From 6ff2bacad6666382bcb295e5aa898b483a4801a8 Mon Sep 17 00:00:00 2001 From: Surya Seetharaman Date: Tue, 20 Feb 2024 13:16:16 +0100 Subject: [PATCH] Implement inline CIDR egress peer This PR adds support for implementing inline CIDR peer blocks. Signed-off-by: Surya Seetharaman --- apis/v1alpha1/shared_types.go | 27 ++++++++++++++ apis/v1alpha1/zz_generated.deepcopy.go | 5 +++ ...etworking.k8s.io_adminnetworkpolicies.yaml | 37 +++++++++++++++++++ ...g.k8s.io_baselineadminnetworkpolicies.yaml | 37 +++++++++++++++++++ mkdocs.yml | 8 ++-- npeps/npep-126-egress-traffic-control.md | 2 +- npeps/npep-137-conformance-profiles.md | 2 +- .../npeps/npep-126-egress-traffic-control.md | 2 +- .../npeps/npep-137-conformance-profiles.md | 2 +- 9 files changed, 114 insertions(+), 8 deletions(-) diff --git a/apis/v1alpha1/shared_types.go b/apis/v1alpha1/shared_types.go index ba37b92c..626f4aee 100644 --- a/apis/v1alpha1/shared_types.go +++ b/apis/v1alpha1/shared_types.go 
@@ -175,6 +175,26 @@ type AdminNetworkPolicyEgressPeer struct {
 //
 // +optional
 Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
+ // Networks defines a way to select peers via CIDR blocks.
+ // This is intended for representing entities that live outside the cluster,
+ // which can't be selected by pods, namespaces and nodes peers, but note
+ // that cluster-internal traffic will be checked against the rule as
+ // well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
+ // or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
+ // add a rule that Passes all pod traffic before the Networks rule.
+ //
+ // Each item in Networks should be provided in the CIDR format and should be
+ // IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
+ //
+ // Networks can have upto 25 CIDRs specified.
+ //
+ // Support: Extended
+ //
+ //
+ // +optional
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=25
+ Networks []CIDR `json:"networks,omitempty"`
 }

 // NamespacedPeer defines a flexible way to select Namespaces in a cluster.
@@ -237,3 +257,10 @@ type NamespacedPodPeer struct {
 //
 PodSelector metav1.LabelSelector `json:"podSelector"`
 }
+
+// CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
+// This string must be validated by implementations using net.ParseCIDR
+// TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available.
+// +kubebuilder:validation:XValidation:rule="self.contains(':') != self.contains('.')",message="CIDR must be either an IPv4 or IPv6 address. IPv4 address embedded in IPv6 addresses are not supported"
+// +kubebuilder:validation:MaxLength=43
+type CIDR string
diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go
index 5518baca..82b1b61d 100644
--- a/apis/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/v1alpha1/zz_generated.deepcopy.go
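Review bot: The CEL rule on the new `CIDR` type in the second hunk only requires that the string contain exactly one of ':' or '.', so values such as `"10.0.0.0"` (no prefix length), `"10.0.0.0/33"` or `"not.a.cidr"` are admitted and persisted by the API server, and the comment leaves rejection to `net.ParseCIDR` in every implementation. That is a fail-open risk if an implementation skips an entry it cannot parse instead of refusing the whole rule, because a Deny rule that silently loses a peer allows more traffic than the author wrote; the doc comment should say so, e.g. `// Implementations MUST reject (not skip) an entry that net.ParseCIDR cannot parse, and MUST match on the returned *IPNet (the masked network), never on the host address.` Until `isCIDR()` is available, a stricter interim CEL check that at least enforces the `addr/len` shape and the prefix-length range is cheap, e.g. `self.matches('^[0-9.]+/([0-9]|[12][0-9]|3[0-2])$') || self.matches('^[0-9a-fA-F:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$')`. If AdminNetworkPolicyEgressPeer carries a one-of validation over its peer fields, it is not visible here and would presumably need `networks` added; the struct's header and remaining fields are outside the hunk.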
@@ -70,6 +70,11 @@ func (in *AdminNetworkPolicyEgressPeer) DeepCopyInto(out *AdminNetworkPolicyEgre
 *out = new(v1.LabelSelector)
 (*in).DeepCopyInto(*out)
 }
+ if in.Networks != nil {
+ in, out := &in.Networks, &out.Networks
+ *out = make([]CIDR, len(*in))
+ copy(*out, *in)
+ }
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdminNetworkPolicyEgressPeer.
diff --git a/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml b/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml
index c1900148..7c1b8328 100644
--- a/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml
+++ b/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml
@@ -310,6 +310,43 @@ spec: maxItems: 100 type: array type: object + networks: + description: |- + Networks defines a way to select peers via CIDR blocks. + This is intended for representing entities that live outside the cluster, + which can't be selected by pods, namespaces and nodes peers, but note + that cluster-internal traffic will be checked against the rule as + well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow + or deny all IPv4 pod-to-pod traffic as well. If you don't want that, + add a rule that Passes all pod traffic before the Networks rule. + + + Each item in Networks should be provided in the CIDR format and should be + IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". + + + Networks can have upto 25 CIDRs specified. + + + Support: Extended + + + + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). + This string must be validated by implementations using net.ParseCIDR + TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available. + maxLength: 43 + type: string + x-kubernetes-validations: + - message: CIDR must be either an IPv4 or IPv6 address. + IPv4 address embedded in IPv6 addresses are not + supported + rule: self.contains(':') != self.contains('.') + maxItems: 25 + minItems: 1 + type: array nodes: description: |- Nodes defines a way to select a set of nodes in diff --git a/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml b/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml index 6ebb436e..4f7d9bbf 100644 --- a/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml +++ b/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml 
@@ -301,6 +301,43 @@ spec: maxItems: 100 type: array type: object + networks: + description: |- + Networks defines a way to select peers via CIDR blocks. + This is intended for representing entities that live outside the cluster, + which can't be selected by pods, namespaces and nodes peers, but note + that cluster-internal traffic will be checked against the rule as + well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow + or deny all IPv4 pod-to-pod traffic as well. If you don't want that, + add a rule that Passes all pod traffic before the Networks rule. + + + Each item in Networks should be provided in the CIDR format and should be + IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". + + + Networks can have upto 25 CIDRs specified. + + + Support: Extended + + + + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). + This string must be validated by implementations using net.ParseCIDR + TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available. + maxLength: 43 + type: string + x-kubernetes-validations: + - message: CIDR must be either an IPv4 or IPv6 address. + IPv4 address embedded in IPv6 addresses are not + supported + rule: self.contains(':') != self.contains('.') + maxItems: 25 + minItems: 1 + type: array nodes: description: |- Nodes defines a way to select a set of nodes in diff --git a/mkdocs.yml b/mkdocs.yml index 6008b385..82fe9f8f 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -65,11 +65,11 @@ nav: - Provisional: - npeps/npep-122.md - npeps/npep-133.md - - Implementable: - - npeps/npep-137-conformance-profiles.md + # - Implementable: + - Experimental: - npeps/npep-126-egress-traffic-control.md - # - Experimental: - # - Standard: + - Standard: + - npeps/npep-137-conformance-profiles.md # - Declined: - Blog: - blog/index.md 
diff --git a/npeps/npep-126-egress-traffic-control.md b/npeps/npep-126-egress-traffic-control.md index 199f5358..c6a3b659 100644 --- a/npeps/npep-126-egress-traffic-control.md +++ b/npeps/npep-126-egress-traffic-control.md @@ -1,7 +1,7 @@ # NPEP-126: Add northbound traffic support in (B)ANP API * Issue: [#126](https://github.com/kubernetes-sigs/network-policy-api/issues/126) -* Status: Implementable +* Status: Experimental ## TLDR diff --git a/npeps/npep-137-conformance-profiles.md b/npeps/npep-137-conformance-profiles.md index 76f1ad08..3b1f2676 100644 --- a/npeps/npep-137-conformance-profiles.md +++ b/npeps/npep-137-conformance-profiles.md @@ -1,7 +1,7 @@ # NPEP-137: Conformance Profiles * Issue: [#137](https://github.com/kubernetes-sigs/network-policy-api/issues/137) -* Status: Implementable +* Status: Standard ## TLDR diff --git a/site-src/npeps/npep-126-egress-traffic-control.md b/site-src/npeps/npep-126-egress-traffic-control.md index 199f5358..c6a3b659 100644 --- a/site-src/npeps/npep-126-egress-traffic-control.md +++ b/site-src/npeps/npep-126-egress-traffic-control.md @@ -1,7 +1,7 @@ # NPEP-126: Add northbound traffic support in (B)ANP API * Issue: [#126](https://github.com/kubernetes-sigs/network-policy-api/issues/126) -* Status: Implementable +* Status: Experimental ## TLDR diff --git a/site-src/npeps/npep-137-conformance-profiles.md b/site-src/npeps/npep-137-conformance-profiles.md index 76f1ad08..3b1f2676 100644 --- a/site-src/npeps/npep-137-conformance-profiles.md +++ b/site-src/npeps/npep-137-conformance-profiles.md @@ -1,7 +1,7 @@ # NPEP-137: Conformance Profiles * Issue: [#137](https://github.com/kubernetes-sigs/network-policy-api/issues/137) -* Status: Implementable +* Status: Standard ## TLDR