Merge pull request #39164 from danwinship/networkpolicy-v1

Automatic merge from submit-queue Move NetworkPolicy to v1 Move NetworkPolicy to v1 @kubernetes/sig-network-misc **Release note**: ```release-note NetworkPolicy has been moved from `extensions/v1beta1` to the new `networking.k8s.io/v1` API group. The structure remains unchanged from the beta1 API. The `net.beta.kubernetes.io/network-policy` annotation on Namespaces to opt in to isolation has been removed. Instead, isolation is now determined at a per-pod level, with pods being isolated if there is any NetworkPolicy whose spec.podSelector targets them. Pods that are targeted by NetworkPolicies accept traffic that is accepted by any of the NetworkPolicies (and nothing else), and pods that are not targeted by any NetworkPolicy accept all traffic by default. Action Required: When upgrading to Kubernetes 1.7 (and a network plugin that supports the new NetworkPolicy v1 semantics), to ensure full behavioral compatibility with v1beta1: 1. In Namespaces that previously had the "DefaultDeny" annotation, you can create equivalent v1 semantics by creating a NetworkPolicy that matches all pods but does not allow any traffic: kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: default-deny spec: podSelector: This will ensure that pods that aren't match by any other NetworkPolicy will continue to be fully-isolated, as they were before. 2. In Namespaces that previously did not have the "DefaultDeny" annotation, you should delete any existing NetworkPolicy objects. These would have had no effect before, but with v1 semantics they might cause some traffic to be blocked that you didn't intend to be blocked. ```
kubernetes · May 28, 2017 · 382a170 · 382a170
2 parents 1fd6e97 + 0923f86
commit 382a170
Show file tree

Hide file tree

Showing 172 changed files with 21,105 additions and 37 deletions.
diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
diff --git a/api/swagger-spec/extensions_v1beta1.json b/api/swagger-spec/extensions_v1beta1.json
@@ -9765,6 +9765,7 @@
    },
    "v1beta1.NetworkPolicy": {
     "id": "v1beta1.NetworkPolicy",
+    "description": "NetworkPolicy describes what network traffic is allowed for a set of Pods",
     "properties": {
      "kind": {
       "type": "string",
@@ -9799,7 +9800,7 @@
       "items": {
        "$ref": "v1beta1.NetworkPolicyIngressRule"
       },
-      "description": "List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if namespace.networkPolicy.ingress.isolation is undefined and cluster policy allows it, OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not affect ingress isolation. If this field is present and contains at least one rule, this policy allows any traffic which matches at least one of the ingress rules in this list."
+      "description": "List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)."
      }
     }
    },

diff --git a/api/swagger-spec/networking.k8s.io.json b/api/swagger-spec/networking.k8s.io.json
@@ -0,0 +1,114 @@
+{
+  "swaggerVersion": "1.2",
+  "apiVersion": "",
+  "basePath": "https://10.10.10.10:6443",
+  "resourcePath": "/apis/networking.k8s.io",
+  "info": {
+   "title": "",
+   "description": ""
+  },
+  "apis": [
+   {
+    "path": "/apis/networking.k8s.io",
+    "description": "get information of a group",
+    "operations": [
+     {
+      "type": "v1.APIGroup",
+      "method": "GET",
+      "summary": "get information of a group",
+      "nickname": "getAPIGroup",
+      "parameters": [],
+      "produces": [
+       "application/json",
+       "application/yaml",
+       "application/vnd.kubernetes.protobuf"
+      ],
+      "consumes": [
+       "application/json",
+       "application/yaml",
+       "application/vnd.kubernetes.protobuf"
+      ]
+     }
+    ]
+   }
+  ],
+  "models": {
+   "v1.APIGroup": {
+    "id": "v1.APIGroup",
+    "description": "APIGroup contains the name, the supported versions, and the preferred version of a group.",
+    "required": [
+     "name",
+     "versions",
+     "serverAddressByClientCIDRs"
+    ],
+    "properties": {
+     "kind": {
+      "type": "string",
+      "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds"
+     },
+     "apiVersion": {
+      "type": "string",
+      "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#resources"
+     },
+     "name": {
+      "type": "string",
+      "description": "name is the name of the group."
+     },
+     "versions": {
+      "type": "array",
+      "items": {
+       "$ref": "v1.GroupVersionForDiscovery"
+      },
+      "description": "versions are the versions supported in this group."
+     },
+     "preferredVersion": {
+      "$ref": "v1.GroupVersionForDiscovery",
+      "description": "preferredVersion is the version preferred by the API server, which probably is the storage version."
+     },
+     "serverAddressByClientCIDRs": {
+      "type": "array",
+      "items": {
+       "$ref": "v1.ServerAddressByClientCIDR"
+      },
+      "description": "a map of client CIDR to server address that is serving this group. This is to help clients reach servers in the most network-efficient way possible. Clients can use the appropriate server address as per the CIDR that they match. In case of multiple matches, clients should use the longest matching CIDR. The server returns only those CIDRs that it thinks that the client can match. For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP."
+     }
+    }
+   },
+   "v1.GroupVersionForDiscovery": {
+    "id": "v1.GroupVersionForDiscovery",
+    "description": "GroupVersion contains the \"group/version\" and \"version\" string of a version. It is made a struct to keep extensibility.",
+    "required": [
+     "groupVersion",
+     "version"
+    ],
+    "properties": {
+     "groupVersion": {
+      "type": "string",
+      "description": "groupVersion specifies the API group and version in the form \"group/version\""
+     },
+     "version": {
+      "type": "string",
+      "description": "version specifies the version in the form of \"version\". This is to save the clients the trouble of splitting the GroupVersion."
+     }
+    }
+   },
+   "v1.ServerAddressByClientCIDR": {
+    "id": "v1.ServerAddressByClientCIDR",
+    "description": "ServerAddressByClientCIDR helps the client to determine the server address that they should use, depending on the clientCIDR that they match.",
+    "required": [
+     "clientCIDR",
+     "serverAddress"
+    ],
+    "properties": {
+     "clientCIDR": {
+      "type": "string",
+      "description": "The CIDR with which clients can match their IP to figure out the server address that they should use."
+     },
+     "serverAddress": {
+      "type": "string",
+      "description": "Address of this server, suitable for a client that matches the above CIDR. This can be a hostname, hostname:port, IP or IP:port."
+     }
+    }
+   }
+  }
+ }