null +++ b/config/core/resources/eventpolicy.yaml @@ -0,0 +1,181 @@ +# Copyright 2024 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: eventpolicies.eventing.knative.dev + labels: + knative.dev/crd-install: "true" + app.kubernetes.io/version: devel + app.kubernetes.io/name: knative-eventing +spec: + group: eventing.knative.dev + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + description: Spec defines the desired state of the EventPolicy. + type: object + properties: + from: + description: From is the list of sources or oidc identities, which are allowed to send events to the targets (.spec.to). + type: array + items: + type: object + properties: + ref: + description: Ref contains a direct reference to a resource which is allowed to send events to the target. + type: object + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ This is optional field, it gets defaulted to the object holding it if left out.' + type: string + sub: + description: Sub sets the OIDC identity name to be allowed to send events to the target. It is also possible to set a glob-like pattern to match any suffix. + type: string + to: + description: To lists all resources for which this policy applies. Resources in this list must act like an ingress and have an audience. The resources are part of the same namespace as the EventPolicy. An empty list means it applies to all resources in the EventPolicies namespace + type: array + items: + type: object + properties: + ref: + description: Ref contains the direct reference to a target + type: object + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + selector: + description: Selector contains a selector to group targets + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + type: object + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + x-kubernetes-preserve-unknown-fields: true + status: + description: Status represents the current state of the EventPolicy. This data may be out of date. + type: object + properties: + annotations: + description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. + type: object + x-kubernetes-preserve-unknown-fields: true + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + type: object + required: + - type + - status + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + from: + description: From is the list of resolved oidc identities from .spec.from + type: array + items: + type: string + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. + type: integer + format: int64 + + additionalPrinterColumns: + - name: Ready + type: string + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + names: + kind: EventPolicy + plural: eventpolicies + singular: eventpolicy + categories: + - all + - knative + - eventing + scope: Namespaced + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: eventing-webhook + namespace: knative-eventing