Merge pull request #39164 from danwinship/networkpolicy-v1
Automatic merge from submit-queue Move NetworkPolicy to v1 Move NetworkPolicy to v1 @kubernetes/sig-network-misc **Release note**: ```release-note NetworkPolicy has been moved from `extensions/v1beta1` to the new `networking.k8s.io/v1` API group. The structure remains unchanged from the beta1 API. The `net.beta.kubernetes.io/network-policy` annotation on Namespaces to opt in to isolation has been removed. Instead, isolation is now determined at a per-pod level, with pods being isolated if there is any NetworkPolicy whose spec.podSelector targets them. Pods that are targeted by NetworkPolicies accept traffic that is accepted by any of the NetworkPolicies (and nothing else), and pods that are not targeted by any NetworkPolicy accept all traffic by default. Action Required: When upgrading to Kubernetes 1.7 (and a network plugin that supports the new NetworkPolicy v1 semantics), to ensure full behavioral compatibility with v1beta1: 1. In Namespaces that previously had the "DefaultDeny" annotation, you can create equivalent v1 semantics by creating a NetworkPolicy that matches all pods but does not allow any traffic: kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: default-deny spec: podSelector: This will ensure that pods that aren't matched by any other NetworkPolicy will continue to be fully isolated, as they were before. 2. In Namespaces that previously did not have the "DefaultDeny" annotation, you should delete any existing NetworkPolicy objects. These would have had no effect before, but with v1 semantics they might cause some traffic to be blocked that you didn't intend to be blocked. ```
Showing
172 changed files
with
21,105 additions
and
37 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,114 @@ | ||
{ | ||
"swaggerVersion": "1.2", | ||
"apiVersion": "", | ||
"basePath": "https://10.10.10.10:6443", | ||
"resourcePath": "/apis/networking.k8s.io", | ||
"info": { | ||
"title": "", | ||
"description": "" | ||
}, | ||
"apis": [ | ||
{ | ||
"path": "/apis/networking.k8s.io", | ||
"description": "get information of a group", | ||
"operations": [ | ||
{ | ||
"type": "v1.APIGroup", | ||
"method": "GET", | ||
"summary": "get information of a group", | ||
"nickname": "getAPIGroup", | ||
"parameters": [], | ||
"produces": [ | ||
"application/json", | ||
"application/yaml", | ||
"application/vnd.kubernetes.protobuf" | ||
], | ||
"consumes": [ | ||
"application/json", | ||
"application/yaml", | ||
"application/vnd.kubernetes.protobuf" | ||
] | ||
} | ||
] | ||
} | ||
], | ||
"models": { | ||
"v1.APIGroup": { | ||
"id": "v1.APIGroup", | ||
"description": "APIGroup contains the name, the supported versions, and the preferred version of a group.", | ||
"required": [ | ||
"name", | ||
"versions", | ||
"serverAddressByClientCIDRs" | ||
], | ||
"properties": { | ||
"kind": { | ||
"type": "string", | ||
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds" | ||
}, | ||
"apiVersion": { | ||
"type": "string", | ||
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#resources" | ||
}, | ||
"name": { | ||
"type": "string", | ||
"description": "name is the name of the group." | ||
}, | ||
"versions": { | ||
"type": "array", | ||
"items": { | ||
"$ref": "v1.GroupVersionForDiscovery" | ||
}, | ||
"description": "versions are the versions supported in this group." | ||
}, | ||
"preferredVersion": { | ||
"$ref": "v1.GroupVersionForDiscovery", | ||
"description": "preferredVersion is the version preferred by the API server, which probably is the storage version." | ||
}, | ||
"serverAddressByClientCIDRs": { | ||
"type": "array", | ||
"items": { | ||
"$ref": "v1.ServerAddressByClientCIDR" | ||
}, | ||
"description": "a map of client CIDR to server address that is serving this group. This is to help clients reach servers in the most network-efficient way possible. Clients can use the appropriate server address as per the CIDR that they match. In case of multiple matches, clients should use the longest matching CIDR. The server returns only those CIDRs that it thinks that the client can match. For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP." | ||
} | ||
} | ||
}, | ||
"v1.GroupVersionForDiscovery": { | ||
"id": "v1.GroupVersionForDiscovery", | ||
"description": "GroupVersion contains the \"group/version\" and \"version\" string of a version. It is made a struct to keep extensibility.", | ||
"required": [ | ||
"groupVersion", | ||
"version" | ||
], | ||
"properties": { | ||
"groupVersion": { | ||
"type": "string", | ||
"description": "groupVersion specifies the API group and version in the form \"group/version\"" | ||
}, | ||
"version": { | ||
"type": "string", | ||
"description": "version specifies the version in the form of \"version\". This is to save the clients the trouble of splitting the GroupVersion." | ||
} | ||
} | ||
}, | ||
"v1.ServerAddressByClientCIDR": { | ||
"id": "v1.ServerAddressByClientCIDR", | ||
"description": "ServerAddressByClientCIDR helps the client to determine the server address that they should use, depending on the clientCIDR that they match.", | ||
"required": [ | ||
"clientCIDR", | ||
"serverAddress" | ||
], | ||
"properties": { | ||
"clientCIDR": { | ||
"type": "string", | ||
"description": "The CIDR with which clients can match their IP to figure out the server address that they should use." | ||
}, | ||
"serverAddress": { | ||
"type": "string", | ||
"description": "Address of this server, suitable for a client that matches the above CIDR. This can be a hostname, hostname:port, IP or IP:port." | ||
} | ||
} | ||
} | ||
} | ||
} |
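Review bot: The `serverAddressByClientCIDRs` description says the server takes the client IP from the `X-Forwarded-For` header, then `X-Real-Ip`, then `request.RemoteAddr`, but does not say that the first two are client-supplied unless a trusted proxy overwrites them. I would add a sentence to that description such as `The returned CIDRs are a routing hint derived from request headers that a client can set; they must not be used for authorization decisions.` The hard-coded `basePath` of `https://10.10.10.10:6443` suggests this spec is generated, so the wording probably belongs in the source comment it is generated from rather than in this file.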