Change to verbose API design
Signed-off-by: wgrayson <wgrayson@vmware.com>
GraysonWu committed Jan 26, 2022
1 parent 7836393 commit 4f64e47
Showing 14 changed files with 2,633 additions and 1,070 deletions.
485 changes: 350 additions & 135 deletions build/yamls/antrea-aks.yml


485 changes: 350 additions & 135 deletions build/yamls/antrea-eks.yml


485 changes: 350 additions & 135 deletions build/yamls/antrea-gke.yml


485 changes: 350 additions & 135 deletions build/yamls/antrea-ipsec.yml


485 changes: 350 additions & 135 deletions build/yamls/antrea-kind.yml


485 changes: 350 additions & 135 deletions build/yamls/antrea.yml


470 changes: 335 additions & 135 deletions build/yamls/base/crds.yml


28 changes: 15 additions & 13 deletions docs/antrea-network-policy.md
Expand Up @@ -1121,9 +1121,9 @@ No matter `serviceAccounts` is used in which sections, it cannot be used with an

`serviceAccounts` can be used in three ways:

1. `name` + `namespace`: The ServiceAccount with a specific name under a specific namespace will be selected.
2. `labelSelector`: All ServiceAccounts with specific labels in all namespace will be selected.
3. `labelSelector` + `namespaceSelector`: All ServiceAccounts with specific labels in all namespaces that have
1. Use `namespacedName`: The ServiceAccount with a specific name under a specific namespace will be selected.
2. Use `objectSelector`: All ServiceAccounts with specific labels in all namespace will be selected.
3. Use `namespacedObjectSelector`: All ServiceAccounts with specific labels in all namespaces that have
specific labels will be selected.

An example policy using `serviceAccounts` could look like this:
Expand All @@ -1138,27 +1138,29 @@ spec:
tier: securityops
appliedTo:
- serviceAccounts:
labelSelector:
objectSelector:
matchLabels:
level: user
level: user
egress:
- action: Drop
to:
- serviceAccounts:
name: sa-1
namespace: ns-1
namespacedName:
name: sa-1
namespace: ns-1
name: ServiceAccountsEgressRule
enableLogging: false
ingress:
- action: Reject
from:
- serviceAccounts:
labelSelector:
matchLabels:
level: admin
namespaceSelector:
matchLabels:
env: prod
namespacedObjectSelector:
objectSelector:
matchLabels:
level: admin
namespaceSelector:
matchLabels:
env: prod
name: ServiceAccountsIngressRule
enableLogging: false
```
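--- a/pkg/apis/crd/v1alpha1/types.go
+++ b/pkg/apis/crd/v1alpha1/types.go
@@ -597,16 +597,24 @@ type TierList struct {
 Items []Tier `json:"items"`
 }
 
+// PeerServiceAccounts can use NamespacedName, ObjectSelector or
+// NamespacedObjectSelector to select ServiceAccounts.
 type PeerServiceAccounts struct {
-// Name and Namespace must be used together to select a specific ServiceAccount.
-// Name and Namespace cannot be set with any other fields.
+NamespacedName *NamespacedName `json:"namespacedName,omitempty"`
+ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty"`
+NamespacedObjectSelector *NamespacedObjectSelector `json:"namespacedObjectSelector,omitempty"`
+}
+
+// NamespacedName selects a specific Object by using Name + Namespace.
+// All fields must be used together.
+type NamespacedName struct {
 Name string `json:"name,omitempty"`
 Namespace string `json:"namespace,omitempty"`
-// Select all ServiceAccounts matched by this selector. If set with
-// NamespaceSelector, ServiceAccounts are matched from Namespaces matched by the
-// NamespaceSelector.
-// Cannot be set with any other fields except NamespaceSelector.
-LabelSelector *metav1.LabelSelector `json:"labelSelector,omitempty"`
-// Can be only used with LabelSelector.
+}
+
+// NamespacedObjectSelector selects all Objects matched by the ObjectSelector from
+// Namespaces matched by the NamespaceSelector. All fields must be used together.
+type NamespacedObjectSelector struct {
+ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty"`
 NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
 }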
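Review bot: The new PeerServiceAccounts doc comment no longer states that its three fields are mutually exclusive, and nothing in this hunk enforces it; the old per-field comments carried the "cannot be set with any other fields" constraint that the new layout drops. The translateServiceAccounts hunk in pkg/controller/networkpolicy/clusternetworkpolicy.go returns after the first populated field, so a peer with two fields set is silently interpreted by whichever branch runs first rather than rejected. I'd restore the constraint on the struct comment, e.g. `// Exactly one of NamespacedName, ObjectSelector and NamespacedObjectSelector should be set; setting more than one is invalid.`, and add to NamespacedName that both Name and Namespace are required, since both are tagged omitempty and an empty value is otherwise accepted. Whether the regenerated CRD schema in build/yamls/base/crds.yml enforces any of this cannot be confirmed from this page, as that diff is not rendered.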
57 changes: 52 additions & 5 deletions pkg/apis/crd/v1alpha1/zz_generated.deepcopy.go


84 changes: 46 additions & 38 deletions pkg/controller/networkpolicy/clusternetworkpolicy.go
Expand Up @@ -271,28 +271,31 @@ func (n *NetworkPolicyController) filterACNPsByServiceAccount(sa *v1.ServiceAcco
peerSelectedServiceAccount := func(peers []crdv1alpha1.NetworkPolicyPeer) bool {
for _, peer := range peers {
if peer.ServiceAccounts != nil {
if peer.ServiceAccounts.Name == sa.Name && peer.ServiceAccounts.Namespace == sa.Namespace {
if peer.ServiceAccounts.NamespacedName != nil && peer.ServiceAccounts.NamespacedName.Name == sa.Name && peer.ServiceAccounts.NamespacedName.Namespace == sa.Namespace {
return true
}
if peer.ServiceAccounts.LabelSelector != nil {
if peer.ServiceAccounts.NamespaceSelector != nil {
saNSSelector, err := metav1.LabelSelectorAsSelector(peer.ServiceAccounts.NamespaceSelector)
if err != nil {
continue
}
selectedNSs, _ := n.namespaceLister.List(saNSSelector)
nsSelected := false
for _, selectedNS := range selectedNSs {
if sa.Namespace == selectedNS.Name {
nsSelected = true
break
}
}
if !nsSelected {
continue
}
if peer.ServiceAccounts.ObjectSelector != nil {
saSelector, err := metav1.LabelSelectorAsSelector(peer.ServiceAccounts.ObjectSelector)
if err != nil {
continue
}
if saSelector.Matches(labels.Set(sa.Labels)) {
return true
}
saSelector, err := metav1.LabelSelectorAsSelector(peer.ServiceAccounts.LabelSelector)
}
if peer.ServiceAccounts.NamespacedObjectSelector != nil {
saNSSelector, err := metav1.LabelSelectorAsSelector(peer.ServiceAccounts.NamespacedObjectSelector.NamespaceSelector)
if err != nil {
continue
}
saNS, err := n.namespaceLister.Get(sa.Namespace)
if err != nil {
continue
}
if !saNSSelector.Matches(labels.Set(saNS.Labels)) {
continue
}
saSelector, err := metav1.LabelSelectorAsSelector(peer.ServiceAccounts.NamespacedObjectSelector.ObjectSelector)
if err != nil {
continue
}
Expand Down Expand Up @@ -589,34 +592,39 @@ func (n *NetworkPolicyController) translateServiceAccounts(sa *crdv1alpha1.PeerS
}
}
if sa == nil {
return
return
}
if sa.Name != "" && sa.Namespace != "" {
newPeers = append(newPeers, saToPSelNSel(sa.Namespace, sa.Name))
if sa.NamespacedName != nil {
newPeers = append(newPeers, saToPSelNSel(sa.NamespacedName.Namespace, sa.NamespacedName.Name))
return
}
if sa.LabelSelector != nil {
var selectedSAs []*v1.ServiceAccount
saLabelSelector, err := metav1.LabelSelectorAsSelector(sa.LabelSelector)
if sa.ObjectSelector != nil {
saLabelSelector, err := metav1.LabelSelectorAsSelector(sa.ObjectSelector)
if err != nil {
return
}
if sa.NamespaceSelector == nil {
selectedSAs, _ = n.serviceAccountLister.List(saLabelSelector)
} else {
saNSSelector, err := metav1.LabelSelectorAsSelector(sa.NamespaceSelector)
if err != nil {
return
}
selectedNSs, _ := n.namespaceLister.List(saNSSelector)
for _, selectedNS := range selectedNSs {
saInNS, _ := n.serviceAccountLister.ServiceAccounts(selectedNS.Name).List(saLabelSelector)
selectedSAs = append(selectedSAs, saInNS...)
}
}
selectedSAs, _ := n.serviceAccountLister.List(saLabelSelector)
for _, selectedSA := range selectedSAs {
newPeers = append(newPeers, saToPSelNSel(selectedSA.Namespace, selectedSA.Name))
}
return
}
if sa.NamespacedObjectSelector != nil {
saLabelSelector, err := metav1.LabelSelectorAsSelector(sa.NamespacedObjectSelector.ObjectSelector)
if err != nil {
return
}
saNSSelector, err := metav1.LabelSelectorAsSelector(sa.NamespacedObjectSelector.NamespaceSelector)
if err != nil {
return
}
selectedNSs, _ := n.namespaceLister.List(saNSSelector)
for _, selectedNS := range selectedNSs {
selectedSAs, _ := n.serviceAccountLister.ServiceAccounts(selectedNS.Name).List(saLabelSelector)
for _, selectedSA := range selectedSAs {
newPeers = append(newPeers, saToPSelNSel(selectedSA.Namespace, selectedSA.Name))
}
}
}
return
}
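Review bot: The non-empty check on name and namespace was dropped from translateServiceAccounts: the old guard `if sa.Name != "" && sa.Namespace != ""` became `if sa.NamespacedName != nil`, so a peer with `namespacedName: {}` (both fields are tagged omitempty in types.go) now reaches saToPSelNSel with empty strings instead of selecting nothing. I'd keep the guard: `if sa.NamespacedName != nil && sa.NamespacedName.Name != "" && sa.NamespacedName.Namespace != "" {`. A related gap exists in the NamespacedObjectSelector branches of both hunks: a nil ObjectSelector or NamespaceSelector is passed straight to metav1.LabelSelectorAsSelector, which returns labels.Nothing() for a nil selector, so a half-filled selector silently matches nothing rather than being reported; an explicit nil check or a comment stating that the CRD schema makes both sub-fields required would make that intent visible. Both filterACNPsByServiceAccount and translateServiceAccounts start outside their hunks.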
44 changes: 28 additions & 16 deletions pkg/controller/networkpolicy/clusternetworkpolicy_test.go
Expand Up @@ -966,15 +966,17 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
expectedAddressGroups: 0,
},
{
name: "applied-to-with-service-accounts-name",
name: "applied-to-with-service-accounts-namespaced-name",
inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{
ObjectMeta: metav1.ObjectMeta{Name: "cnpL", UID: "uidL"},
Spec: crdv1alpha1.ClusterNetworkPolicySpec{
AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
{
ServiceAccounts: &crdv1alpha1.PeerServiceAccounts{
Name: saA.Name,
Namespace: saA.Namespace,
NamespacedName: &crdv1alpha1.NamespacedName{
Name: saA.Name,
Namespace: saA.Namespace,
},
},
},
},
Expand Down Expand Up @@ -1023,14 +1025,14 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
expectedAddressGroups: 0,
},
{
name: "applied-to-with-service-accounts-label-sel",
name: "applied-to-with-service-accounts-object-sel",
inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{
ObjectMeta: metav1.ObjectMeta{Name: "cnpM", UID: "uidM"},
Spec: crdv1alpha1.ClusterNetworkPolicySpec{
AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
{
ServiceAccounts: &crdv1alpha1.PeerServiceAccounts{
LabelSelector: &metav1.LabelSelector{MatchLabels: saA.Labels},
ObjectSelector: &metav1.LabelSelector{MatchLabels: saA.Labels},
},
},
},
Expand Down Expand Up @@ -1079,15 +1081,17 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
expectedAddressGroups: 0,
},
{
name: "applied-to-with-service-accounts-label-ns-sel",
name: "applied-to-with-service-accounts-namespaced-object-sel",
inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{
ObjectMeta: metav1.ObjectMeta{Name: "cnpN", UID: "uidN"},
Spec: crdv1alpha1.ClusterNetworkPolicySpec{
AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
{
ServiceAccounts: &crdv1alpha1.PeerServiceAccounts{
LabelSelector: &metav1.LabelSelector{MatchLabels: saA.Labels},
NamespaceSelector: &metav1.LabelSelector{MatchLabels: nsA.Labels},
NamespacedObjectSelector: &crdv1alpha1.NamespacedObjectSelector{
ObjectSelector: &metav1.LabelSelector{MatchLabels: saA.Labels},
NamespaceSelector: &metav1.LabelSelector{MatchLabels: nsA.Labels},
},
},
},
},
Expand Down Expand Up @@ -1143,8 +1147,10 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
{
ServiceAccounts: &crdv1alpha1.PeerServiceAccounts{
LabelSelector: &metav1.LabelSelector{MatchLabels: saA.Labels},
NamespaceSelector: &metav1.LabelSelector{MatchLabels: nsB.Labels},
NamespacedObjectSelector: &crdv1alpha1.NamespacedObjectSelector{
ObjectSelector: &metav1.LabelSelector{MatchLabels: saA.Labels},
NamespaceSelector: &metav1.LabelSelector{MatchLabels: nsB.Labels},
},
},
},
{
Expand Down Expand Up @@ -1211,8 +1217,10 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
To: []crdv1alpha1.NetworkPolicyPeer{
{
ServiceAccounts: &crdv1alpha1.PeerServiceAccounts{
Name: saA.Name,
Namespace: saA.Namespace,
NamespacedName: &crdv1alpha1.NamespacedName{
Name: saA.Name,
Namespace: saA.Namespace,
},
},
},
},
Expand Down Expand Up @@ -1263,8 +1271,10 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
{
ServiceAccounts: &crdv1alpha1.PeerServiceAccounts{
Name: saA.Name,
Namespace: saA.Namespace,
NamespacedName: &crdv1alpha1.NamespacedName{
Name: saA.Name,
Namespace: saA.Namespace,
},
},
},
},
Expand Down Expand Up @@ -1307,8 +1317,10 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
{
ServiceAccounts: &crdv1alpha1.PeerServiceAccounts{
Name: saA.Name,
Namespace: saA.Namespace,
NamespacedName: &crdv1alpha1.NamespacedName{
Name: saA.Name,
Namespace: saA.Namespace,
},
},
},
},
