

Add support for Namespaced Group CRD (#2438)
Add a Group CRD, which is responsible for collecting Pods and Namespaces in the Group's Namespace based on
the label selectors defined in the Group definition. It also allows setting an IPBlock and ChildGroups (cannot be set with other
Selectors) in the Group. The purpose of a Group is to allow grouping of resources that can then be referenced in
AntreaNetworkPolicies without having to add the same selectors to every ANP when the group of resources is meant to be
shared. This allows for greater sharing and decouples the job of reconciling effective group members from that of enforcing
security policies.

This PR adds the following:
-Group API types
-Group CRD YAML
-Controller changes to reconcile effective members of a Group
-Controller changes to trigger ANP update introduced by a Group
-Validation webhook to validate a GroupSpec
-NetworkPolicyStatus refactored with Conditions

Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Co-authored-by: Qiyue Yao <yaoq@vmware.com>
Co-authored-by: abhiraut <rauta@vmware.com>
abhiraut and qiyueyao committed Aug 10, 2022
1 parent 024254d commit 576b080
Showing 59 changed files with 5,086 additions and 272 deletions.
15 changes: 15 additions & 0 deletions build/charts/antrea/crds/clusternetworkpolicy.yaml
Expand Up @@ -616,6 +616,21 @@ spec:
type: integer
desiredNodesRealized:
type: integer
conditions:
type: array
items:
type: object
properties:
type:
type: string
status:
type: string
lastTransitionTime:
type: string
reason:
type: string
message:
type: string
subresources:
status: {}
scope: Cluster
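Review bot: The new `conditions` items accept any string for `status` and `lastTransitionTime`, so a condition written as `status: true` or with an arbitrary timestamp string passes the schema; aligning with metav1.Condition by adding `enum: ["True", "False", "Unknown"]` under `status` and `format: date-time` under `lastTransitionTime` lets the API server reject such values instead of leaving it to whatever reads the status. If, as this commit does for `groups/status` in clusterrole.yaml, only the controller can update this subresource, the exposure is limited to controller bugs, but consumers such as `kubectl wait --for=condition=` key on an exact `True`. Marking the list `x-kubernetes-list-type: map` with `x-kubernetes-list-map-keys: [type]` would additionally let server-side apply merge by condition type rather than replace the whole array. The same block is duplicated in networkpolicy.yaml and should be changed in both places.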
25 changes: 25 additions & 0 deletions build/charts/antrea/crds/networkpolicy.yaml
Expand Up @@ -81,6 +81,8 @@ spec:
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
group:
type: string
ingress:
type: array
items:
Expand Down Expand Up @@ -118,6 +120,8 @@ spec:
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
group:
type: string
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
Expand Down Expand Up @@ -272,6 +276,8 @@ spec:
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
group:
type: string
name:
type: string
enableLogging:
Expand Down Expand Up @@ -313,6 +319,8 @@ spec:
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
group:
type: string
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
Expand Down Expand Up @@ -471,6 +479,8 @@ spec:
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
group:
type: string
toServices:
type: array
items:
Expand All @@ -497,6 +507,21 @@ spec:
type: integer
desiredNodesRealized:
type: integer
conditions:
type: array
items:
type: object
properties:
type:
type: string
status:
type: string
lastTransitionTime:
type: string
reason:
type: string
message:
type: string
subresources:
status: {}
scope: Namespaced
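Review bot: The new `group` field in each peer (first hunk, directly after `matchLabels`) is an unconstrained string, while the neighbouring `matchExpressions` keys carry a `pattern`; since `group` names a Namespaced Group resource, adding `maxLength: 253` and a DNS-1123 subdomain `pattern` would reject malformed references at admission instead of relying on the webhook or on a failed lookup in the controller. The schema also cannot express that `group` is mutually exclusive with `podSelector`/`namespaceSelector`/`ipBlock` in the same peer, nor whether the reference may only resolve in the policy's own Namespace; the description mentions a webhook for GroupSpec but not for the ANP-side reference, so a comment such as `# group: name of a Group in this policy's Namespace; mutually exclusive with the other peer selectors` above the field would document the intended contract. The enclosing `ingress`/`egress`/`appliedTo` definitions extend beyond the hunks shown.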
2 changes: 2 additions & 0 deletions build/charts/antrea/templates/controller/clusterrole.yaml
Expand Up @@ -230,6 +230,7 @@ rules:
resources:
- externalentities
- clustergroups
- groups
verbs:
- get
- watch
Expand All @@ -242,6 +243,7 @@ rules:
- crd.antrea.io
resources:
- clustergroups/status
- groups/status
verbs:
- update
- apiGroups:
128 changes: 128 additions & 0 deletions build/charts/antrea/templates/crds/group.yaml
@@ -0,0 +1,128 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: groups.crd.antrea.io
spec:
group: crd.antrea.io
versions:
- name: v1alpha3
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
childGroups:
type: array
items:
type: string
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaceSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
matchLabels:
x-kubernetes-preserve-unknown-fields: true
externalEntitySelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
matchLabels:
x-kubernetes-preserve-unknown-fields: true
ipBlocks:
type: array
items:
type: object
properties:
cidr:
type: string
format: cidr
serviceReference:
type: object
properties:
name:
type: string
namespace:
type: string
status:
type: object
properties:
conditions:
type: array
items:
type: object
properties:
type:
type: string
status:
type: string
lastTransitionTime:
type: string
subresources:
status: {}
scope: Namespaced
names:
plural: groups
singular: group
kind: Group
shortNames:
- grp
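Review bot: The schema admits `namespaceSelector` and a `serviceReference.namespace`, yet the commit description scopes a Group to "Pods and Namespaces in the Group's Namespace"; if the webhook does not reject a `serviceReference.namespace` that differs from the Group's own `metadata.namespace`, a user allowed to create Groups in one Namespace could select Service endpoints in another, so that check belongs in the webhook (or the `namespace` property should be dropped from the schema if it is never meant to differ). How `namespaceSelector` fits that scoping is not visible here and deserves a comment in the CRD, e.g. `# namespaceSelector: TODO(review) document whether a Namespaced Group may select Pods outside its own Namespace`. Separately, `status.conditions` items here lack the `reason` and `message` properties that the same commit adds to the NetworkPolicy and ClusterNetworkPolicy status conditions, so if the controller ever sets them on a Group the API server will prune them. `childGroups` items are likewise bare strings with no `maxLength` or name pattern.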
Expand Up @@ -65,6 +65,21 @@ webhooks:
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
- name: "groupvalidator.antrea.io"
clientConfig:
service:
name: "antrea"
namespace: "kube-system"
path: "/validate/group"
rules:
- operations: [ "CREATE", "UPDATE" ]
apiGroups: [ "crd.antrea.io" ]
apiVersions: [ "v1alpha3" ]
resources: [ "groups" ]
scope: "Namespaced"
admissionReviewVersions: [ "v1", "v1beta1" ]
sideEffects: None
timeoutSeconds: 5
- name: "externalippoolvalidator.antrea.io"
clientConfig:
service:

