diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index d4a4016a660..5095efd120f 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml @@ -46,6 +46,10 @@ metadata: name: clusternetworkpolicies.security.antrea.tanzu.vmware.com spec: additionalPrinterColumns: + - JSONPath: .spec.tier + description: The Tier to which this ClusterNetworkPolicy belongs to. + name: Tier + type: string - JSONPath: .spec.priority description: The Priority of this ClusterNetworkPolicy relative to other policies. format: float @@ -150,6 +154,14 @@ spec: maximum: 10000 minimum: 1 type: number + tier: + enum: + - Emergency + - SecurityOps + - NetworkOps + - Platform + - Application + type: string required: - appliedTo - priority diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index f7b17f07454..79e318fbddd 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml @@ -46,6 +46,10 @@ metadata: name: clusternetworkpolicies.security.antrea.tanzu.vmware.com spec: additionalPrinterColumns: + - JSONPath: .spec.tier + description: The Tier to which this ClusterNetworkPolicy belongs to. + name: Tier + type: string - JSONPath: .spec.priority description: The Priority of this ClusterNetworkPolicy relative to other policies. format: float @@ -150,6 +154,14 @@ spec: maximum: 10000 minimum: 1 type: number + tier: + enum: + - Emergency + - SecurityOps + - NetworkOps + - Platform + - Application + type: string required: - appliedTo - priority diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index f4c14af81cd..340a47db0a5 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml 
@@ -46,6 +46,10 @@ metadata: name: clusternetworkpolicies.security.antrea.tanzu.vmware.com spec: additionalPrinterColumns: + - JSONPath: .spec.tier + description: The Tier to which this ClusterNetworkPolicy belongs to. + name: Tier + type: string - JSONPath: .spec.priority description: The Priority of this ClusterNetworkPolicy relative to other policies. format: float @@ -150,6 +154,14 @@ spec: maximum: 10000 minimum: 1 type: number + tier: + enum: + - Emergency + - SecurityOps + - NetworkOps + - Platform + - Application + type: string required: - appliedTo - priority diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 4906e2ba7c4..842a1d6e9ed 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -46,6 +46,10 @@ metadata: name: clusternetworkpolicies.security.antrea.tanzu.vmware.com spec: additionalPrinterColumns: + - JSONPath: .spec.tier + description: The Tier to which this ClusterNetworkPolicy belongs to. + name: Tier + type: string - JSONPath: .spec.priority description: The Priority of this ClusterNetworkPolicy relative to other policies. format: float @@ -150,6 +154,14 @@ spec: maximum: 10000 minimum: 1 type: number + tier: + enum: + - Emergency + - SecurityOps + - NetworkOps + - Platform + - Application + type: string required: - appliedTo - priority diff --git a/build/yamls/base/crds.yml b/build/yamls/base/crds.yml index c2f591f170c..bf0c36fa014 100644 --- a/build/yamls/base/crds.yml +++ b/build/yamls/base/crds.yml @@ -221,6 +221,10 @@ spec: # Prune any unknown fields preserveUnknownFields: false additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this ClusterNetworkPolicy belongs to. + JSONPath: .spec.tier - name: Priority type: number format: float @@ -240,6 +244,9 @@ spec: - priority type: object properties: + tier: + type: string + enum: ['Emergency', 'SecurityOps', 'NetworkOps', 'Platform', 'Application'] priority: type: number format: float 
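Review bot: Only the ClusterNetworkPolicy CRD schema gains the `tier` property and its `enum` in `build/yamls/base/crds.yml`, while `pkg/apis/security/v1alpha1/types.go` in this same diff also adds a `Tier` field to the namespaced `NetworkPolicySpec`. With `preserveUnknownFields: false` visible in the hunk context, a `tier` set on a namespaced NetworkPolicy would be pruned silently unless that CRD's schema is extended too; the namespaced schema may be updated outside this hunk, which is worth confirming. Mirroring the same `tier:` / `enum: [...]` block into the NetworkPolicy CRD keeps the two APIs consistent, and the enum is then the one place where a misspelled tier name is rejected at admission.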
diff --git a/pkg/apis/networking/types.go b/pkg/apis/networking/types.go index 251a672e33b..2a86a6217ee 100644 --- a/pkg/apis/networking/types.go +++ b/pkg/apis/networking/types.go @@ -146,6 +146,10 @@ type AddressGroupList struct { Items []AddressGroup } +// TierPriority specifies the relative ordering among Tiers. A lower +// TierPriority indicates higher precedence. +type TierPriority uint32 + // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // NetworkPolicy is the message format of antrea/pkg/controller/types.NetworkPolicy in an API response. type NetworkPolicy struct { @@ -155,9 +159,12 @@ type NetworkPolicy struct { Rules []NetworkPolicyRule // AppliedToGroups is a list of names of AppliedToGroups to which this policy applies. AppliedToGroups []string - // Priority represents the relative priority of this Network Policy as compared to - // other Network Policies. Priority will be unset (nil) for K8s Network Policy. + // Priority represents the relative priority of this NetworkPolicy as compared to + // other NetworkPolicies. Priority will be unset (nil) for K8s NetworkPolicy. Priority *float64 + // TierPriority represents the priority of the Tier associated with this NetworkPolicy. + // The TierPriority will remain nil for K8s NetworkPolicy. + TierPriority *TierPriority } // Direction defines traffic direction of NetworkPolicyRule. @@ -185,7 +192,7 @@ type NetworkPolicyRule struct { Priority int32 // Action specifies the action to be applied on the rule. i.e. Allow/Drop. An empty // action “nil” defaults to Allow action, which would be the case for rules created for - // K8s Network Policy. + // K8s NetworkPolicy. Action *secv1alpha1.RuleAction } diff --git a/pkg/apis/networking/v1beta1/generated.pb.go b/pkg/apis/networking/v1beta1/generated.pb.go index 12e279364a3..47d143bf9e8 100644 --- a/pkg/apis/networking/v1beta1/generated.pb.go +++ b/pkg/apis/networking/v1beta1/generated.pb.go 
@@ -603,90 +603,92 @@ func init() { } var fileDescriptor_da8f95e0f1c69434 = []byte{ - // 1324 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x58, 0xc1, 0x6f, 0x1b, 0xc5, - 0x17, 0xce, 0xae, 0xed, 0x24, 0x9e, 0x38, 0x69, 0x33, 0xf9, 0x49, 0x3f, 0x53, 0x90, 0x1d, 0x2d, + // 1349 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x58, 0xcf, 0x6f, 0x1b, 0xc5, + 0x17, 0xcf, 0xae, 0xed, 0x24, 0x9e, 0x38, 0x69, 0x33, 0xf9, 0x4a, 0x5f, 0x53, 0x90, 0x1d, 0x2d, 0x97, 0x1c, 0xe8, 0x2e, 0x29, 0x15, 0x54, 0x08, 0x0e, 0x71, 0x13, 0x8a, 0xab, 0x36, 0x5d, 0x4d, 0x7b, 0x42, 0x48, 0x30, 0xd9, 0x9d, 0x38, 0xd3, 0x78, 0x77, 0x96, 0xd9, 0xb1, 0xdb, 0xc2, 0x05, - 0x2e, 0x48, 0x9c, 0xda, 0x13, 0x17, 0x6e, 0x88, 0xbf, 0x82, 0x0b, 0xd7, 0x9e, 0x50, 0x8f, 0xe5, - 0x62, 0x88, 0xcb, 0x5f, 0x51, 0x2e, 0x68, 0x66, 0x67, 0xbd, 0xbb, 0x0e, 0x56, 0x23, 0xec, 0x44, - 0x1c, 0x72, 0x4a, 0x66, 0xe6, 0xcd, 0xfb, 0xde, 0x7c, 0xf3, 0xde, 0x37, 0x6f, 0x0d, 0x6e, 0x76, - 0xa8, 0x38, 0xe8, 0xed, 0xd9, 0x1e, 0x0b, 0x9c, 0x7e, 0xf0, 0x00, 0x73, 0x72, 0x59, 0xe0, 0xf0, - 0xcb, 0x9e, 0x83, 0x43, 0xc1, 0x09, 0x76, 0xa2, 0xc3, 0x8e, 0x83, 0x23, 0x1a, 0x3b, 0x21, 0x11, - 0x0f, 0x18, 0x3f, 0xa4, 0x61, 0xc7, 0xe9, 0x6f, 0xee, 0x11, 0x81, 0x37, 0x9d, 0x0e, 0x09, 0x09, - 0xc7, 0x82, 0xf8, 0x76, 0xc4, 0x99, 0x60, 0xf0, 0xfd, 0xcc, 0x97, 0x9d, 0xf8, 0xfa, 0x4c, 0xf9, - 0xb2, 0x13, 0x5f, 0x76, 0x74, 0xd8, 0xb1, 0xa5, 0x2f, 0x3b, 0xf3, 0x65, 0x6b, 0x5f, 0x97, 0x2e, - 0xe7, 0xe2, 0xe8, 0xb0, 0x0e, 0x73, 0x94, 0xcb, 0xbd, 0xde, 0xbe, 0x1a, 0xa9, 0x81, 0xfa, 0x2f, - 0x81, 0xba, 0x74, 0xf5, 0xf0, 0x5a, 0x6c, 0x53, 0x26, 0x43, 0x0b, 0xb0, 0x77, 0x40, 0x43, 0xc2, - 0x1f, 0x65, 0xb1, 0x06, 0x44, 0x60, 0xa7, 0x7f, 0x2c, 0xc0, 0x4b, 0xce, 0xa4, 0x5d, 0xbc, 0x17, - 0x0a, 0x1a, 0x90, 0x63, 0x1b, 0xde, 0x7d, 0xd5, 0x86, 0xd8, 0x3b, 0x20, 0x01, 0x3e, 0xb6, 0xef, - 0x9d, 0x49, 0xfb, 0x7a, 0x82, 0x76, 0x1d, 0x1a, 0x8a, 
0x58, 0xf0, 0xf1, 0x4d, 0xd6, 0xd0, 0x04, - 0xb5, 0x2d, 0xdf, 0xe7, 0x24, 0x8e, 0x6f, 0x70, 0xd6, 0x8b, 0xe0, 0xe7, 0x60, 0x51, 0x9e, 0xc4, - 0xc7, 0x02, 0xd7, 0x8d, 0x75, 0x63, 0x63, 0xe9, 0xca, 0xdb, 0x76, 0xe2, 0xd8, 0xce, 0x3b, 0xce, - 0x78, 0x95, 0xd6, 0x76, 0x7f, 0xd3, 0xbe, 0xb3, 0x77, 0x9f, 0x78, 0xe2, 0x36, 0x11, 0xb8, 0x05, - 0x9f, 0x0e, 0x9a, 0x73, 0xc3, 0x41, 0x13, 0x64, 0x73, 0x68, 0xe4, 0x15, 0x76, 0x41, 0x39, 0x62, - 0x7e, 0x5c, 0x37, 0xd7, 0x4b, 0x1b, 0x4b, 0x57, 0x6e, 0xda, 0xff, 0xfe, 0x02, 0x6d, 0x15, 0xf2, - 0x6d, 0x12, 0xec, 0x11, 0xee, 0x32, 0xbf, 0x55, 0xd3, 0xb8, 0x65, 0x97, 0xf9, 0x31, 0x52, 0x28, - 0xf0, 0x1b, 0x03, 0xd4, 0x3a, 0x99, 0x59, 0x5c, 0x2f, 0x29, 0xd8, 0x1b, 0x33, 0x82, 0x6d, 0xfd, - 0x4f, 0x63, 0xd6, 0x72, 0x93, 0x31, 0x2a, 0x40, 0x5a, 0xbf, 0x1b, 0xe0, 0x62, 0x9e, 0xe4, 0x5b, - 0x34, 0x16, 0xf0, 0xd3, 0x63, 0x44, 0xdb, 0x27, 0x23, 0x5a, 0xee, 0x56, 0x34, 0x5f, 0xd4, 0xd0, - 0x8b, 0xe9, 0x4c, 0x8e, 0xe4, 0x00, 0x54, 0xa8, 0x20, 0x41, 0xca, 0xf2, 0xc7, 0xd3, 0x1c, 0x37, - 0x1f, 0x7a, 0x6b, 0x59, 0x83, 0x56, 0xda, 0xd2, 0x3d, 0x4a, 0x50, 0xac, 0x1f, 0x2b, 0x60, 0x35, - 0x6f, 0xe6, 0x62, 0xe1, 0x1d, 0x9c, 0x41, 0x2e, 0x7d, 0x05, 0xaa, 0xd8, 0xf7, 0x89, 0xef, 0x9e, - 0x4e, 0x42, 0xad, 0x6a, 0xf0, 0xea, 0x56, 0x0a, 0x82, 0x32, 0x3c, 0x99, 0x5a, 0x4b, 0x9c, 0x04, - 0xac, 0xaf, 0xf1, 0x4b, 0x33, 0xc7, 0x5f, 0xd3, 0xf8, 0x4b, 0x28, 0x83, 0x41, 0x79, 0x4c, 0xf8, - 0xc4, 0x00, 0xab, 0x2a, 0xa2, 0x7c, 0xfa, 0xd5, 0xcb, 0xb3, 0xcd, 0xf1, 0xd7, 0x74, 0x18, 0xab, - 0x5b, 0xe3, 0x48, 0xe8, 0x38, 0x38, 0xfc, 0xde, 0x00, 0x6b, 0x3a, 0xc4, 0x42, 0x50, 0x95, 0xd9, - 0x06, 0xf5, 0xba, 0x0e, 0x6a, 0x0d, 0x1d, 0xc7, 0x42, 0xff, 0x14, 0x80, 0xf5, 0xa7, 0x09, 0x56, - 0xb6, 0xa2, 0xa8, 0x4b, 0x89, 0x7f, 0x8f, 0x9d, 0xab, 0xdd, 0x69, 0xa9, 0xdd, 0x0b, 0x03, 0xc0, - 0x22, 0xcd, 0x67, 0xa0, 0x77, 0xac, 0xa8, 0x77, 0x53, 0xf1, 0x5c, 0x0c, 0x7e, 0x82, 0xe2, 0xfd, - 0x54, 0x01, 0x6b, 0x45, 0xc3, 0x73, 0xcd, 0x3b, 0xd7, 0xbc, 0xff, 0x9c, 0xe6, 0xfd, 0x60, 
0x80, - 0xc5, 0x9d, 0xd0, 0x8f, 0x18, 0x0d, 0x05, 0x7c, 0x13, 0x98, 0x34, 0x52, 0x59, 0x59, 0x6b, 0xad, - 0x0d, 0x07, 0x4d, 0xb3, 0xed, 0xbe, 0x1c, 0x34, 0xab, 0x6d, 0x57, 0x3f, 0xdd, 0xc8, 0xa4, 0x11, - 0xbc, 0x0f, 0x2a, 0x11, 0xe3, 0x22, 0x4d, 0xad, 0x9d, 0x69, 0x62, 0xdf, 0xc5, 0x81, 0xbc, 0x33, - 0x2e, 0xb2, 0x22, 0x92, 0xa3, 0x18, 0x25, 0x10, 0x56, 0x17, 0xfc, 0x7f, 0xe7, 0xa1, 0x20, 0x3c, - 0xc4, 0xdd, 0x9d, 0x50, 0x50, 0xf1, 0x08, 0x91, 0x7d, 0xc2, 0x49, 0xe8, 0x11, 0xb8, 0x0e, 0xca, - 0x21, 0x0e, 0x88, 0x8a, 0xb6, 0x9a, 0x69, 0x9d, 0xf4, 0x88, 0xd4, 0x0a, 0x74, 0x40, 0x55, 0xfe, - 0x8d, 0x23, 0xec, 0x91, 0xba, 0xa9, 0xcc, 0x46, 0xb9, 0xbb, 0x9b, 0x2e, 0xa0, 0xcc, 0xc6, 0xfa, - 0xcb, 0x04, 0x4b, 0x39, 0x72, 0xe0, 0x63, 0x03, 0xac, 0x90, 0x02, 0xbc, 0xae, 0xd8, 0xbb, 0xd3, - 0x9c, 0x79, 0xc2, 0x81, 0x5a, 0x70, 0x38, 0x68, 0xae, 0x8c, 0x2d, 0x8e, 0xc1, 0x43, 0x0f, 0x94, - 0x22, 0xe6, 0xab, 0xc3, 0x4c, 0xd9, 0xb3, 0xb9, 0xcc, 0xcf, 0xa0, 0x17, 0x86, 0x83, 0x66, 0x49, - 0xce, 0x48, 0xef, 0xb0, 0x07, 0xaa, 0x44, 0x67, 0x44, 0x5a, 0xbf, 0xdb, 0x53, 0x1d, 0x58, 0x3b, - 0xcb, 0xd8, 0x4f, 0x67, 0x62, 0x94, 0x21, 0x59, 0xdf, 0x9a, 0x60, 0xa5, 0x58, 0xea, 0xe9, 0x71, - 0x8d, 0x53, 0x3d, 0x6e, 0x92, 0xf4, 0xe6, 0x09, 0x93, 0xbe, 0x74, 0xfa, 0x49, 0xff, 0x9b, 0x01, - 0x16, 0xda, 0x6e, 0xab, 0xcb, 0xbc, 0x43, 0xe8, 0x81, 0xb2, 0x47, 0x7d, 0xae, 0x29, 0xd8, 0x9a, - 0x06, 0xb6, 0xed, 0xee, 0x12, 0x91, 0x15, 0xca, 0xf5, 0xf6, 0x36, 0x42, 0xca, 0x39, 0xa4, 0x60, - 0x9e, 0x3c, 0xf4, 0x48, 0x24, 0x74, 0x49, 0xcf, 0x00, 0x66, 0x45, 0xc3, 0xcc, 0xef, 0x28, 0xc7, - 0x48, 0x03, 0x58, 0xfb, 0xa0, 0xa2, 0x0c, 0x4e, 0x26, 0x35, 0xd7, 0x40, 0x2d, 0xe2, 0x64, 0x9f, - 0x3e, 0xbc, 0x45, 0xc2, 0x8e, 0x38, 0x50, 0x97, 0x54, 0xc9, 0x7a, 0x0c, 0x37, 0xb7, 0x86, 0x0a, - 0x96, 0xd6, 0x77, 0x06, 0xa8, 0x8e, 0x78, 0x96, 0x5a, 0x21, 0xa9, 0x55, 0x70, 0x95, 0x7c, 0x5f, - 0xc4, 0x05, 0x52, 0x2b, 0x23, 0x35, 0x31, 0x27, 0xaa, 0xc9, 0x35, 0xb0, 0xa8, 0xbe, 0x88, 0x3d, - 0xd6, 0xad, 0x97, 0x94, 0xd5, 
0x1b, 0x69, 0xbb, 0xe1, 0xea, 0xf9, 0x97, 0xb9, 0xff, 0xd1, 0xc8, - 0xda, 0xfa, 0xd5, 0x04, 0xcb, 0xbb, 0x09, 0x51, 0x2e, 0xeb, 0x52, 0xef, 0xd1, 0x19, 0xf4, 0x00, - 0x1c, 0x54, 0x78, 0xaf, 0x4b, 0x52, 0x91, 0xbe, 0x3d, 0x55, 0xbe, 0xe6, 0x63, 0x47, 0xbd, 0x2e, - 0xc9, 0xf2, 0x56, 0x8e, 0x62, 0x94, 0x40, 0xc1, 0x0f, 0xc1, 0x05, 0x5c, 0x68, 0x78, 0x92, 0x6a, - 0xa9, 0xaa, 0xfb, 0xbd, 0x50, 0xec, 0x85, 0x62, 0x34, 0x6e, 0x0b, 0x37, 0x24, 0xc1, 0x94, 0x71, - 0x29, 0xb3, 0xe5, 0x75, 0x63, 0xc3, 0x68, 0xd5, 0x12, 0x72, 0x93, 0x39, 0x34, 0x5a, 0xb5, 0x8e, - 0x0c, 0xb0, 0x5a, 0x08, 0xea, 0x0c, 0xfa, 0xc7, 0xb0, 0xd8, 0x3f, 0xb6, 0x67, 0x46, 0xe8, 0x84, - 0xf6, 0xf1, 0x97, 0xf1, 0x33, 0xba, 0x84, 0x70, 0xf8, 0x1e, 0x58, 0xc6, 0xb9, 0xaf, 0xe8, 0xb8, - 0x6e, 0x28, 0x82, 0x57, 0x87, 0x83, 0xe6, 0x72, 0xfe, 0xf3, 0x3a, 0x46, 0x45, 0x3b, 0xf8, 0x05, - 0x58, 0xa4, 0x91, 0x92, 0x94, 0xf4, 0x04, 0xd7, 0xa7, 0x2b, 0x72, 0xe5, 0x2b, 0x63, 0x4c, 0x4f, - 0xc4, 0x68, 0x04, 0x63, 0xfd, 0x5c, 0x1e, 0x3b, 0x81, 0x4c, 0x16, 0xf8, 0x01, 0xa8, 0xfa, 0x94, - 0x13, 0x4f, 0x50, 0x16, 0xea, 0xb7, 0xbb, 0x91, 0x3e, 0x0b, 0xdb, 0xe9, 0xc2, 0xcb, 0xfc, 0x00, - 0x65, 0x1b, 0x20, 0x03, 0xe5, 0x7d, 0xce, 0x02, 0xfd, 0x00, 0xce, 0x2e, 0xab, 0x25, 0xb9, 0x59, - 0xd5, 0x7f, 0xc4, 0x59, 0x80, 0x14, 0x10, 0xa4, 0xc0, 0x14, 0x4c, 0xd5, 0xfb, 0xcc, 0xe1, 0x80, - 0x86, 0x33, 0xef, 0x31, 0x64, 0x0a, 0x26, 0xaf, 0x28, 0x26, 0xbc, 0x4f, 0x3d, 0x92, 0xf6, 0xaa, - 0x53, 0x5d, 0xd1, 0xdd, 0xc4, 0x57, 0x76, 0x45, 0x7a, 0x22, 0x46, 0x23, 0x18, 0xf8, 0x56, 0xae, - 0xe4, 0x2a, 0x4a, 0x1b, 0x2f, 0x66, 0x9a, 0x36, 0x5e, 0x76, 0xf0, 0x3e, 0x98, 0xc7, 0xc9, 0xbd, - 0xcd, 0xab, 0x7b, 0x43, 0x52, 0xdf, 0xb7, 0xd2, 0x0b, 0xdb, 0x3e, 0xe9, 0x6f, 0xb6, 0x31, 0xf1, - 0x7a, 0xd2, 0x9f, 0xd3, 0xdf, 0xc4, 0xdd, 0xe8, 0x00, 0x6f, 0xda, 0x32, 0x31, 0x12, 0x3f, 0x48, - 0x23, 0x58, 0x18, 0xd4, 0xf2, 0x4f, 0xf6, 0x69, 0x74, 0x7b, 0x8f, 0x0d, 0xb0, 0xa0, 0x39, 0x81, - 0x57, 0x73, 0xe2, 0x9e, 0x40, 0xd4, 0x5f, 0x2d, 0xec, 0x70, 0x57, 
0x3f, 0x2b, 0xe6, 0x2b, 0x24, - 0xbc, 0x27, 0x68, 0xd7, 0x4e, 0x7e, 0x5f, 0xb5, 0xdb, 0xa1, 0xb8, 0xc3, 0xef, 0x0a, 0x4e, 0xc3, - 0x4e, 0x6b, 0xb1, 0xf8, 0x08, 0xb5, 0x2e, 0x3f, 0x3d, 0x6a, 0xcc, 0x3d, 0x3b, 0x6a, 0xcc, 0x3d, - 0x3f, 0x6a, 0xcc, 0x7d, 0x3d, 0x6c, 0x18, 0x4f, 0x87, 0x0d, 0xe3, 0xd9, 0xb0, 0x61, 0x3c, 0x1f, - 0x36, 0x8c, 0x3f, 0x86, 0x0d, 0xe3, 0xc9, 0x8b, 0xc6, 0xdc, 0x27, 0x0b, 0xfa, 0x86, 0xff, 0x0e, - 0x00, 0x00, 0xff, 0xff, 0x5f, 0x0e, 0xc9, 0x67, 0x26, 0x17, 0x00, 0x00, + 0x2e, 0x48, 0x9c, 0xda, 0x03, 0xe2, 0xc2, 0x0d, 0xf1, 0x57, 0x70, 0xe1, 0xda, 0x63, 0x8f, 0xe5, + 0x62, 0x88, 0xcb, 0x5f, 0x11, 0x2e, 0x68, 0x66, 0x67, 0xbd, 0xbb, 0x36, 0x51, 0x23, 0xec, 0x44, + 0x1c, 0x7a, 0x4a, 0x66, 0xe6, 0xcd, 0xfb, 0xbc, 0x5f, 0xf3, 0x79, 0x6f, 0x0d, 0x6e, 0x76, 0xa8, + 0x38, 0xe8, 0xed, 0xd9, 0x1e, 0x0b, 0x9c, 0x7e, 0xf0, 0x00, 0x73, 0x72, 0x59, 0xe0, 0xf0, 0xcb, + 0x9e, 0x83, 0x43, 0xc1, 0x09, 0x76, 0xa2, 0xc3, 0x8e, 0x83, 0x23, 0x1a, 0x3b, 0x21, 0x11, 0x0f, + 0x18, 0x3f, 0xa4, 0x61, 0xc7, 0xe9, 0x6f, 0xee, 0x11, 0x81, 0x37, 0x9d, 0x0e, 0x09, 0x09, 0xc7, + 0x82, 0xf8, 0x76, 0xc4, 0x99, 0x60, 0xf0, 0xfd, 0x4c, 0x97, 0x9d, 0xe8, 0xfa, 0x4c, 0xe9, 0xb2, + 0x13, 0x5d, 0x76, 0x74, 0xd8, 0xb1, 0xa5, 0x2e, 0x3b, 0xd3, 0x65, 0x6b, 0x5d, 0x97, 0x2e, 0xe7, + 0xec, 0xe8, 0xb0, 0x0e, 0x73, 0x94, 0xca, 0xbd, 0xde, 0xbe, 0x5a, 0xa9, 0x85, 0xfa, 0x2f, 0x81, + 0xba, 0x74, 0xf5, 0xf0, 0x5a, 0x6c, 0x53, 0x26, 0x4d, 0x0b, 0xb0, 0x77, 0x40, 0x43, 0xc2, 0x1f, + 0x65, 0xb6, 0x06, 0x44, 0x60, 0xa7, 0x3f, 0x61, 0xe0, 0x25, 0xe7, 0xa4, 0x5b, 0xbc, 0x17, 0x0a, + 0x1a, 0x90, 0x89, 0x0b, 0xef, 0xbe, 0xec, 0x42, 0xec, 0x1d, 0x90, 0x00, 0x4f, 0xdc, 0x7b, 0xe7, + 0xa4, 0x7b, 0x3d, 0x41, 0xbb, 0x0e, 0x0d, 0x45, 0x2c, 0xf8, 0xf8, 0x25, 0x6b, 0x68, 0x82, 0xda, + 0x96, 0xef, 0x73, 0x12, 0xc7, 0x37, 0x38, 0xeb, 0x45, 0xf0, 0x73, 0xb0, 0x28, 0x3d, 0xf1, 0xb1, + 0xc0, 0x75, 0x63, 0xdd, 0xd8, 0x58, 0xba, 0xf2, 0xb6, 0x9d, 0x28, 0xb6, 0xf3, 0x8a, 0xb3, 0xb8, + 0x4a, 0x69, 0xbb, 0xbf, 0x69, 
0xdf, 0xd9, 0xbb, 0x4f, 0x3c, 0x71, 0x9b, 0x08, 0xdc, 0x82, 0x4f, + 0x07, 0xcd, 0xb9, 0xe1, 0xa0, 0x09, 0xb2, 0x3d, 0x34, 0xd2, 0x0a, 0xbb, 0xa0, 0x1c, 0x31, 0x3f, + 0xae, 0x9b, 0xeb, 0xa5, 0x8d, 0xa5, 0x2b, 0x37, 0xed, 0x7f, 0x9f, 0x40, 0x5b, 0x99, 0x7c, 0x9b, + 0x04, 0x7b, 0x84, 0xbb, 0xcc, 0x6f, 0xd5, 0x34, 0x6e, 0xd9, 0x65, 0x7e, 0x8c, 0x14, 0x0a, 0xfc, + 0xc6, 0x00, 0xb5, 0x4e, 0x26, 0x16, 0xd7, 0x4b, 0x0a, 0xf6, 0xc6, 0x8c, 0x60, 0x5b, 0xff, 0xd3, + 0x98, 0xb5, 0xdc, 0x66, 0x8c, 0x0a, 0x90, 0xd6, 0xef, 0x06, 0xb8, 0x98, 0x0f, 0xf2, 0x2d, 0x1a, + 0x0b, 0xf8, 0xe9, 0x44, 0xa0, 0xed, 0xd3, 0x05, 0x5a, 0xde, 0x56, 0x61, 0xbe, 0xa8, 0xa1, 0x17, + 0xd3, 0x9d, 0x5c, 0x90, 0x03, 0x50, 0xa1, 0x82, 0x04, 0x69, 0x94, 0x3f, 0x9e, 0xc6, 0xdd, 0xbc, + 0xe9, 0xad, 0x65, 0x0d, 0x5a, 0x69, 0x4b, 0xf5, 0x28, 0x41, 0xb1, 0x7e, 0xaa, 0x80, 0xd5, 0xbc, + 0x98, 0x8b, 0x85, 0x77, 0x70, 0x0e, 0xb5, 0xf4, 0x15, 0xa8, 0x62, 0xdf, 0x27, 0xbe, 0x7b, 0x36, + 0x05, 0xb5, 0xaa, 0xc1, 0xab, 0x5b, 0x29, 0x08, 0xca, 0xf0, 0x64, 0x69, 0x2d, 0x71, 0x12, 0xb0, + 0xbe, 0xc6, 0x2f, 0xcd, 0x1c, 0x7f, 0x4d, 0xe3, 0x2f, 0xa1, 0x0c, 0x06, 0xe5, 0x31, 0xe1, 0x13, + 0x03, 0xac, 0x2a, 0x8b, 0xf2, 0xe5, 0x57, 0x2f, 0xcf, 0xb6, 0xc6, 0x5f, 0xd3, 0x66, 0xac, 0x6e, + 0x8d, 0x23, 0xa1, 0x49, 0x70, 0xf8, 0x83, 0x01, 0xd6, 0xb4, 0x89, 0x05, 0xa3, 0x2a, 0xb3, 0x35, + 0xea, 0x75, 0x6d, 0xd4, 0x1a, 0x9a, 0xc4, 0x42, 0xff, 0x64, 0x80, 0xf5, 0xa7, 0x09, 0x56, 0xb6, + 0xa2, 0xa8, 0x4b, 0x89, 0x7f, 0x8f, 0xbd, 0x62, 0xbb, 0xb3, 0x62, 0xbb, 0x17, 0x06, 0x80, 0xc5, + 0x30, 0x9f, 0x03, 0xdf, 0xb1, 0x22, 0xdf, 0x4d, 0x15, 0xe7, 0xa2, 0xf1, 0x27, 0x30, 0xde, 0xcf, + 0x15, 0xb0, 0x56, 0x14, 0x7c, 0xc5, 0x79, 0xaf, 0x38, 0xef, 0x3f, 0xc7, 0x79, 0x3f, 0x1a, 0x60, + 0x71, 0x27, 0xf4, 0x23, 0x46, 0x43, 0x01, 0xdf, 0x04, 0x26, 0x8d, 0x54, 0x55, 0xd6, 0x5a, 0x6b, + 0xc3, 0x41, 0xd3, 0x6c, 0xbb, 0xc7, 0x83, 0x66, 0xb5, 0xed, 0xea, 0xd6, 0x8d, 0x4c, 0x1a, 0xc1, + 0xfb, 0xa0, 0x12, 0x31, 0x2e, 0xd2, 0xd2, 0xda, 0x99, 0xc6, 0xf6, 
0x5d, 0x1c, 0xc8, 0x9c, 0x71, + 0x91, 0x3d, 0x22, 0xb9, 0x8a, 0x51, 0x02, 0x61, 0x75, 0xc1, 0xff, 0x77, 0x1e, 0x0a, 0xc2, 0x43, + 0xdc, 0xdd, 0x09, 0x05, 0x15, 0x8f, 0x10, 0xd9, 0x27, 0x9c, 0x84, 0x1e, 0x81, 0xeb, 0xa0, 0x1c, + 0xe2, 0x80, 0x28, 0x6b, 0xab, 0x19, 0xd7, 0x49, 0x8d, 0x48, 0x9d, 0x40, 0x07, 0x54, 0xe5, 0xdf, + 0x38, 0xc2, 0x1e, 0xa9, 0x9b, 0x4a, 0x6c, 0x54, 0xbb, 0xbb, 0xe9, 0x01, 0xca, 0x64, 0xac, 0xbf, + 0x4c, 0xb0, 0x94, 0x0b, 0x0e, 0x7c, 0x6c, 0x80, 0x15, 0x52, 0x80, 0xd7, 0x2f, 0xf6, 0xee, 0x34, + 0x3e, 0x9f, 0xe0, 0x50, 0x0b, 0x0e, 0x07, 0xcd, 0x95, 0xb1, 0xc3, 0x31, 0x78, 0xe8, 0x81, 0x52, + 0xc4, 0x7c, 0xe5, 0xcc, 0x94, 0x33, 0x9b, 0xcb, 0xfc, 0x0c, 0x7a, 0x61, 0x38, 0x68, 0x96, 0xe4, + 0x8e, 0xd4, 0x0e, 0x7b, 0xa0, 0x4a, 0x74, 0x45, 0xa4, 0xef, 0x77, 0x7b, 0x2a, 0x87, 0xb5, 0xb2, + 0x2c, 0xfa, 0xe9, 0x4e, 0x8c, 0x32, 0x24, 0xeb, 0x5b, 0x13, 0xac, 0x14, 0x9f, 0x7a, 0xea, 0xae, + 0x71, 0xa6, 0xee, 0x26, 0x45, 0x6f, 0x9e, 0xb2, 0xe8, 0x4b, 0x67, 0x5f, 0xf4, 0xbf, 0x19, 0x60, + 0xa1, 0xed, 0xb6, 0xba, 0xcc, 0x3b, 0x84, 0x1e, 0x28, 0x7b, 0xd4, 0xe7, 0x3a, 0x04, 0x5b, 0xd3, + 0xc0, 0xb6, 0xdd, 0x5d, 0x22, 0xb2, 0x87, 0x72, 0xbd, 0xbd, 0x8d, 0x90, 0x52, 0x0e, 0x29, 0x98, + 0x27, 0x0f, 0x3d, 0x12, 0x09, 0xfd, 0xa4, 0x67, 0x00, 0xb3, 0xa2, 0x61, 0xe6, 0x77, 0x94, 0x62, + 0xa4, 0x01, 0xac, 0x7d, 0x50, 0x51, 0x02, 0xa7, 0xa3, 0x9a, 0x6b, 0xa0, 0x16, 0x71, 0xb2, 0x4f, + 0x1f, 0xde, 0x22, 0x61, 0x47, 0x1c, 0xa8, 0x24, 0x55, 0xb2, 0x19, 0xc3, 0xcd, 0x9d, 0xa1, 0x82, + 0xa4, 0xf5, 0x9d, 0x01, 0xaa, 0xa3, 0x38, 0x4b, 0xae, 0x90, 0xa1, 0x55, 0x70, 0x95, 0xfc, 0x5c, + 0xc4, 0x05, 0x52, 0x27, 0x23, 0x36, 0x31, 0x4f, 0x64, 0x93, 0x6b, 0x60, 0x51, 0x7d, 0x11, 0x7b, + 0xac, 0x5b, 0x2f, 0x29, 0xa9, 0x37, 0xd2, 0x71, 0xc3, 0xd5, 0xfb, 0xc7, 0xb9, 0xff, 0xd1, 0x48, + 0xda, 0xfa, 0xbe, 0x04, 0x96, 0x77, 0x93, 0x40, 0xb9, 0xac, 0x4b, 0xbd, 0x47, 0xe7, 0x30, 0x03, + 0x70, 0x50, 0xe1, 0xbd, 0x2e, 0x49, 0x49, 0xfa, 0xf6, 0x54, 0xf5, 0x9a, 0xb7, 0x1d, 0xf5, 0xba, + 0x24, 
0xab, 0x5b, 0xb9, 0x8a, 0x51, 0x02, 0x05, 0x3f, 0x04, 0x17, 0x70, 0x61, 0xe0, 0x49, 0x5e, + 0x4b, 0x55, 0xe5, 0xf7, 0x42, 0x71, 0x16, 0x8a, 0xd1, 0xb8, 0x2c, 0xdc, 0x90, 0x01, 0xa6, 0x8c, + 0x4b, 0x9a, 0x2d, 0xaf, 0x1b, 0x1b, 0x46, 0xab, 0x96, 0x04, 0x37, 0xd9, 0x43, 0xa3, 0x53, 0xb8, + 0x0d, 0x6a, 0x82, 0x12, 0x9e, 0x9e, 0xd4, 0x2b, 0xeb, 0xc6, 0xc6, 0x72, 0x6b, 0x5d, 0x96, 0xc4, + 0xbd, 0xdc, 0xfe, 0xf1, 0xd8, 0x1a, 0x15, 0x6e, 0x59, 0x47, 0x06, 0x58, 0x2d, 0xb8, 0x76, 0x0e, + 0x53, 0x68, 0x58, 0x9c, 0x42, 0xdb, 0x33, 0x4b, 0xcb, 0x09, 0x43, 0xe8, 0xaf, 0xe3, 0x3e, 0xba, + 0x84, 0x70, 0xf8, 0x1e, 0x58, 0xc6, 0xb9, 0x6f, 0xf1, 0xb8, 0x6e, 0xa8, 0x34, 0xad, 0x0e, 0x07, + 0xcd, 0xe5, 0xfc, 0x47, 0x7a, 0x8c, 0x8a, 0x72, 0xf0, 0x0b, 0xb0, 0x48, 0x23, 0x45, 0x4c, 0xa9, + 0x07, 0xd7, 0xa7, 0xa3, 0x0a, 0xa5, 0x2b, 0x8b, 0x98, 0xde, 0x88, 0xd1, 0x08, 0xc6, 0xfa, 0xa5, + 0x3c, 0xe6, 0x81, 0x2c, 0x39, 0xf8, 0x01, 0xa8, 0xfa, 0x94, 0x13, 0x4f, 0x50, 0x16, 0xea, 0x09, + 0xa0, 0x91, 0x36, 0x97, 0xed, 0xf4, 0xe0, 0x38, 0xbf, 0x40, 0xd9, 0x05, 0xc8, 0x40, 0x79, 0x9f, + 0xb3, 0x40, 0xb7, 0xd1, 0xd9, 0xbd, 0x0d, 0x19, 0xdc, 0x8c, 0x3b, 0x3e, 0xe2, 0x2c, 0x40, 0x0a, + 0x08, 0x52, 0x60, 0x0a, 0xa6, 0x58, 0x63, 0xe6, 0x70, 0x40, 0xc3, 0x99, 0xf7, 0x18, 0x32, 0x05, + 0x93, 0x29, 0x8a, 0x09, 0xef, 0x53, 0x8f, 0xa4, 0x13, 0xef, 0x54, 0x29, 0xba, 0x9b, 0xe8, 0xca, + 0x52, 0xa4, 0x37, 0x62, 0x34, 0x82, 0x81, 0x6f, 0xe5, 0x1e, 0x6e, 0x45, 0x31, 0xec, 0xc5, 0x8c, + 0x19, 0x27, 0x1e, 0xef, 0x7d, 0x30, 0x8f, 0x93, 0xbc, 0xcd, 0xab, 0xbc, 0x21, 0xd9, 0x25, 0xb6, + 0xd2, 0x84, 0x6d, 0x9f, 0xf6, 0x97, 0xdf, 0x98, 0x78, 0x3d, 0xa9, 0xcf, 0xe9, 0x6f, 0xe2, 0x6e, + 0x74, 0x80, 0x37, 0x6d, 0x59, 0x18, 0x89, 0x1e, 0xa4, 0x11, 0x2c, 0x0c, 0x6a, 0xf9, 0xc6, 0x7f, + 0x16, 0x33, 0xe3, 0x63, 0x03, 0x2c, 0xe8, 0x98, 0xc0, 0xab, 0xb9, 0x16, 0x91, 0x40, 0xd4, 0x5f, + 0xde, 0x1e, 0xe0, 0xae, 0x6e, 0x4e, 0xe6, 0x4b, 0x1a, 0x41, 0x4f, 0xd0, 0xae, 0x9d, 0xfc, 0x4a, + 0x6b, 0xb7, 0x43, 0x71, 0x87, 0xdf, 0x15, 
0x9c, 0x86, 0x9d, 0xd6, 0x62, 0xb1, 0x95, 0xb5, 0x2e, + 0x3f, 0x3d, 0x6a, 0xcc, 0x3d, 0x3b, 0x6a, 0xcc, 0x3d, 0x3f, 0x6a, 0xcc, 0x7d, 0x3d, 0x6c, 0x18, + 0x4f, 0x87, 0x0d, 0xe3, 0xd9, 0xb0, 0x61, 0x3c, 0x1f, 0x36, 0x8c, 0x3f, 0x86, 0x0d, 0xe3, 0xc9, + 0x8b, 0xc6, 0xdc, 0x27, 0x0b, 0x3a, 0xc3, 0x7f, 0x07, 0x00, 0x00, 0xff, 0xff, 0x22, 0xa3, 0x1b, + 0xdb, 0x6c, 0x17, 0x00, 0x00, } func (m *AddressGroup) Marshal() (dAtA []byte, err error) { @@ -1413,6 +1415,11 @@ func (m *NetworkPolicy) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + if m.TierPriority != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.TierPriority)) + i-- + dAtA[i] = 0x28 + } if m.Priority != nil { i -= 8 encoding_binary.LittleEndian.PutUint64(dAtA[i:], uint64(math.Float64bits(float64(*m.Priority)))) @@ -2002,6 +2009,9 @@ func (m *NetworkPolicy) Size() (n int) { if m.Priority != nil { n += 9 } + if m.TierPriority != nil { + n += 1 + sovGenerated(uint64(*m.TierPriority)) + } return n } @@ -2363,6 +2373,7 @@ func (this *NetworkPolicy) String() string { `Rules:` + repeatedStringForRules + `,`, `AppliedToGroups:` + fmt.Sprintf("%v", this.AppliedToGroups) + `,`, `Priority:` + valueToStringGenerated(this.Priority) + `,`, + `TierPriority:` + valueToStringGenerated(this.TierPriority) + `,`, `}`, }, "") return s @@ -4497,6 +4508,26 @@ func (m *NetworkPolicy) Unmarshal(dAtA []byte) error { iNdEx += 8 v2 := float64(math.Float64frombits(v)) m.Priority = &v2 + case 5: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field TierPriority", wireType) + } + var v TierPriority + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= TierPriority(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.TierPriority = &v default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) 
diff --git a/pkg/apis/networking/v1beta1/generated.proto b/pkg/apis/networking/v1beta1/generated.proto index 33d57bcdaf5..539d011f59c 100644 --- a/pkg/apis/networking/v1beta1/generated.proto +++ b/pkg/apis/networking/v1beta1/generated.proto @@ -188,6 +188,10 @@ message NetworkPolicy { // Priority represents the relative priority of this Network Policy as compared to // other Network Policies. Priority will be unset (nil) for K8s Network Policy. optional double priority = 4; + + // TierPriority represents the priority of the Tier associated with this Network + // Policy. The TierPriority will remain nil for K8s NetworkPolicy. + optional uint32 tierPriority = 5; } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object diff --git a/pkg/apis/networking/v1beta1/types.go b/pkg/apis/networking/v1beta1/types.go index 59c4d5374e4..3f8edd1d8b9 100644 --- a/pkg/apis/networking/v1beta1/types.go +++ b/pkg/apis/networking/v1beta1/types.go @@ -151,6 +151,10 @@ type AddressGroupList struct { Items []AddressGroup `json:"items" protobuf:"bytes,2,rep,name=items"` } +// TierPriority specifies the relative ordering among Tiers. A lower +// TierPriority indicates higher precedence. +type TierPriority uint32 + // +genclient // +genclient:onlyVerbs=list,get,watch // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -165,6 +169,9 @@ type NetworkPolicy struct { // Priority represents the relative priority of this Network Policy as compared to // other Network Policies. Priority will be unset (nil) for K8s Network Policy. Priority *float64 `json:"priority,omitempty" protobuf:"fixed64,4,opt,name=priority"` + // TierPriority represents the priority of the Tier associated with this Network + // Policy. The TierPriority will remain nil for K8s NetworkPolicy. + TierPriority *TierPriority `json:"tierPriority,omitempty" protobuf:"varint,5,opt,name=tierPriority"` } // Direction defines traffic direction of NetworkPolicyRule. 
diff --git a/pkg/apis/networking/v1beta1/zz_generated.conversion.go b/pkg/apis/networking/v1beta1/zz_generated.conversion.go index eedc7b21ff2..84732c5e6ca 100644 --- a/pkg/apis/networking/v1beta1/zz_generated.conversion.go +++ b/pkg/apis/networking/v1beta1/zz_generated.conversion.go @@ -545,6 +545,7 @@ func autoConvert_v1beta1_NetworkPolicy_To_networking_NetworkPolicy(in *NetworkPo out.Rules = *(*[]networking.NetworkPolicyRule)(unsafe.Pointer(&in.Rules)) out.AppliedToGroups = *(*[]string)(unsafe.Pointer(&in.AppliedToGroups)) out.Priority = (*float64)(unsafe.Pointer(in.Priority)) + out.TierPriority = (*networking.TierPriority)(unsafe.Pointer(in.TierPriority)) return nil } @@ -558,6 +559,7 @@ func autoConvert_networking_NetworkPolicy_To_v1beta1_NetworkPolicy(in *networkin out.Rules = *(*[]NetworkPolicyRule)(unsafe.Pointer(&in.Rules)) out.AppliedToGroups = *(*[]string)(unsafe.Pointer(&in.AppliedToGroups)) out.Priority = (*float64)(unsafe.Pointer(in.Priority)) + out.TierPriority = (*TierPriority)(unsafe.Pointer(in.TierPriority)) return nil } diff --git a/pkg/apis/networking/v1beta1/zz_generated.deepcopy.go b/pkg/apis/networking/v1beta1/zz_generated.deepcopy.go index 79234a533a4..d2c5dca9b93 100644 --- a/pkg/apis/networking/v1beta1/zz_generated.deepcopy.go +++ b/pkg/apis/networking/v1beta1/zz_generated.deepcopy.go @@ -517,6 +517,11 @@ func (in *NetworkPolicy) DeepCopyInto(out *NetworkPolicy) { *out = new(float64) **out = **in } + if in.TierPriority != nil { + in, out := &in.TierPriority, &out.TierPriority + *out = new(TierPriority) + **out = **in + } return } diff --git a/pkg/apis/networking/zz_generated.deepcopy.go b/pkg/apis/networking/zz_generated.deepcopy.go index f015a7c3c38..ffef7f42b25 100644 --- a/pkg/apis/networking/zz_generated.deepcopy.go +++ b/pkg/apis/networking/zz_generated.deepcopy.go 
@@ -517,6 +517,11 @@ func (in *NetworkPolicy) DeepCopyInto(out *NetworkPolicy) { *out = new(float64) **out = **in } + if in.TierPriority != nil { + in, out := &in.TierPriority, &out.TierPriority + *out = new(TierPriority) + **out = **in + } return } diff --git a/pkg/apis/security/v1alpha1/types.go b/pkg/apis/security/v1alpha1/types.go index 156094fd21d..f1968f2c90d 100644 --- a/pkg/apis/security/v1alpha1/types.go +++ b/pkg/apis/security/v1alpha1/types.go @@ -35,6 +35,12 @@ type NetworkPolicy struct { // NetworkPolicySpec defines the desired state for NetworkPolicy. type NetworkPolicySpec struct { + // Tier specifies the tier to which this NetworkPolicy belongs to. + // The NetworkPolicy order will be determined based on the combination of the + // Tier's Priority and the NetworkPolicy's own Priority. If not specified, + // this policy will be created in the Application Tier right above the K8s + // NetworkPolicy which resides at the bottom. + Tier string `json:"tier,omitempty"` // Priority specfies the order of the NetworkPolicy relative to other // NetworkPolicies. Priority float64 `json:"priority"` @@ -159,6 +165,12 @@ type ClusterNetworkPolicy struct { // ClusterNetworkPolicySpec defines the desired state for ClusterNetworkPolicy. type ClusterNetworkPolicySpec struct { + // Tier specifies the tier to which this ClusterNetworkPolicy belongs to. + // The ClusterNetworkPolicy order will be determined based on the + // combination of the Tier's Priority and the ClusterNetworkPolicy's own + // Priority. If not specified, this policy will be created in the Application + // Tier right above the K8s NetworkPolicy which resides at the bottom. + Tier string `json:"tier,omitempty"` // Priority specfies the order of the ClusterNetworkPolicy relative to // other ClusterNetworkPolicies. Priority float64 `json:"priority"` diff --git a/pkg/apiserver/openapi/zz_generated.openapi.go b/pkg/apiserver/openapi/zz_generated.openapi.go index 88470a18237..0059a09dd1b 100644 
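Review bot: The new `Tier` doc comment on `NetworkPolicySpec` (and the matching one in the `ClusterNetworkPolicySpec` hunk in the same file) does not say which values are accepted, even though the CRD schema in this diff restricts them to a fixed enum, so a reader of the Go type has to find the YAML to learn them. Add a line such as `// Valid values are Emergency, SecurityOps, NetworkOps, Platform and Application; an unset Tier is treated as Application.` Nit on wording: `the tier to which this NetworkPolicy belongs to` doubles the preposition; `the tier to which this NetworkPolicy belongs.` reads cleanly.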
--- a/pkg/apiserver/openapi/zz_generated.openapi.go +++ b/pkg/apiserver/openapi/zz_generated.openapi.go @@ -1437,6 +1437,13 @@ func schema_pkg_apis_networking_v1beta1_NetworkPolicy(ref common.ReferenceCallba Format: "double", }, }, + "tierPriority": { + SchemaProps: spec.SchemaProps{ + Description: "TierPriority represents the priority of the Tier associated with this Network Policy. The TierPriority will remain nil for K8s NetworkPolicy.", + Type: []string{"integer"}, + Format: "int64", + }, + }, }, }, }, diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go index 5481998bdb2..38a6e32661f 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy.go @@ -31,6 +31,15 @@ var ( matchAllPodsPeerCrd = secv1alpha1.NetworkPolicyPeer{ NamespaceSelector: &metav1.LabelSelector{}, } + + // tierPriorityMap maintains a map of the Tier name to it's priority. + tierPriorityMap = map[string]networking.TierPriority{ + "Emergency": antreatypes.TierEmergency, + "SecurityOps": antreatypes.TierSecurityOps, + "NetworkOps": antreatypes.TierNetworkOps, + "Platform": antreatypes.TierPlatform, + "Application": antreatypes.TierApplication, + } ) // addCNP receives ClusterNetworkPolicy ADD events and creates resources 
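Review bot: `tierPriorityMap` is keyed by bare string literals that must stay byte-identical to the CRD `enum` values added elsewhere in this diff, and nothing ties the two together, so a rename on either side would silently stop matching. Declaring the tier names as constants next to the `Tier*` priorities in the antreatypes package and using them here (and as the input for the CRD enum, if crds.yml is generated from Go) would keep them in one place. Nit: the comment should read `its priority`, not `it's`.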
@@ -155,6 +164,16 @@ func toAntreaIPBlockForCRD(ipBlock *secv1alpha1.IPBlock) (*networking.IPBlock, e return antreaIPBlock, nil } +// getTierPriority retrieves the priority associated with the input Tier name. +// If the Tier name is empty, by default, the lowest priority Application Tier +// is returned. +func getTierPriority(tier string) networking.TierPriority { + if tier == "" { + return antreatypes.TierApplication + } + return tierPriorityMap[tier] +} + func (n *NetworkPolicyController) toAntreaPeerForCRD(peers []secv1alpha1.NetworkPolicyPeer, cnp *secv1alpha1.ClusterNetworkPolicy, dir networking.Direction) *networking.NetworkPolicyPeer { var addressGroups []string // Empty NetworkPolicyPeer is supposed to match all addresses. @@ -253,6 +272,7 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *secv1alpha1.C Priority: int32(idx), }) } + tierPriority := getTierPriority(cnp.Spec.Tier) internalNetworkPolicy := &antreatypes.NetworkPolicy{ Name: cnp.Name, Namespace: "", @@ -260,6 +280,7 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *secv1alpha1.C AppliedToGroups: appliedToGroupNames, Rules: rules, Priority: &cnp.Spec.Priority, + TierPriority: &tierPriority, } return internalNetworkPolicy } diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go index e880c93acf0..90db92f414a 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go @@ -232,6 +232,7 @@ func TestToAntreaPeerForCRD(t *testing.T) { func TestProcessClusterNetworkPolicy(t *testing.T) { p10 := float64(10) + appTier := antreatypes.TierApplication allowAction := secv1alpha1.RuleActionAllow protocolTCP := networking.ProtocolTCP intstr80, intstr81 := intstr.FromInt(80), intstr.FromInt(81) 
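Review bot: `getTierPriority` returns the zero value of `networking.TierPriority` when `tier` is non-empty but not a key of `tierPriorityMap`, and since a lower TierPriority means higher precedence, an unrecognized tier name would be ranked no lower than Emergency instead of falling back to Application as the comment promises for the empty case. CRD enum validation at the API server is the only thing preventing that today; the controller should not depend on it alone. Replace the final lookup with `if p, ok := tierPriorityMap[tier]; ok { return p }` followed by `return antreatypes.TierApplication` (optionally logging the unknown name), which also subsumes the empty-string branch, and extend the doc comment to say that unknown names fall back to Application.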
@@ -289,10 +290,11 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
 },
 },
 expectedPolicy: &antreatypes.NetworkPolicy{
- UID: "uidA",
- Name: "cnpA",
- Namespace: "",
- Priority: &p10,
+ UID: "uidA",
+ Name: "cnpA",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &appTier,
 Rules: []networking.NetworkPolicyRule{
 {
 Direction: networking.DirectionIn,
@@ -368,10 +370,11 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
 },
 },
 expectedPolicy: &antreatypes.NetworkPolicy{
- UID: "uidA",
- Name: "cnpA",
- Namespace: "",
- Priority: &p10,
+ UID: "uidA",
+ Name: "cnpA",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &appTier,
 Rules: []networking.NetworkPolicyRule{
 {
 Direction: networking.DirectionIn,
@@ -429,6 +432,11 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
 
 func TestAddCNP(t *testing.T) {
 p10 := float64(10)
+ appTier := antreatypes.TierApplication
+ secOpsTier := antreatypes.TierSecurityOps
+ netOpsTier := antreatypes.TierNetworkOps
+ platformTier := antreatypes.TierPlatform
+ emergencyTier := antreatypes.TierEmergency
 allowAction := secv1alpha1.RuleActionAllow
 protocolTCP := networking.ProtocolTCP
 intstr80, intstr81 := intstr.FromInt(80), intstr.FromInt(81)
@@ -446,6 +454,281 @@ func TestAddCNP(t *testing.T) {
 expAppliedToGroups int
 expAddressGroups int
 }{
+ {
+ name: "application-tier-policy",
+ inputPolicy: &secv1alpha1.ClusterNetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{Name: "cnpA", UID: "uidA"},
+ Spec: secv1alpha1.ClusterNetworkPolicySpec{
+ AppliedTo: []secv1alpha1.NetworkPolicyPeer{
+ {PodSelector: &selectorA},
+ },
+ Priority: p10,
+ Tier: "Application",
+ Ingress: []secv1alpha1.Rule{
+ {
+ Ports: []secv1alpha1.NetworkPolicyPort{
+ {
+ Port: &intstr80,
+ },
+ },
+ From: []secv1alpha1.NetworkPolicyPeer{
+ {
+ PodSelector: &selectorB,
+ NamespaceSelector: &selectorC,
+ },
+ },
+ Action: &allowAction,
+ },
+ },
+ },
+ },
+ expPolicy: &antreatypes.NetworkPolicy{
+ UID: "uidA",
+ Name: "cnpA",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &appTier,
+ Rules: []networking.NetworkPolicyRule{
+ {
+ Direction: networking.DirectionIn,
+ From: networking.NetworkPolicyPeer{
+ AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, &selectorC).NormalizedName)},
+ },
+ Services: []networking.Service{
+ {
+ Protocol: &protocolTCP,
+ Port: &int80,
+ },
+ },
+ Priority: 0,
+ Action: &allowAction,
+ },
+ },
+ AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorA, nil).NormalizedName)},
+ },
+ expAppliedToGroups: 1,
+ expAddressGroups: 1,
+ },
+ {
+ name: "secops-tier-policy",
+ inputPolicy: &secv1alpha1.ClusterNetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{Name: "cnpB", UID: "uidB"},
+ Spec: secv1alpha1.ClusterNetworkPolicySpec{
+ AppliedTo: []secv1alpha1.NetworkPolicyPeer{
+ {PodSelector: &selectorA},
+ },
+ Priority: p10,
+ Tier: "SecurityOps",
+ Ingress: []secv1alpha1.Rule{
+ {
+ Ports: []secv1alpha1.NetworkPolicyPort{
+ {
+ Port: &intstr80,
+ },
+ },
+ From: []secv1alpha1.NetworkPolicyPeer{
+ {
+ PodSelector: &selectorB,
+ NamespaceSelector: &selectorC,
+ },
+ },
+ Action: &allowAction,
+ },
+ },
+ },
+ },
+ expPolicy: &antreatypes.NetworkPolicy{
+ UID: "uidB",
+ Name: "cnpB",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &secOpsTier,
+ Rules: []networking.NetworkPolicyRule{
+ {
+ Direction: networking.DirectionIn,
+ From: networking.NetworkPolicyPeer{
+ AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, &selectorC).NormalizedName)},
+ },
+ Services: []networking.Service{
+ {
+ Protocol: &protocolTCP,
+ Port: &int80,
+ },
+ },
+ Priority: 0,
+ Action: &allowAction,
+ },
+ },
+ AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorA, nil).NormalizedName)},
+ },
+ expAppliedToGroups: 1,
+ expAddressGroups: 1,
+ },
+ {
+ name: "netops-tier-policy",
+ inputPolicy: &secv1alpha1.ClusterNetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{Name: "cnpC", UID: "uidC"},
+ Spec: secv1alpha1.ClusterNetworkPolicySpec{
+ AppliedTo: []secv1alpha1.NetworkPolicyPeer{
+ {PodSelector: &selectorA},
+ },
+ Priority: p10,
+ Tier: "NetworkOps",
+ Ingress: []secv1alpha1.Rule{
+ {
+ Ports: []secv1alpha1.NetworkPolicyPort{
+ {
+ Port: &intstr80,
+ },
+ },
+ From: []secv1alpha1.NetworkPolicyPeer{
+ {
+ PodSelector: &selectorB,
+ NamespaceSelector: &selectorC,
+ },
+ },
+ Action: &allowAction,
+ },
+ },
+ },
+ },
+ expPolicy: &antreatypes.NetworkPolicy{
+ UID: "uidC",
+ Name: "cnpC",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &netOpsTier,
+ Rules: []networking.NetworkPolicyRule{
+ {
+ Direction: networking.DirectionIn,
+ From: networking.NetworkPolicyPeer{
+ AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, &selectorC).NormalizedName)},
+ },
+ Services: []networking.Service{
+ {
+ Protocol: &protocolTCP,
+ Port: &int80,
+ },
+ },
+ Priority: 0,
+ Action: &allowAction,
+ },
+ },
+ AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorA, nil).NormalizedName)},
+ },
+ expAppliedToGroups: 1,
+ expAddressGroups: 1,
+ },
+ {
+ name: "emergency-tier-policy",
+ inputPolicy: &secv1alpha1.ClusterNetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{Name: "cnpD", UID: "uidD"},
+ Spec: secv1alpha1.ClusterNetworkPolicySpec{
+ AppliedTo: []secv1alpha1.NetworkPolicyPeer{
+ {PodSelector: &selectorA},
+ },
+ Priority: p10,
+ Tier: "Emergency",
+ Ingress: []secv1alpha1.Rule{
+ {
+ Ports: []secv1alpha1.NetworkPolicyPort{
+ {
+ Port: &intstr80,
+ },
+ },
+ From: []secv1alpha1.NetworkPolicyPeer{
+ {
+ PodSelector: &selectorB,
+ NamespaceSelector: &selectorC,
+ },
+ },
+ Action: &allowAction,
+ },
+ },
+ },
+ },
+ expPolicy: &antreatypes.NetworkPolicy{
+ UID: "uidD",
+ Name: "cnpD",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &emergencyTier,
+ Rules: []networking.NetworkPolicyRule{
+ {
+ Direction: networking.DirectionIn,
+ From: networking.NetworkPolicyPeer{
+ AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, &selectorC).NormalizedName)},
+ },
+ Services: []networking.Service{
+ {
+ Protocol: &protocolTCP,
+ Port: &int80,
+ },
+ },
+ Priority: 0,
+ Action: &allowAction,
+ },
+ },
+ AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorA, nil).NormalizedName)},
+ },
+ expAppliedToGroups: 1,
+ expAddressGroups: 1,
+ },
+ {
+ name: "inter-tenant-tier-policy",
+ inputPolicy: &secv1alpha1.ClusterNetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{Name: "cnpE", UID: "uidE"},
+ Spec: secv1alpha1.ClusterNetworkPolicySpec{
+ AppliedTo: []secv1alpha1.NetworkPolicyPeer{
+ {PodSelector: &selectorA},
+ },
+ Priority: p10,
+ Tier: "Platform",
+ Ingress: []secv1alpha1.Rule{
+ {
+ Ports: []secv1alpha1.NetworkPolicyPort{
+ {
+ Port: &intstr80,
+ },
+ },
+ From: []secv1alpha1.NetworkPolicyPeer{
+ {
+ PodSelector: &selectorB,
+ NamespaceSelector: &selectorC,
+ },
+ },
+ Action: &allowAction,
+ },
+ },
+ },
+ },
+ expPolicy: &antreatypes.NetworkPolicy{
+ UID: "uidE",
+ Name: "cnpE",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &platformTier,
+ Rules: []networking.NetworkPolicyRule{
+ {
+ Direction: networking.DirectionIn,
+ From: networking.NetworkPolicyPeer{
+ AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, &selectorC).NormalizedName)},
+ },
+ Services: []networking.Service{
+ {
+ Protocol: &protocolTCP,
+ Port: &int80,
+ },
+ },
+ Priority: 0,
+ Action: &allowAction,
+ },
+ },
+ AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorA, nil).NormalizedName)},
+ },
+ expAppliedToGroups: 1,
+ expAddressGroups: 1,
+ },
 {
 name: "rules-with-same-selectors",
 inputPolicy: &secv1alpha1.ClusterNetworkPolicy{
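Review bot: The fixture named `inter-tenant-tier-policy` sets `Tier: "Platform"` and expects `platformTier`, so its name is out of step with the other four cases in this hunk (`application-`, `secops-`, `netops-`, `emergency-tier-policy`); `name: "platform-tier-policy",` would read consistently. That same fixture also reuses `UID: "uidE"`, which the pre-existing `rules-with-same-selectors` case (`Name: "npE", UID: "uidE"`, visible in the next hunk) already carries — the table later asserts 7 policies, so the count still passes, but feeding the controller two objects with one UID is not a state a test should rely on, and a distinct value such as `UID: "uidG"` removes the ambiguity. None of the new cases covers a `Tier` string that is absent from `tierPriorityMap`, which is where `getTierPriority` falls through to the zero value; a case pinning that path would document the intended fallback.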
@@ -490,10 +773,11 @@ func TestAddCNP(t *testing.T) {
 },
 },
 expPolicy: &antreatypes.NetworkPolicy{
- UID: "uidE",
- Name: "npE",
- Namespace: "",
- Priority: &p10,
+ UID: "uidE",
+ Name: "npE",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &appTier,
 Rules: []networking.NetworkPolicyRule{
 {
 Direction: networking.DirectionIn,
@@ -569,10 +853,11 @@ func TestAddCNP(t *testing.T) {
 },
 },
 expPolicy: &antreatypes.NetworkPolicy{
- UID: "uidF",
- Name: "npF",
- Namespace: "",
- Priority: &p10,
+ UID: "uidF",
+ Name: "npF",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &appTier,
 Rules: []networking.NetworkPolicyRule{
 {
 Direction: networking.DirectionIn,
@@ -633,9 +918,9 @@ func TestAddCNP(t *testing.T) {
 for _, tt := range tests {
 npc.addCNP(tt.inputPolicy)
 }
- assert.Equal(t, 2, npc.GetNetworkPolicyNum(), "expected networkPolicy number is 2")
- assert.Equal(t, 3, npc.GetAddressGroupNum(), "expected addressGroup number is 3")
- assert.Equal(t, 1, npc.GetAppliedToGroupNum(), "appliedToGroup number is 1")
+ assert.Equal(t, 7, npc.GetNetworkPolicyNum(), "number of NetworkPolicies do not match")
+ assert.Equal(t, 3, npc.GetAddressGroupNum(), "number of AddressGroups do not match")
+ assert.Equal(t, 1, npc.GetAppliedToGroupNum(), "number of AppliedToGroups do not match")
 }
 
 func TestDeleteCNP(t *testing.T) {
diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go
index ee8e3ddbc06..f6ae1dad97d 100644
--- a/pkg/controller/networkpolicy/networkpolicy_controller.go
+++ b/pkg/controller/networkpolicy/networkpolicy_controller.go
@@ -1325,6 +1325,7 @@ func (n *NetworkPolicyController) syncInternalNetworkPolicy(key string) error {
 Rules: internalNP.Rules,
 AppliedToGroups: internalNP.AppliedToGroups,
 Priority: internalNP.Priority,
+ TierPriority: internalNP.TierPriority,
 SpanMeta: antreatypes.SpanMeta{NodeNames: nodeNames},
 }
 klog.V(4).Infof("Updating internal NetworkPolicy %s with %d Nodes", key, nodeNames.Len())
diff --git a/pkg/controller/networkpolicy/store/networkpolicy.go b/pkg/controller/networkpolicy/store/networkpolicy.go
index 415fd571140..77ff0a05eb8 100644
--- a/pkg/controller/networkpolicy/store/networkpolicy.go
+++ b/pkg/controller/networkpolicy/store/networkpolicy.go
@@ -113,6 +113,7 @@ func ToNetworkPolicyMsg(in *types.NetworkPolicy, out *networking.NetworkPolicy,
 out.Rules = in.Rules
 out.AppliedToGroups = in.AppliedToGroups
 out.Priority = in.Priority
+ out.TierPriority = in.TierPriority
 }
 
 // NetworkPolicyKeyFunc knows how to get the key of a NetworkPolicy.
diff --git a/pkg/controller/types/networkpolicy.go b/pkg/controller/types/networkpolicy.go
index 3ba5832ab4c..ef3740fd0d8 100644
--- a/pkg/controller/types/networkpolicy.go
+++ b/pkg/controller/types/networkpolicy.go
@@ -37,6 +37,14 @@ func (meta *SpanMeta) Has(nodeName string) bool {
 return meta.NodeNames.Has(nodeName)
 }
 
+const (
+ TierEmergency networking.TierPriority = iota + 1
+ TierSecurityOps
+ TierNetworkOps
+ TierPlatform
+ TierApplication
+)
+
 // GroupSelector describes how to select Pods.
 type GroupSelector struct {
 // The normalized name is calculated from Namespace, PodSelector, and NamespaceSelector.
@@ -100,4 +108,7 @@ type NetworkPolicy struct {
 Rules []networking.NetworkPolicyRule
 // AppliedToGroups is a list of names of AppliedToGroups to which this policy applies.
 AppliedToGroups []string
+ // TierPriority represents the priority of the Tier associated with this Network
+ // Policy.
+ TierPriority *networking.TierPriority
 }
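Review bot: The new exported `const` block in pkg/controller/types/networkpolicy.go has no doc comment, and nothing in the types file states the ordering convention the rest of the change relies on: `TierEmergency` is 1 and `TierApplication` is 5, while clusternetworkpolicy.go calls Application the lowest-priority tier, so a smaller value appears to take precedence and 0 is deliberately left unused — presumably so an unset or zero `TierPriority` can never collide with a real tier, which is worth confirming and writing down. Suggest a comment above the block such as `// Tier priorities, in precedence order: a lower value takes precedence over a higher one. 0 is intentionally unused.` The `TierPriority` field comment in the last hunk could also carry the nil contract that the OpenAPI description in this same change already states, e.g. `// TierPriority is the priority of the Tier this policy belongs to; nil for a K8s NetworkPolicy.`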