Merge pull request #143 from tssurya/implement-egress-traffic-semantics

Implement Cluster Egress Traffic semantics (ANP&BANP NorthBound Support) - PART1 - Nodes

apis/v1alpha1/adminnetworkpolicy_types.go

@@ -128,15 +128,15 @@ type AdminNetworkPolicyIngressRule struct {
 	Action AdminNetworkPolicyRuleAction `json:"action"`
 
 	// From is the list of sources whose traffic this rule applies to.
-	// If any AdminNetworkPolicyPeer matches the source of incoming
+	// If any AdminNetworkPolicyIngressPeer matches the source of incoming
 	// traffic then the specified action is applied.
 	// This field must be defined and contain at least one item.
 	//
 	// Support: Core
 	//
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
-	From []AdminNetworkPolicyPeer `json:"from"`
+	From []AdminNetworkPolicyIngressPeer `json:"from"`
 
 	// Ports allows for matching traffic based on port and protocols.
 	// This field is a list of ports which should be matched on
@@ -180,18 +180,18 @@ type AdminNetworkPolicyEgressRule struct {
 	Action AdminNetworkPolicyRuleAction `json:"action"`
 
 	// To is the List of destinations whose traffic this rule applies to.
-	// If any AdminNetworkPolicyPeer matches the destination of outgoing
+	// If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
 	// traffic then the specified action is applied.
 	// This field must be defined and contain at least one item.
 	//
 	// Support: Core
 	//
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
-	To []AdminNetworkPolicyPeer `json:"to"`
+	To []AdminNetworkPolicyEgressPeer `json:"to"`
 
 	// Ports allows for matching traffic based on port and protocols.
-	// This field is a list of destination ports for the outging egress traffic.
+	// This field is a list of destination ports for the outgoing egress traffic.
 	// If Ports is not set then the rule does not filter traffic via port.
 	//
 	// Support: Core

apis/v1alpha1/baselineadminnetworkpolicy_types.go

@@ -112,15 +112,15 @@ type BaselineAdminNetworkPolicyIngressRule struct {
 	Action BaselineAdminNetworkPolicyRuleAction `json:"action"`
 
 	// From is the list of sources whose traffic this rule applies to.
-	// If any AdminNetworkPolicyPeer matches the source of incoming
+	// If any AdminNetworkPolicyIngressPeer matches the source of incoming
 	// traffic then the specified action is applied.
 	// This field must be defined and contain at least one item.
 	//
 	// Support: Core
 	//
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
-	From []AdminNetworkPolicyPeer `json:"from"`
+	From []AdminNetworkPolicyIngressPeer `json:"from"`
 
 	// Ports allows for matching traffic based on port and protocols.
 	// This field is a list of ports which should be matched on
@@ -160,15 +160,15 @@ type BaselineAdminNetworkPolicyEgressRule struct {
 	Action BaselineAdminNetworkPolicyRuleAction `json:"action"`
 
 	// To is the list of destinations whose traffic this rule applies to.
-	// If any AdminNetworkPolicyPeer matches the destination of outgoing
+	// If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
 	// traffic then the specified action is applied.
 	// This field must be defined and contain at least one item.
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
 	//
 	// Support: Core
 	//
-	To []AdminNetworkPolicyPeer `json:"to"`
+	To []AdminNetworkPolicyEgressPeer `json:"to"`
 
 	// Ports allows for matching traffic based on port and protocols.
 	// This field is a list of destination ports for the outging egress traffic.

apis/v1alpha1/shared_types.go

@@ -120,13 +120,13 @@ type PortRange struct {
 	End int32 `json:"end"`
 }
 
-// AdminNetworkPolicyPeer defines an in-cluster peer to allow traffic to/from.
+// AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from.
 // Exactly one of the selector pointers must be set for a given peer. If a
 // consumer observes none of its fields are set, they must assume an unknown
 // option has been specified and fail closed.
 // +kubebuilder:validation:MaxProperties=1
 // +kubebuilder:validation:MinProperties=1
-type AdminNetworkPolicyPeer struct {
+type AdminNetworkPolicyIngressPeer struct {
 	// Namespaces defines a way to select all pods within a set of Namespaces.
 	// Note that host-networked pods are not included in this type of peer.
 	//
@@ -135,7 +135,7 @@ type AdminNetworkPolicyPeer struct {
 	// +optional
 	Namespaces *NamespacedPeer `json:"namespaces,omitempty"`
 	// Pods defines a way to select a set of pods in
-	// in a set of namespaces. Note that host-networked pods
+	// a set of namespaces. Note that host-networked pods
 	// are not included in this type of peer.
 	//
 	// Support: Core
@@ -144,6 +144,39 @@ type AdminNetworkPolicyPeer struct {
 	Pods *NamespacedPodPeer `json:"pods,omitempty"`
 }
 
+// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
+// Exactly one of the selector pointers must be set for a given peer. If a
+// consumer observes none of its fields are set, they must assume an unknown
+// option has been specified and fail closed.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type AdminNetworkPolicyEgressPeer struct {
+	// Namespaces defines a way to select all pods within a set of Namespaces.
+	// Note that host-networked pods are not included in this type of peer.
+	//
+	// Support: Core
+	//
+	// +optional
+	Namespaces *NamespacedPeer `json:"namespaces,omitempty"`
+	// Pods defines a way to select a set of pods in
+	// a set of namespaces. Note that host-networked pods
+	// are not included in this type of peer.
+	//
+	// Support: Core
+	//
+	// +optional
+	Pods *NamespacedPodPeer `json:"pods,omitempty"`
+	// Nodes defines a way to select a set of nodes in
+	// the cluster. This field follows standard label selector
+	// semantics; if present but empty, it selects all Nodes.
+	//
+	// Support: Extended
+	//
+	// <network-policy-api:experimental>
+	// +optional
+	Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
+}
+
 // NamespacedPeer defines a flexible way to select Namespaces in a cluster.
 // Exactly one of the selectors must be set.  If a consumer observes none of
 // its fields are set, they must assume an unknown option has been specified