From 1ff54b51d2814d49f57f795177ad661abbfa3a1a Mon Sep 17 00:00:00 2001 
From: Abhishek Raut Date: Wed, 5 Aug 2020 23:03:53 -0700 Subject: [PATCH] CNP Tier integration (#956) Add support for Tiered ClusterNetworkPolicies by associating a CNP with Tier name. This PR adds the following: Add a new field tier to CNP and native NP specs Add "Emergency, SecurityOps, NetworkOps, Platform, Application" as choices for tier names Add Tier column to the CNP kubectl get cnp output Update internal NetworkPolicy types to include the TierPriority associated with above tier names A CNP without any association to any tier will be created in the default lowest priority tier i.e. "Application Tier". The same applies for all existing CNP created prior to the Tier introduction. The tiers have the following precedence: Emergency > SecurityOps > NetworkOps > Platform > Application i.e. all policies associated with Emergency Tiers will be evaluated before any policy associated with SecurityOps tier and so on. The K8s NetworkPolicies will be evaluated once all Tiers are evaluated i.e. after the Application Tier. --- build/yamls/antrea-eks.yml | 12 + build/yamls/antrea-gke.yml | 12 + build/yamls/antrea-ipsec.yml | 12 + build/yamls/antrea.yml | 12 + build/yamls/base/crds.yml | 7 + pkg/apis/networking/types.go | 13 +- pkg/apis/networking/v1beta1/generated.pb.go | 195 ++++++----- pkg/apis/networking/v1beta1/generated.proto | 4 + pkg/apis/networking/v1beta1/types.go | 7 + .../v1beta1/zz_generated.conversion.go | 2 + .../v1beta1/zz_generated.deepcopy.go | 5 + pkg/apis/networking/zz_generated.deepcopy.go | 5 + pkg/apis/security/v1alpha1/types.go | 12 + pkg/apiserver/openapi/zz_generated.openapi.go | 7 + .../networkpolicy/clusternetworkpolicy.go | 21 ++ .../clusternetworkpolicy_test.go | 323 ++++++++++++++++-- .../networkpolicy/networkpolicy_controller.go | 1 + .../networkpolicy/store/networkpolicy.go | 1 + pkg/controller/types/networkpolicy.go | 11 + 19 files changed, 558 insertions(+), 104 deletions(-) 
diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index d4a4016a660..5095efd120f 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml @@ -46,6 +46,10 @@ metadata: name: clusternetworkpolicies.security.antrea.tanzu.vmware.com spec: additionalPrinterColumns: + - JSONPath: .spec.tier + description: The Tier to which this ClusterNetworkPolicy belongs to. + name: Tier + type: string - JSONPath: .spec.priority description: The Priority of this ClusterNetworkPolicy relative to other policies. format: float @@ -150,6 +154,14 @@ spec: maximum: 10000 minimum: 1 type: number + tier: + enum: + - Emergency + - SecurityOps + - NetworkOps + - Platform + - Application + type: string required: - appliedTo - priority diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index f7b17f07454..79e318fbddd 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml @@ -46,6 +46,10 @@ metadata: name: clusternetworkpolicies.security.antrea.tanzu.vmware.com spec: additionalPrinterColumns: + - JSONPath: .spec.tier + description: The Tier to which this ClusterNetworkPolicy belongs to. + name: Tier + type: string - JSONPath: .spec.priority description: The Priority of this ClusterNetworkPolicy relative to other policies. format: float @@ -150,6 +154,14 @@ spec: maximum: 10000 minimum: 1 type: number + tier: + enum: + - Emergency + - SecurityOps + - NetworkOps + - Platform + - Application + type: string required: - appliedTo - priority diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index f4c14af81cd..340a47db0a5 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml 
@@ -46,6 +46,10 @@ metadata: name: clusternetworkpolicies.security.antrea.tanzu.vmware.com spec: additionalPrinterColumns: + - JSONPath: .spec.tier + description: The Tier to which this ClusterNetworkPolicy belongs to. + name: Tier + type: string - JSONPath: .spec.priority description: The Priority of this ClusterNetworkPolicy relative to other policies. format: float @@ -150,6 +154,14 @@ spec: maximum: 10000 minimum: 1 type: number + tier: + enum: + - Emergency + - SecurityOps + - NetworkOps + - Platform + - Application + type: string required: - appliedTo - priority diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 4906e2ba7c4..842a1d6e9ed 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -46,6 +46,10 @@ metadata: name: clusternetworkpolicies.security.antrea.tanzu.vmware.com spec: additionalPrinterColumns: + - JSONPath: .spec.tier + description: The Tier to which this ClusterNetworkPolicy belongs to. + name: Tier + type: string - JSONPath: .spec.priority description: The Priority of this ClusterNetworkPolicy relative to other policies. format: float @@ -150,6 +154,14 @@ spec: maximum: 10000 minimum: 1 type: number + tier: + enum: + - Emergency + - SecurityOps + - NetworkOps + - Platform + - Application + type: string required: - appliedTo - priority diff --git a/build/yamls/base/crds.yml b/build/yamls/base/crds.yml index c2f591f170c..bf0c36fa014 100644 --- a/build/yamls/base/crds.yml +++ b/build/yamls/base/crds.yml @@ -221,6 +221,10 @@ spec: # Prune any unknown fields preserveUnknownFields: false additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this ClusterNetworkPolicy belongs to. + JSONPath: .spec.tier - name: Priority type: number format: float @@ -240,6 +244,9 @@ spec: - priority type: object properties: + tier: + type: string + enum: ['Emergency', 'SecurityOps', 'NetworkOps', 'Platform', 'Application'] priority: type: number format: float 
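Review bot: The `tier` enum in build/yamls/base/crds.yml is the only validation of Tier names, and the controller keeps its own copy of the same five strings in tierPriorityMap; a name added in one list but not the other is accepted by the API server yet mapped to a priority the author did not intend. Add `# Keep in sync with tierPriorityMap in pkg/controller/networkpolicy/clusternetworkpolicy.go` above the enum so the coupling is visible to whoever edits either side. The printer-column description `The Tier to which this ClusterNetworkPolicy belongs to.` doubles the preposition; `The Tier to which this ClusterNetworkPolicy belongs.` reads correctly and applies to the generated manifests as well.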
diff --git a/pkg/apis/networking/types.go b/pkg/apis/networking/types.go
index 251a672e33b..2a86a6217ee 100644
--- a/pkg/apis/networking/types.go
+++ b/pkg/apis/networking/types.go
@@ -146,6 +146,10 @@ type AddressGroupList struct {
 	Items []AddressGroup
 }
 
+// TierPriority specifies the relative ordering among Tiers. A lower
+// TierPriority indicates higher precedence.
+type TierPriority uint32
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // NetworkPolicy is the message format of antrea/pkg/controller/types.NetworkPolicy in an API response.
 type NetworkPolicy struct {
@@ -155,9 +159,12 @@ type NetworkPolicy struct {
 	Rules []NetworkPolicyRule
 	// AppliedToGroups is a list of names of AppliedToGroups to which this policy applies.
 	AppliedToGroups []string
-	// Priority represents the relative priority of this Network Policy as compared to
-	// other Network Policies. Priority will be unset (nil) for K8s Network Policy.
+	// Priority represents the relative priority of this NetworkPolicy as compared to
+	// other NetworkPolicies. Priority will be unset (nil) for K8s NetworkPolicy.
 	Priority *float64
+	// TierPriority represents the priority of the Tier associated with this NetworkPolicy.
+	// The TierPriority will remain nil for K8s NetworkPolicy.
+	TierPriority *TierPriority
 }
 
 // Direction defines traffic direction of NetworkPolicyRule.
@@ -185,7 +192,7 @@ type NetworkPolicyRule struct {
 	Priority int32
 	// Action specifies the action to be applied on the rule. i.e. Allow/Drop. An empty
 	// action “nil” defaults to Allow action, which would be the case for rules created for
-	// K8s Network Policy.
+	// K8s NetworkPolicy.
 	Action *secv1alpha1.RuleAction
 }
 
diff --git a/pkg/apis/networking/v1beta1/generated.pb.go b/pkg/apis/networking/v1beta1/generated.pb.go
index 12e279364a3..47d143bf9e8 100644
--- a/pkg/apis/networking/v1beta1/generated.pb.go
+++ b/pkg/apis/networking/v1beta1/generated.pb.go
@@ -603,90 +603,92 @@ func init() { } var fileDescriptor_da8f95e0f1c69434 = []byte{ - // 1324 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x58, 0xc1, 0x6f, 0x1b, 0xc5, - 0x17, 0xce, 0xae, 0xed, 0x24, 0x9e, 0x38, 0x69, 0x33, 0xf9, 0x49, 0x3f, 0x53, 0x90, 0x1d, 0x2d, + // 1349 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x58, 0xcf, 0x6f, 0x1b, 0xc5, + 0x17, 0xcf, 0xae, 0xed, 0x24, 0x9e, 0x38, 0x69, 0x33, 0xf9, 0x4a, 0x5f, 0x53, 0x90, 0x1d, 0x2d, 0x97, 0x1c, 0xe8, 0x2e, 0x29, 0x15, 0x54, 0x08, 0x0e, 0x71, 0x13, 0x8a, 0xab, 0x36, 0x5d, 0x4d, 0x7b, 0x42, 0x48, 0x30, 0xd9, 0x9d, 0x38, 0xd3, 0x78, 0x77, 0x96, 0xd9, 0xb1, 0xdb, 0xc2, 0x05, - 0x2e, 0x48, 0x9c, 0xda, 0x13, 0x17, 0x6e, 0x88, 0xbf, 0x82, 0x0b, 0xd7, 0x9e, 0x50, 0x8f, 0xe5, - 0x62, 0x88, 0xcb, 0x5f, 0x51, 0x2e, 0x68, 0x66, 0x67, 0xbd, 0xbb, 0x0e, 0x56, 0x23, 0xec, 0x44, - 0x1c, 0x72, 0x4a, 0x66, 0xe6, 0xcd, 0xfb, 0xde, 0x7c, 0xf3, 0xde, 0x37, 0x6f, 0x0d, 0x6e, 0x76, - 0xa8, 0x38, 0xe8, 0xed, 0xd9, 0x1e, 0x0b, 0x9c, 0x7e, 0xf0, 0x00, 0x73, 0x72, 0x59, 0xe0, 0xf0, - 0xcb, 0x9e, 0x83, 0x43, 0xc1, 0x09, 0x76, 0xa2, 0xc3, 0x8e, 0x83, 0x23, 0x1a, 0x3b, 0x21, 0x11, - 0x0f, 0x18, 0x3f, 0xa4, 0x61, 0xc7, 0xe9, 0x6f, 0xee, 0x11, 0x81, 0x37, 0x9d, 0x0e, 0x09, 0x09, - 0xc7, 0x82, 0xf8, 0x76, 0xc4, 0x99, 0x60, 0xf0, 0xfd, 0xcc, 0x97, 0x9d, 0xf8, 0xfa, 0x4c, 0xf9, - 0xb2, 0x13, 0x5f, 0x76, 0x74, 0xd8, 0xb1, 0xa5, 0x2f, 0x3b, 0xf3, 0x65, 0x6b, 0x5f, 0x97, 0x2e, - 0xe7, 0xe2, 0xe8, 0xb0, 0x0e, 0x73, 0x94, 0xcb, 0xbd, 0xde, 0xbe, 0x1a, 0xa9, 0x81, 0xfa, 0x2f, - 0x81, 0xba, 0x74, 0xf5, 0xf0, 0x5a, 0x6c, 0x53, 0x26, 0x43, 0x0b, 0xb0, 0x77, 0x40, 0x43, 0xc2, - 0x1f, 0x65, 0xb1, 0x06, 0x44, 0x60, 0xa7, 0x7f, 0x2c, 0xc0, 0x4b, 0xce, 0xa4, 0x5d, 0xbc, 0x17, - 0x0a, 0x1a, 0x90, 0x63, 0x1b, 0xde, 0x7d, 0xd5, 0x86, 0xd8, 0x3b, 0x20, 0x01, 0x3e, 0xb6, 0xef, - 0x9d, 0x49, 0xfb, 0x7a, 0x82, 0x76, 0x1d, 0x1a, 0x8a, 
0x58, 0xf0, 0xf1, 0x4d, 0xd6, 0xd0, 0x04, - 0xb5, 0x2d, 0xdf, 0xe7, 0x24, 0x8e, 0x6f, 0x70, 0xd6, 0x8b, 0xe0, 0xe7, 0x60, 0x51, 0x9e, 0xc4, - 0xc7, 0x02, 0xd7, 0x8d, 0x75, 0x63, 0x63, 0xe9, 0xca, 0xdb, 0x76, 0xe2, 0xd8, 0xce, 0x3b, 0xce, - 0x78, 0x95, 0xd6, 0x76, 0x7f, 0xd3, 0xbe, 0xb3, 0x77, 0x9f, 0x78, 0xe2, 0x36, 0x11, 0xb8, 0x05, - 0x9f, 0x0e, 0x9a, 0x73, 0xc3, 0x41, 0x13, 0x64, 0x73, 0x68, 0xe4, 0x15, 0x76, 0x41, 0x39, 0x62, - 0x7e, 0x5c, 0x37, 0xd7, 0x4b, 0x1b, 0x4b, 0x57, 0x6e, 0xda, 0xff, 0xfe, 0x02, 0x6d, 0x15, 0xf2, - 0x6d, 0x12, 0xec, 0x11, 0xee, 0x32, 0xbf, 0x55, 0xd3, 0xb8, 0x65, 0x97, 0xf9, 0x31, 0x52, 0x28, - 0xf0, 0x1b, 0x03, 0xd4, 0x3a, 0x99, 0x59, 0x5c, 0x2f, 0x29, 0xd8, 0x1b, 0x33, 0x82, 0x6d, 0xfd, - 0x4f, 0x63, 0xd6, 0x72, 0x93, 0x31, 0x2a, 0x40, 0x5a, 0xbf, 0x1b, 0xe0, 0x62, 0x9e, 0xe4, 0x5b, - 0x34, 0x16, 0xf0, 0xd3, 0x63, 0x44, 0xdb, 0x27, 0x23, 0x5a, 0xee, 0x56, 0x34, 0x5f, 0xd4, 0xd0, - 0x8b, 0xe9, 0x4c, 0x8e, 0xe4, 0x00, 0x54, 0xa8, 0x20, 0x41, 0xca, 0xf2, 0xc7, 0xd3, 0x1c, 0x37, - 0x1f, 0x7a, 0x6b, 0x59, 0x83, 0x56, 0xda, 0xd2, 0x3d, 0x4a, 0x50, 0xac, 0x1f, 0x2b, 0x60, 0x35, - 0x6f, 0xe6, 0x62, 0xe1, 0x1d, 0x9c, 0x41, 0x2e, 0x7d, 0x05, 0xaa, 0xd8, 0xf7, 0x89, 0xef, 0x9e, - 0x4e, 0x42, 0xad, 0x6a, 0xf0, 0xea, 0x56, 0x0a, 0x82, 0x32, 0x3c, 0x99, 0x5a, 0x4b, 0x9c, 0x04, - 0xac, 0xaf, 0xf1, 0x4b, 0x33, 0xc7, 0x5f, 0xd3, 0xf8, 0x4b, 0x28, 0x83, 0x41, 0x79, 0x4c, 0xf8, - 0xc4, 0x00, 0xab, 0x2a, 0xa2, 0x7c, 0xfa, 0xd5, 0xcb, 0xb3, 0xcd, 0xf1, 0xd7, 0x74, 0x18, 0xab, - 0x5b, 0xe3, 0x48, 0xe8, 0x38, 0x38, 0xfc, 0xde, 0x00, 0x6b, 0x3a, 0xc4, 0x42, 0x50, 0x95, 0xd9, - 0x06, 0xf5, 0xba, 0x0e, 0x6a, 0x0d, 0x1d, 0xc7, 0x42, 0xff, 0x14, 0x80, 0xf5, 0xa7, 0x09, 0x56, - 0xb6, 0xa2, 0xa8, 0x4b, 0x89, 0x7f, 0x8f, 0x9d, 0xab, 0xdd, 0x69, 0xa9, 0xdd, 0x0b, 0x03, 0xc0, - 0x22, 0xcd, 0x67, 0xa0, 0x77, 0xac, 0xa8, 0x77, 0x53, 0xf1, 0x5c, 0x0c, 0x7e, 0x82, 0xe2, 0xfd, - 0x54, 0x01, 0x6b, 0x45, 0xc3, 0x73, 0xcd, 0x3b, 0xd7, 0xbc, 0xff, 0x9c, 0xe6, 0xfd, 0x60, 
0x80, - 0xc5, 0x9d, 0xd0, 0x8f, 0x18, 0x0d, 0x05, 0x7c, 0x13, 0x98, 0x34, 0x52, 0x59, 0x59, 0x6b, 0xad, - 0x0d, 0x07, 0x4d, 0xb3, 0xed, 0xbe, 0x1c, 0x34, 0xab, 0x6d, 0x57, 0x3f, 0xdd, 0xc8, 0xa4, 0x11, - 0xbc, 0x0f, 0x2a, 0x11, 0xe3, 0x22, 0x4d, 0xad, 0x9d, 0x69, 0x62, 0xdf, 0xc5, 0x81, 0xbc, 0x33, - 0x2e, 0xb2, 0x22, 0x92, 0xa3, 0x18, 0x25, 0x10, 0x56, 0x17, 0xfc, 0x7f, 0xe7, 0xa1, 0x20, 0x3c, - 0xc4, 0xdd, 0x9d, 0x50, 0x50, 0xf1, 0x08, 0x91, 0x7d, 0xc2, 0x49, 0xe8, 0x11, 0xb8, 0x0e, 0xca, - 0x21, 0x0e, 0x88, 0x8a, 0xb6, 0x9a, 0x69, 0x9d, 0xf4, 0x88, 0xd4, 0x0a, 0x74, 0x40, 0x55, 0xfe, - 0x8d, 0x23, 0xec, 0x91, 0xba, 0xa9, 0xcc, 0x46, 0xb9, 0xbb, 0x9b, 0x2e, 0xa0, 0xcc, 0xc6, 0xfa, - 0xcb, 0x04, 0x4b, 0x39, 0x72, 0xe0, 0x63, 0x03, 0xac, 0x90, 0x02, 0xbc, 0xae, 0xd8, 0xbb, 0xd3, - 0x9c, 0x79, 0xc2, 0x81, 0x5a, 0x70, 0x38, 0x68, 0xae, 0x8c, 0x2d, 0x8e, 0xc1, 0x43, 0x0f, 0x94, - 0x22, 0xe6, 0xab, 0xc3, 0x4c, 0xd9, 0xb3, 0xb9, 0xcc, 0xcf, 0xa0, 0x17, 0x86, 0x83, 0x66, 0x49, - 0xce, 0x48, 0xef, 0xb0, 0x07, 0xaa, 0x44, 0x67, 0x44, 0x5a, 0xbf, 0xdb, 0x53, 0x1d, 0x58, 0x3b, - 0xcb, 0xd8, 0x4f, 0x67, 0x62, 0x94, 0x21, 0x59, 0xdf, 0x9a, 0x60, 0xa5, 0x58, 0xea, 0xe9, 0x71, - 0x8d, 0x53, 0x3d, 0x6e, 0x92, 0xf4, 0xe6, 0x09, 0x93, 0xbe, 0x74, 0xfa, 0x49, 0xff, 0x9b, 0x01, - 0x16, 0xda, 0x6e, 0xab, 0xcb, 0xbc, 0x43, 0xe8, 0x81, 0xb2, 0x47, 0x7d, 0xae, 0x29, 0xd8, 0x9a, - 0x06, 0xb6, 0xed, 0xee, 0x12, 0x91, 0x15, 0xca, 0xf5, 0xf6, 0x36, 0x42, 0xca, 0x39, 0xa4, 0x60, - 0x9e, 0x3c, 0xf4, 0x48, 0x24, 0x74, 0x49, 0xcf, 0x00, 0x66, 0x45, 0xc3, 0xcc, 0xef, 0x28, 0xc7, - 0x48, 0x03, 0x58, 0xfb, 0xa0, 0xa2, 0x0c, 0x4e, 0x26, 0x35, 0xd7, 0x40, 0x2d, 0xe2, 0x64, 0x9f, - 0x3e, 0xbc, 0x45, 0xc2, 0x8e, 0x38, 0x50, 0x97, 0x54, 0xc9, 0x7a, 0x0c, 0x37, 0xb7, 0x86, 0x0a, - 0x96, 0xd6, 0x77, 0x06, 0xa8, 0x8e, 0x78, 0x96, 0x5a, 0x21, 0xa9, 0x55, 0x70, 0x95, 0x7c, 0x5f, - 0xc4, 0x05, 0x52, 0x2b, 0x23, 0x35, 0x31, 0x27, 0xaa, 0xc9, 0x35, 0xb0, 0xa8, 0xbe, 0x88, 0x3d, - 0xd6, 0xad, 0x97, 0x94, 0xd5, 
0x1b, 0x69, 0xbb, 0xe1, 0xea, 0xf9, 0x97, 0xb9, 0xff, 0xd1, 0xc8, - 0xda, 0xfa, 0xd5, 0x04, 0xcb, 0xbb, 0x09, 0x51, 0x2e, 0xeb, 0x52, 0xef, 0xd1, 0x19, 0xf4, 0x00, - 0x1c, 0x54, 0x78, 0xaf, 0x4b, 0x52, 0x91, 0xbe, 0x3d, 0x55, 0xbe, 0xe6, 0x63, 0x47, 0xbd, 0x2e, - 0xc9, 0xf2, 0x56, 0x8e, 0x62, 0x94, 0x40, 0xc1, 0x0f, 0xc1, 0x05, 0x5c, 0x68, 0x78, 0x92, 0x6a, - 0xa9, 0xaa, 0xfb, 0xbd, 0x50, 0xec, 0x85, 0x62, 0x34, 0x6e, 0x0b, 0x37, 0x24, 0xc1, 0x94, 0x71, - 0x29, 0xb3, 0xe5, 0x75, 0x63, 0xc3, 0x68, 0xd5, 0x12, 0x72, 0x93, 0x39, 0x34, 0x5a, 0xb5, 0x8e, - 0x0c, 0xb0, 0x5a, 0x08, 0xea, 0x0c, 0xfa, 0xc7, 0xb0, 0xd8, 0x3f, 0xb6, 0x67, 0x46, 0xe8, 0x84, - 0xf6, 0xf1, 0x97, 0xf1, 0x33, 0xba, 0x84, 0x70, 0xf8, 0x1e, 0x58, 0xc6, 0xb9, 0xaf, 0xe8, 0xb8, - 0x6e, 0x28, 0x82, 0x57, 0x87, 0x83, 0xe6, 0x72, 0xfe, 0xf3, 0x3a, 0x46, 0x45, 0x3b, 0xf8, 0x05, - 0x58, 0xa4, 0x91, 0x92, 0x94, 0xf4, 0x04, 0xd7, 0xa7, 0x2b, 0x72, 0xe5, 0x2b, 0x63, 0x4c, 0x4f, - 0xc4, 0x68, 0x04, 0x63, 0xfd, 0x5c, 0x1e, 0x3b, 0x81, 0x4c, 0x16, 0xf8, 0x01, 0xa8, 0xfa, 0x94, - 0x13, 0x4f, 0x50, 0x16, 0xea, 0xb7, 0xbb, 0x91, 0x3e, 0x0b, 0xdb, 0xe9, 0xc2, 0xcb, 0xfc, 0x00, - 0x65, 0x1b, 0x20, 0x03, 0xe5, 0x7d, 0xce, 0x02, 0xfd, 0x00, 0xce, 0x2e, 0xab, 0x25, 0xb9, 0x59, - 0xd5, 0x7f, 0xc4, 0x59, 0x80, 0x14, 0x10, 0xa4, 0xc0, 0x14, 0x4c, 0xd5, 0xfb, 0xcc, 0xe1, 0x80, - 0x86, 0x33, 0xef, 0x31, 0x64, 0x0a, 0x26, 0xaf, 0x28, 0x26, 0xbc, 0x4f, 0x3d, 0x92, 0xf6, 0xaa, - 0x53, 0x5d, 0xd1, 0xdd, 0xc4, 0x57, 0x76, 0x45, 0x7a, 0x22, 0x46, 0x23, 0x18, 0xf8, 0x56, 0xae, - 0xe4, 0x2a, 0x4a, 0x1b, 0x2f, 0x66, 0x9a, 0x36, 0x5e, 0x76, 0xf0, 0x3e, 0x98, 0xc7, 0xc9, 0xbd, - 0xcd, 0xab, 0x7b, 0x43, 0x52, 0xdf, 0xb7, 0xd2, 0x0b, 0xdb, 0x3e, 0xe9, 0x6f, 0xb6, 0x31, 0xf1, - 0x7a, 0xd2, 0x9f, 0xd3, 0xdf, 0xc4, 0xdd, 0xe8, 0x00, 0x6f, 0xda, 0x32, 0x31, 0x12, 0x3f, 0x48, - 0x23, 0x58, 0x18, 0xd4, 0xf2, 0x4f, 0xf6, 0x69, 0x74, 0x7b, 0x8f, 0x0d, 0xb0, 0xa0, 0x39, 0x81, - 0x57, 0x73, 0xe2, 0x9e, 0x40, 0xd4, 0x5f, 0x2d, 0xec, 0x70, 0x57, 
0x3f, 0x2b, 0xe6, 0x2b, 0x24, - 0xbc, 0x27, 0x68, 0xd7, 0x4e, 0x7e, 0x5f, 0xb5, 0xdb, 0xa1, 0xb8, 0xc3, 0xef, 0x0a, 0x4e, 0xc3, - 0x4e, 0x6b, 0xb1, 0xf8, 0x08, 0xb5, 0x2e, 0x3f, 0x3d, 0x6a, 0xcc, 0x3d, 0x3b, 0x6a, 0xcc, 0x3d, - 0x3f, 0x6a, 0xcc, 0x7d, 0x3d, 0x6c, 0x18, 0x4f, 0x87, 0x0d, 0xe3, 0xd9, 0xb0, 0x61, 0x3c, 0x1f, - 0x36, 0x8c, 0x3f, 0x86, 0x0d, 0xe3, 0xc9, 0x8b, 0xc6, 0xdc, 0x27, 0x0b, 0xfa, 0x86, 0xff, 0x0e, - 0x00, 0x00, 0xff, 0xff, 0x5f, 0x0e, 0xc9, 0x67, 0x26, 0x17, 0x00, 0x00, + 0x2e, 0x48, 0x9c, 0xda, 0x03, 0xe2, 0xc2, 0x0d, 0xf1, 0x57, 0x70, 0xe1, 0xda, 0x63, 0x8f, 0xe5, + 0x62, 0x88, 0xcb, 0x5f, 0x11, 0x2e, 0x68, 0x66, 0x67, 0xbd, 0xbb, 0x36, 0x51, 0x23, 0xec, 0x44, + 0x1c, 0x7a, 0x4a, 0x66, 0xe6, 0xcd, 0xfb, 0xbc, 0x5f, 0xf3, 0x79, 0x6f, 0x0d, 0x6e, 0x76, 0xa8, + 0x38, 0xe8, 0xed, 0xd9, 0x1e, 0x0b, 0x9c, 0x7e, 0xf0, 0x00, 0x73, 0x72, 0x59, 0xe0, 0xf0, 0xcb, + 0x9e, 0x83, 0x43, 0xc1, 0x09, 0x76, 0xa2, 0xc3, 0x8e, 0x83, 0x23, 0x1a, 0x3b, 0x21, 0x11, 0x0f, + 0x18, 0x3f, 0xa4, 0x61, 0xc7, 0xe9, 0x6f, 0xee, 0x11, 0x81, 0x37, 0x9d, 0x0e, 0x09, 0x09, 0xc7, + 0x82, 0xf8, 0x76, 0xc4, 0x99, 0x60, 0xf0, 0xfd, 0x4c, 0x97, 0x9d, 0xe8, 0xfa, 0x4c, 0xe9, 0xb2, + 0x13, 0x5d, 0x76, 0x74, 0xd8, 0xb1, 0xa5, 0x2e, 0x3b, 0xd3, 0x65, 0x6b, 0x5d, 0x97, 0x2e, 0xe7, + 0xec, 0xe8, 0xb0, 0x0e, 0x73, 0x94, 0xca, 0xbd, 0xde, 0xbe, 0x5a, 0xa9, 0x85, 0xfa, 0x2f, 0x81, + 0xba, 0x74, 0xf5, 0xf0, 0x5a, 0x6c, 0x53, 0x26, 0x4d, 0x0b, 0xb0, 0x77, 0x40, 0x43, 0xc2, 0x1f, + 0x65, 0xb6, 0x06, 0x44, 0x60, 0xa7, 0x3f, 0x61, 0xe0, 0x25, 0xe7, 0xa4, 0x5b, 0xbc, 0x17, 0x0a, + 0x1a, 0x90, 0x89, 0x0b, 0xef, 0xbe, 0xec, 0x42, 0xec, 0x1d, 0x90, 0x00, 0x4f, 0xdc, 0x7b, 0xe7, + 0xa4, 0x7b, 0x3d, 0x41, 0xbb, 0x0e, 0x0d, 0x45, 0x2c, 0xf8, 0xf8, 0x25, 0x6b, 0x68, 0x82, 0xda, + 0x96, 0xef, 0x73, 0x12, 0xc7, 0x37, 0x38, 0xeb, 0x45, 0xf0, 0x73, 0xb0, 0x28, 0x3d, 0xf1, 0xb1, + 0xc0, 0x75, 0x63, 0xdd, 0xd8, 0x58, 0xba, 0xf2, 0xb6, 0x9d, 0x28, 0xb6, 0xf3, 0x8a, 0xb3, 0xb8, + 0x4a, 0x69, 0xbb, 0xbf, 0x69, 
0xdf, 0xd9, 0xbb, 0x4f, 0x3c, 0x71, 0x9b, 0x08, 0xdc, 0x82, 0x4f, + 0x07, 0xcd, 0xb9, 0xe1, 0xa0, 0x09, 0xb2, 0x3d, 0x34, 0xd2, 0x0a, 0xbb, 0xa0, 0x1c, 0x31, 0x3f, + 0xae, 0x9b, 0xeb, 0xa5, 0x8d, 0xa5, 0x2b, 0x37, 0xed, 0x7f, 0x9f, 0x40, 0x5b, 0x99, 0x7c, 0x9b, + 0x04, 0x7b, 0x84, 0xbb, 0xcc, 0x6f, 0xd5, 0x34, 0x6e, 0xd9, 0x65, 0x7e, 0x8c, 0x14, 0x0a, 0xfc, + 0xc6, 0x00, 0xb5, 0x4e, 0x26, 0x16, 0xd7, 0x4b, 0x0a, 0xf6, 0xc6, 0x8c, 0x60, 0x5b, 0xff, 0xd3, + 0x98, 0xb5, 0xdc, 0x66, 0x8c, 0x0a, 0x90, 0xd6, 0xef, 0x06, 0xb8, 0x98, 0x0f, 0xf2, 0x2d, 0x1a, + 0x0b, 0xf8, 0xe9, 0x44, 0xa0, 0xed, 0xd3, 0x05, 0x5a, 0xde, 0x56, 0x61, 0xbe, 0xa8, 0xa1, 0x17, + 0xd3, 0x9d, 0x5c, 0x90, 0x03, 0x50, 0xa1, 0x82, 0x04, 0x69, 0x94, 0x3f, 0x9e, 0xc6, 0xdd, 0xbc, + 0xe9, 0xad, 0x65, 0x0d, 0x5a, 0x69, 0x4b, 0xf5, 0x28, 0x41, 0xb1, 0x7e, 0xaa, 0x80, 0xd5, 0xbc, + 0x98, 0x8b, 0x85, 0x77, 0x70, 0x0e, 0xb5, 0xf4, 0x15, 0xa8, 0x62, 0xdf, 0x27, 0xbe, 0x7b, 0x36, + 0x05, 0xb5, 0xaa, 0xc1, 0xab, 0x5b, 0x29, 0x08, 0xca, 0xf0, 0x64, 0x69, 0x2d, 0x71, 0x12, 0xb0, + 0xbe, 0xc6, 0x2f, 0xcd, 0x1c, 0x7f, 0x4d, 0xe3, 0x2f, 0xa1, 0x0c, 0x06, 0xe5, 0x31, 0xe1, 0x13, + 0x03, 0xac, 0x2a, 0x8b, 0xf2, 0xe5, 0x57, 0x2f, 0xcf, 0xb6, 0xc6, 0x5f, 0xd3, 0x66, 0xac, 0x6e, + 0x8d, 0x23, 0xa1, 0x49, 0x70, 0xf8, 0x83, 0x01, 0xd6, 0xb4, 0x89, 0x05, 0xa3, 0x2a, 0xb3, 0x35, + 0xea, 0x75, 0x6d, 0xd4, 0x1a, 0x9a, 0xc4, 0x42, 0xff, 0x64, 0x80, 0xf5, 0xa7, 0x09, 0x56, 0xb6, + 0xa2, 0xa8, 0x4b, 0x89, 0x7f, 0x8f, 0xbd, 0x62, 0xbb, 0xb3, 0x62, 0xbb, 0x17, 0x06, 0x80, 0xc5, + 0x30, 0x9f, 0x03, 0xdf, 0xb1, 0x22, 0xdf, 0x4d, 0x15, 0xe7, 0xa2, 0xf1, 0x27, 0x30, 0xde, 0xcf, + 0x15, 0xb0, 0x56, 0x14, 0x7c, 0xc5, 0x79, 0xaf, 0x38, 0xef, 0x3f, 0xc7, 0x79, 0x3f, 0x1a, 0x60, + 0x71, 0x27, 0xf4, 0x23, 0x46, 0x43, 0x01, 0xdf, 0x04, 0x26, 0x8d, 0x54, 0x55, 0xd6, 0x5a, 0x6b, + 0xc3, 0x41, 0xd3, 0x6c, 0xbb, 0xc7, 0x83, 0x66, 0xb5, 0xed, 0xea, 0xd6, 0x8d, 0x4c, 0x1a, 0xc1, + 0xfb, 0xa0, 0x12, 0x31, 0x2e, 0xd2, 0xd2, 0xda, 0x99, 0xc6, 0xf6, 
0x5d, 0x1c, 0xc8, 0x9c, 0x71, + 0x91, 0x3d, 0x22, 0xb9, 0x8a, 0x51, 0x02, 0x61, 0x75, 0xc1, 0xff, 0x77, 0x1e, 0x0a, 0xc2, 0x43, + 0xdc, 0xdd, 0x09, 0x05, 0x15, 0x8f, 0x10, 0xd9, 0x27, 0x9c, 0x84, 0x1e, 0x81, 0xeb, 0xa0, 0x1c, + 0xe2, 0x80, 0x28, 0x6b, 0xab, 0x19, 0xd7, 0x49, 0x8d, 0x48, 0x9d, 0x40, 0x07, 0x54, 0xe5, 0xdf, + 0x38, 0xc2, 0x1e, 0xa9, 0x9b, 0x4a, 0x6c, 0x54, 0xbb, 0xbb, 0xe9, 0x01, 0xca, 0x64, 0xac, 0xbf, + 0x4c, 0xb0, 0x94, 0x0b, 0x0e, 0x7c, 0x6c, 0x80, 0x15, 0x52, 0x80, 0xd7, 0x2f, 0xf6, 0xee, 0x34, + 0x3e, 0x9f, 0xe0, 0x50, 0x0b, 0x0e, 0x07, 0xcd, 0x95, 0xb1, 0xc3, 0x31, 0x78, 0xe8, 0x81, 0x52, + 0xc4, 0x7c, 0xe5, 0xcc, 0x94, 0x33, 0x9b, 0xcb, 0xfc, 0x0c, 0x7a, 0x61, 0x38, 0x68, 0x96, 0xe4, + 0x8e, 0xd4, 0x0e, 0x7b, 0xa0, 0x4a, 0x74, 0x45, 0xa4, 0xef, 0x77, 0x7b, 0x2a, 0x87, 0xb5, 0xb2, + 0x2c, 0xfa, 0xe9, 0x4e, 0x8c, 0x32, 0x24, 0xeb, 0x5b, 0x13, 0xac, 0x14, 0x9f, 0x7a, 0xea, 0xae, + 0x71, 0xa6, 0xee, 0x26, 0x45, 0x6f, 0x9e, 0xb2, 0xe8, 0x4b, 0x67, 0x5f, 0xf4, 0xbf, 0x19, 0x60, + 0xa1, 0xed, 0xb6, 0xba, 0xcc, 0x3b, 0x84, 0x1e, 0x28, 0x7b, 0xd4, 0xe7, 0x3a, 0x04, 0x5b, 0xd3, + 0xc0, 0xb6, 0xdd, 0x5d, 0x22, 0xb2, 0x87, 0x72, 0xbd, 0xbd, 0x8d, 0x90, 0x52, 0x0e, 0x29, 0x98, + 0x27, 0x0f, 0x3d, 0x12, 0x09, 0xfd, 0xa4, 0x67, 0x00, 0xb3, 0xa2, 0x61, 0xe6, 0x77, 0x94, 0x62, + 0xa4, 0x01, 0xac, 0x7d, 0x50, 0x51, 0x02, 0xa7, 0xa3, 0x9a, 0x6b, 0xa0, 0x16, 0x71, 0xb2, 0x4f, + 0x1f, 0xde, 0x22, 0x61, 0x47, 0x1c, 0xa8, 0x24, 0x55, 0xb2, 0x19, 0xc3, 0xcd, 0x9d, 0xa1, 0x82, + 0xa4, 0xf5, 0x9d, 0x01, 0xaa, 0xa3, 0x38, 0x4b, 0xae, 0x90, 0xa1, 0x55, 0x70, 0x95, 0xfc, 0x5c, + 0xc4, 0x05, 0x52, 0x27, 0x23, 0x36, 0x31, 0x4f, 0x64, 0x93, 0x6b, 0x60, 0x51, 0x7d, 0x11, 0x7b, + 0xac, 0x5b, 0x2f, 0x29, 0xa9, 0x37, 0xd2, 0x71, 0xc3, 0xd5, 0xfb, 0xc7, 0xb9, 0xff, 0xd1, 0x48, + 0xda, 0xfa, 0xbe, 0x04, 0x96, 0x77, 0x93, 0x40, 0xb9, 0xac, 0x4b, 0xbd, 0x47, 0xe7, 0x30, 0x03, + 0x70, 0x50, 0xe1, 0xbd, 0x2e, 0x49, 0x49, 0xfa, 0xf6, 0x54, 0xf5, 0x9a, 0xb7, 0x1d, 0xf5, 0xba, + 0x24, 
0xab, 0x5b, 0xb9, 0x8a, 0x51, 0x02, 0x05, 0x3f, 0x04, 0x17, 0x70, 0x61, 0xe0, 0x49, 0x5e, + 0x4b, 0x55, 0xe5, 0xf7, 0x42, 0x71, 0x16, 0x8a, 0xd1, 0xb8, 0x2c, 0xdc, 0x90, 0x01, 0xa6, 0x8c, + 0x4b, 0x9a, 0x2d, 0xaf, 0x1b, 0x1b, 0x46, 0xab, 0x96, 0x04, 0x37, 0xd9, 0x43, 0xa3, 0x53, 0xb8, + 0x0d, 0x6a, 0x82, 0x12, 0x9e, 0x9e, 0xd4, 0x2b, 0xeb, 0xc6, 0xc6, 0x72, 0x6b, 0x5d, 0x96, 0xc4, + 0xbd, 0xdc, 0xfe, 0xf1, 0xd8, 0x1a, 0x15, 0x6e, 0x59, 0x47, 0x06, 0x58, 0x2d, 0xb8, 0x76, 0x0e, + 0x53, 0x68, 0x58, 0x9c, 0x42, 0xdb, 0x33, 0x4b, 0xcb, 0x09, 0x43, 0xe8, 0xaf, 0xe3, 0x3e, 0xba, + 0x84, 0x70, 0xf8, 0x1e, 0x58, 0xc6, 0xb9, 0x6f, 0xf1, 0xb8, 0x6e, 0xa8, 0x34, 0xad, 0x0e, 0x07, + 0xcd, 0xe5, 0xfc, 0x47, 0x7a, 0x8c, 0x8a, 0x72, 0xf0, 0x0b, 0xb0, 0x48, 0x23, 0x45, 0x4c, 0xa9, + 0x07, 0xd7, 0xa7, 0xa3, 0x0a, 0xa5, 0x2b, 0x8b, 0x98, 0xde, 0x88, 0xd1, 0x08, 0xc6, 0xfa, 0xa5, + 0x3c, 0xe6, 0x81, 0x2c, 0x39, 0xf8, 0x01, 0xa8, 0xfa, 0x94, 0x13, 0x4f, 0x50, 0x16, 0xea, 0x09, + 0xa0, 0x91, 0x36, 0x97, 0xed, 0xf4, 0xe0, 0x38, 0xbf, 0x40, 0xd9, 0x05, 0xc8, 0x40, 0x79, 0x9f, + 0xb3, 0x40, 0xb7, 0xd1, 0xd9, 0xbd, 0x0d, 0x19, 0xdc, 0x8c, 0x3b, 0x3e, 0xe2, 0x2c, 0x40, 0x0a, + 0x08, 0x52, 0x60, 0x0a, 0xa6, 0x58, 0x63, 0xe6, 0x70, 0x40, 0xc3, 0x99, 0xf7, 0x18, 0x32, 0x05, + 0x93, 0x29, 0x8a, 0x09, 0xef, 0x53, 0x8f, 0xa4, 0x13, 0xef, 0x54, 0x29, 0xba, 0x9b, 0xe8, 0xca, + 0x52, 0xa4, 0x37, 0x62, 0x34, 0x82, 0x81, 0x6f, 0xe5, 0x1e, 0x6e, 0x45, 0x31, 0xec, 0xc5, 0x8c, + 0x19, 0x27, 0x1e, 0xef, 0x7d, 0x30, 0x8f, 0x93, 0xbc, 0xcd, 0xab, 0xbc, 0x21, 0xd9, 0x25, 0xb6, + 0xd2, 0x84, 0x6d, 0x9f, 0xf6, 0x97, 0xdf, 0x98, 0x78, 0x3d, 0xa9, 0xcf, 0xe9, 0x6f, 0xe2, 0x6e, + 0x74, 0x80, 0x37, 0x6d, 0x59, 0x18, 0x89, 0x1e, 0xa4, 0x11, 0x2c, 0x0c, 0x6a, 0xf9, 0xc6, 0x7f, + 0x16, 0x33, 0xe3, 0x63, 0x03, 0x2c, 0xe8, 0x98, 0xc0, 0xab, 0xb9, 0x16, 0x91, 0x40, 0xd4, 0x5f, + 0xde, 0x1e, 0xe0, 0xae, 0x6e, 0x4e, 0xe6, 0x4b, 0x1a, 0x41, 0x4f, 0xd0, 0xae, 0x9d, 0xfc, 0x4a, + 0x6b, 0xb7, 0x43, 0x71, 0x87, 0xdf, 0x15, 
0x9c, 0x86, 0x9d, 0xd6, 0x62, 0xb1, 0x95, 0xb5, 0x2e, + 0x3f, 0x3d, 0x6a, 0xcc, 0x3d, 0x3b, 0x6a, 0xcc, 0x3d, 0x3f, 0x6a, 0xcc, 0x7d, 0x3d, 0x6c, 0x18, + 0x4f, 0x87, 0x0d, 0xe3, 0xd9, 0xb0, 0x61, 0x3c, 0x1f, 0x36, 0x8c, 0x3f, 0x86, 0x0d, 0xe3, 0xc9, + 0x8b, 0xc6, 0xdc, 0x27, 0x0b, 0x3a, 0xc3, 0x7f, 0x07, 0x00, 0x00, 0xff, 0xff, 0x22, 0xa3, 0x1b, + 0xdb, 0x6c, 0x17, 0x00, 0x00, } func (m *AddressGroup) Marshal() (dAtA []byte, err error) { @@ -1413,6 +1415,11 @@ func (m *NetworkPolicy) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + if m.TierPriority != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.TierPriority)) + i-- + dAtA[i] = 0x28 + } if m.Priority != nil { i -= 8 encoding_binary.LittleEndian.PutUint64(dAtA[i:], uint64(math.Float64bits(float64(*m.Priority)))) @@ -2002,6 +2009,9 @@ func (m *NetworkPolicy) Size() (n int) { if m.Priority != nil { n += 9 } + if m.TierPriority != nil { + n += 1 + sovGenerated(uint64(*m.TierPriority)) + } return n } @@ -2363,6 +2373,7 @@ func (this *NetworkPolicy) String() string { `Rules:` + repeatedStringForRules + `,`, `AppliedToGroups:` + fmt.Sprintf("%v", this.AppliedToGroups) + `,`, `Priority:` + valueToStringGenerated(this.Priority) + `,`, + `TierPriority:` + valueToStringGenerated(this.TierPriority) + `,`, `}`, }, "") return s @@ -4497,6 +4508,26 @@ func (m *NetworkPolicy) Unmarshal(dAtA []byte) error { iNdEx += 8 v2 := float64(math.Float64frombits(v)) m.Priority = &v2 + case 5: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field TierPriority", wireType) + } + var v TierPriority + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= TierPriority(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.TierPriority = &v default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) 
diff --git a/pkg/apis/networking/v1beta1/generated.proto b/pkg/apis/networking/v1beta1/generated.proto
index 33d57bcdaf5..539d011f59c 100644
--- a/pkg/apis/networking/v1beta1/generated.proto
+++ b/pkg/apis/networking/v1beta1/generated.proto
@@ -188,6 +188,10 @@ message NetworkPolicy {
   // Priority represents the relative priority of this Network Policy as compared to
   // other Network Policies. Priority will be unset (nil) for K8s Network Policy.
   optional double priority = 4;
+
+  // TierPriority represents the priority of the Tier associated with this Network
+  // Policy. The TierPriority will remain nil for K8s NetworkPolicy.
+  optional uint32 tierPriority = 5;
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/pkg/apis/networking/v1beta1/types.go b/pkg/apis/networking/v1beta1/types.go
index 59c4d5374e4..3f8edd1d8b9 100644
--- a/pkg/apis/networking/v1beta1/types.go
+++ b/pkg/apis/networking/v1beta1/types.go
@@ -151,6 +151,10 @@ type AddressGroupList struct {
 	Items []AddressGroup `json:"items" protobuf:"bytes,2,rep,name=items"`
 }
 
+// TierPriority specifies the relative ordering among Tiers. A lower
+// TierPriority indicates higher precedence.
+type TierPriority uint32
+
 // +genclient
 // +genclient:onlyVerbs=list,get,watch
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -165,6 +169,9 @@ type NetworkPolicy struct {
 	// Priority represents the relative priority of this Network Policy as compared to
 	// other Network Policies. Priority will be unset (nil) for K8s Network Policy.
 	Priority *float64 `json:"priority,omitempty" protobuf:"fixed64,4,opt,name=priority"`
+	// TierPriority represents the priority of the Tier associated with this Network
+	// Policy. The TierPriority will remain nil for K8s NetworkPolicy.
+	TierPriority *TierPriority `json:"tierPriority,omitempty" protobuf:"varint,5,opt,name=tierPriority"`
 }
 
 // Direction defines traffic direction of NetworkPolicyRule.
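Review bot: `TierPriority *TierPriority` becomes proto field 5 of the NetworkPolicy served to agents, and an agent built before this change skips unknown fields when unmarshalling (the `default:` branch calling skipGenerated in generated.pb.go), so during a mixed-version rollout it would presumably see every CNP with a nil TierPriority and order them by Priority alone; that seems an acceptable upgrade window but deserves a sentence in the field comment or the release notes so operators do not expect Tier precedence before agents are upgraded. The new comment also keeps the `Network Policy` spelling that the matching hunk in pkg/apis/networking/types.go changes to `NetworkPolicy`; `// TierPriority represents the priority of the Tier associated with this NetworkPolicy.` keeps the two types' documentation in step.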
diff --git a/pkg/apis/networking/v1beta1/zz_generated.conversion.go b/pkg/apis/networking/v1beta1/zz_generated.conversion.go index eedc7b21ff2..84732c5e6ca 100644 --- a/pkg/apis/networking/v1beta1/zz_generated.conversion.go +++ b/pkg/apis/networking/v1beta1/zz_generated.conversion.go @@ -545,6 +545,7 @@ func autoConvert_v1beta1_NetworkPolicy_To_networking_NetworkPolicy(in *NetworkPo out.Rules = *(*[]networking.NetworkPolicyRule)(unsafe.Pointer(&in.Rules)) out.AppliedToGroups = *(*[]string)(unsafe.Pointer(&in.AppliedToGroups)) out.Priority = (*float64)(unsafe.Pointer(in.Priority)) + out.TierPriority = (*networking.TierPriority)(unsafe.Pointer(in.TierPriority)) return nil } @@ -558,6 +559,7 @@ func autoConvert_networking_NetworkPolicy_To_v1beta1_NetworkPolicy(in *networkin out.Rules = *(*[]NetworkPolicyRule)(unsafe.Pointer(&in.Rules)) out.AppliedToGroups = *(*[]string)(unsafe.Pointer(&in.AppliedToGroups)) out.Priority = (*float64)(unsafe.Pointer(in.Priority)) + out.TierPriority = (*TierPriority)(unsafe.Pointer(in.TierPriority)) return nil } diff --git a/pkg/apis/networking/v1beta1/zz_generated.deepcopy.go b/pkg/apis/networking/v1beta1/zz_generated.deepcopy.go index 79234a533a4..d2c5dca9b93 100644 --- a/pkg/apis/networking/v1beta1/zz_generated.deepcopy.go +++ b/pkg/apis/networking/v1beta1/zz_generated.deepcopy.go @@ -517,6 +517,11 @@ func (in *NetworkPolicy) DeepCopyInto(out *NetworkPolicy) { *out = new(float64) **out = **in } + if in.TierPriority != nil { + in, out := &in.TierPriority, &out.TierPriority + *out = new(TierPriority) + **out = **in + } return } diff --git a/pkg/apis/networking/zz_generated.deepcopy.go b/pkg/apis/networking/zz_generated.deepcopy.go index f015a7c3c38..ffef7f42b25 100644 --- a/pkg/apis/networking/zz_generated.deepcopy.go +++ b/pkg/apis/networking/zz_generated.deepcopy.go 
@@ -517,6 +517,11 @@ func (in *NetworkPolicy) DeepCopyInto(out *NetworkPolicy) { *out = new(float64) **out = **in } + if in.TierPriority != nil { + in, out := &in.TierPriority, &out.TierPriority + *out = new(TierPriority) + **out = **in + } return } diff --git a/pkg/apis/security/v1alpha1/types.go b/pkg/apis/security/v1alpha1/types.go index 156094fd21d..f1968f2c90d 100644 --- a/pkg/apis/security/v1alpha1/types.go +++ b/pkg/apis/security/v1alpha1/types.go @@ -35,6 +35,12 @@ type NetworkPolicy struct { // NetworkPolicySpec defines the desired state for NetworkPolicy. type NetworkPolicySpec struct { + // Tier specifies the tier to which this NetworkPolicy belongs to. + // The NetworkPolicy order will be determined based on the combination of the + // Tier's Priority and the NetworkPolicy's own Priority. If not specified, + // this policy will be created in the Application Tier right above the K8s + // NetworkPolicy which resides at the bottom. + Tier string `json:"tier,omitempty"` // Priority specfies the order of the NetworkPolicy relative to other // NetworkPolicies. Priority float64 `json:"priority"` @@ -159,6 +165,12 @@ type ClusterNetworkPolicy struct { // ClusterNetworkPolicySpec defines the desired state for ClusterNetworkPolicy. type ClusterNetworkPolicySpec struct { + // Tier specifies the tier to which this ClusterNetworkPolicy belongs to. + // The ClusterNetworkPolicy order will be determined based on the + // combination of the Tier's Priority and the ClusterNetworkPolicy's own + // Priority. If not specified, this policy will be created in the Application + // Tier right above the K8s NetworkPolicy which resides at the bottom. + Tier string `json:"tier,omitempty"` // Priority specfies the order of the ClusterNetworkPolicy relative to // other ClusterNetworkPolicies. Priority float64 `json:"priority"` diff --git a/pkg/apiserver/openapi/zz_generated.openapi.go b/pkg/apiserver/openapi/zz_generated.openapi.go index 88470a18237..0059a09dd1b 100644 
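Review bot: `Tier string \`json:"tier,omitempty"\`` on NetworkPolicySpec carries the same ordering promise as the ClusterNetworkPolicySpec field, but the only consumer visible in this diff is processClusterNetworkPolicy, which reads cnp.Spec.Tier; if the namespaced NetworkPolicy path does not read the field yet, the comment promises precedence the controller does not deliver, so either wire it up in the same change or state in the comment that it is not yet honored. Both comments should also list the accepted values, since the Go type is a plain string and the enum lives only in the CRD yaml: `// Valid values are Emergency, SecurityOps, NetworkOps, Platform and Application.` Minor: `the tier to which this NetworkPolicy belongs to` doubles the preposition; `the tier to which this NetworkPolicy belongs.`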
--- a/pkg/apiserver/openapi/zz_generated.openapi.go
+++ b/pkg/apiserver/openapi/zz_generated.openapi.go
@@ -1437,6 +1437,13 @@ func schema_pkg_apis_networking_v1beta1_NetworkPolicy(ref common.ReferenceCallba
 						Format: "double",
 					},
 				},
+				"tierPriority": {
+					SchemaProps: spec.SchemaProps{
+						Description: "TierPriority represents the priority of the Tier associated with this Network Policy. The TierPriority will remain nil for K8s NetworkPolicy.",
+						Type: []string{"integer"},
+						Format: "int64",
+					},
+				},
 			},
 		},
 	},
diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go
index 5481998bdb2..38a6e32661f 100644
--- a/pkg/controller/networkpolicy/clusternetworkpolicy.go
+++ b/pkg/controller/networkpolicy/clusternetworkpolicy.go
@@ -31,6 +31,15 @@ var (
 	matchAllPodsPeerCrd = secv1alpha1.NetworkPolicyPeer{
 		NamespaceSelector: &metav1.LabelSelector{},
 	}
+
+	// tierPriorityMap maintains a map of the Tier name to it's priority.
+	tierPriorityMap = map[string]networking.TierPriority{
+		"Emergency": antreatypes.TierEmergency,
+		"SecurityOps": antreatypes.TierSecurityOps,
+		"NetworkOps": antreatypes.TierNetworkOps,
+		"Platform": antreatypes.TierPlatform,
+		"Application": antreatypes.TierApplication,
+	}
 )
 
 // addCNP receives ClusterNetworkPolicy ADD events and creates resources
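Review bot: The keys of `tierPriorityMap` are string literals that must match the `enum` under `spec.tier` in build/yamls/base/crds.yml, with nothing tying the two lists together; a name that drifts between them is accepted by the API server but silently ordered differently from what the author intended. Consider declaring the five names as constants next to the TierPriority values in antreatypes and keying the map with those, and add `// Keep in sync with the tier enum in build/yamls/base/crds.yml.` above the map so the coupling is visible. Also `it's priority` in the new comment should read `its priority`.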
@@ -155,6 +164,16 @@ func toAntreaIPBlockForCRD(ipBlock *secv1alpha1.IPBlock) (*networking.IPBlock, e
return antreaIPBlock, nil
}
+// getTierPriority retrieves the priority associated with the input Tier name.
+// If the Tier name is empty, by default, the lowest priority Application Tier
+// is returned.
+func getTierPriority(tier string) networking.TierPriority {
+ if tier == "" {
+ return antreatypes.TierApplication
+ }
+ return tierPriorityMap[tier]
+}
+
func (n *NetworkPolicyController) toAntreaPeerForCRD(peers []secv1alpha1.NetworkPolicyPeer, cnp *secv1alpha1.ClusterNetworkPolicy, dir networking.Direction) *networking.NetworkPolicyPeer {
var addressGroups []string
// Empty NetworkPolicyPeer is supposed to match all addresses.
@@ -253,6 +272,7 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *secv1alpha1.C
Priority: int32(idx),
})
}
+ tierPriority := getTierPriority(cnp.Spec.Tier)
internalNetworkPolicy := &antreatypes.NetworkPolicy{
Name: cnp.Name,
Namespace: "",
@@ -260,6 +280,7 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *secv1alpha1.C
AppliedToGroups: appliedToGroupNames,
Rules: rules,
Priority: &cnp.Spec.Priority,
+ TierPriority: &tierPriority,
}
return internalNetworkPolicy
}
diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go
index e880c93acf0..90db92f414a 100644
--- a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go
+++ b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go
@@ -232,6 +232,7 @@ func TestToAntreaPeerForCRD(t *testing.T) {
func TestProcessClusterNetworkPolicy(t *testing.T) {
p10 := float64(10)
+ appTier := antreatypes.TierApplication
allowAction := secv1alpha1.RuleActionAllow
protocolTCP := networking.ProtocolTCP
intstr80, intstr81 := intstr.FromInt(80), intstr.FromInt(81)
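Review bot: `getTierPriority` returns the zero value of `networking.TierPriority` for any name that is not a key of `tierPriorityMap`, and because the constants in `pkg/controller/types/networkpolicy.go` start at `iota + 1`, that zero sorts above `TierEmergency` — an unrecognized or misspelled tier name would be given the highest precedence of all instead of the lowest. Schema validation at admission may reject such names, but the controller should not depend on that; a comma-ok lookup with a fallback to `TierApplication` fails closed, covers the empty-string case as well, and removes the separate check. The two `processClusterNetworkPolicy` hunks that follow need no change once this is fixed, but the new table cases in the test file exercise every named tier and never an unknown one, so the fallback path is currently untested.
```go
// getTierPriority retrieves the priority associated with the input Tier name.
// An empty or unrecognized name maps to the lowest priority Application Tier:
// it must never yield the zero value, which would sort above TierEmergency.
func getTierPriority(tier string) networking.TierPriority {
	if p, ok := tierPriorityMap[tier]; ok {
		return p
	}
	return antreatypes.TierApplication
}
```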
@@ -289,10 +290,11 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
},
},
expectedPolicy: &antreatypes.NetworkPolicy{
- UID: "uidA",
- Name: "cnpA",
- Namespace: "",
- Priority: &p10,
+ UID: "uidA",
+ Name: "cnpA",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &appTier,
Rules: []networking.NetworkPolicyRule{
{
Direction: networking.DirectionIn,
@@ -368,10 +370,11 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
},
},
expectedPolicy: &antreatypes.NetworkPolicy{
- UID: "uidA",
- Name: "cnpA",
- Namespace: "",
- Priority: &p10,
+ UID: "uidA",
+ Name: "cnpA",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &appTier,
Rules: []networking.NetworkPolicyRule{
{
Direction: networking.DirectionIn,
@@ -429,6 +432,11 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
func TestAddCNP(t *testing.T) {
p10 := float64(10)
+ appTier := antreatypes.TierApplication
+ secOpsTier := antreatypes.TierSecurityOps
+ netOpsTier := antreatypes.TierNetworkOps
+ platformTier := antreatypes.TierPlatform
+ emergencyTier := antreatypes.TierEmergency
allowAction := secv1alpha1.RuleActionAllow
protocolTCP := networking.ProtocolTCP
intstr80, intstr81 := intstr.FromInt(80), intstr.FromInt(81)
@@ -446,6 +454,281 @@ func TestAddCNP(t *testing.T) {
expAppliedToGroups int
expAddressGroups int
}{
+ {
+ name: "application-tier-policy",
+ inputPolicy: &secv1alpha1.ClusterNetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{Name: "cnpA", UID: "uidA"},
+ Spec: secv1alpha1.ClusterNetworkPolicySpec{
+ AppliedTo: []secv1alpha1.NetworkPolicyPeer{
+ {PodSelector: &selectorA},
+ },
+ Priority: p10,
+ Tier: "Application",
+ Ingress: []secv1alpha1.Rule{
+ {
+ Ports: []secv1alpha1.NetworkPolicyPort{
+ {
+ Port: &intstr80,
+ },
+ },
+ From: []secv1alpha1.NetworkPolicyPeer{
+ {
+ PodSelector: &selectorB,
+ NamespaceSelector: &selectorC,
+ },
+ },
+ Action: &allowAction,
+ },
+ },
+ },
+ },
+ expPolicy: &antreatypes.NetworkPolicy{
+ UID: "uidA",
+ Name: "cnpA",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &appTier,
+ Rules: []networking.NetworkPolicyRule{
+ {
+ Direction: networking.DirectionIn,
+ From: networking.NetworkPolicyPeer{
+ AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, &selectorC).NormalizedName)},
+ },
+ Services: []networking.Service{
+ {
+ Protocol: &protocolTCP,
+ Port: &int80,
+ },
+ },
+ Priority: 0,
+ Action: &allowAction,
+ },
+ },
+ AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorA, nil).NormalizedName)},
+ },
+ expAppliedToGroups: 1,
+ expAddressGroups: 1,
+ },
+ {
+ name: "secops-tier-policy",
+ inputPolicy: &secv1alpha1.ClusterNetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{Name: "cnpB", UID: "uidB"},
+ Spec: secv1alpha1.ClusterNetworkPolicySpec{
+ AppliedTo: []secv1alpha1.NetworkPolicyPeer{
+ {PodSelector: &selectorA},
+ },
+ Priority: p10,
+ Tier: "SecurityOps",
+ Ingress: []secv1alpha1.Rule{
+ {
+ Ports: []secv1alpha1.NetworkPolicyPort{
+ {
+ Port: &intstr80,
+ },
+ },
+ From: []secv1alpha1.NetworkPolicyPeer{
+ {
+ PodSelector: &selectorB,
+ NamespaceSelector: &selectorC,
+ },
+ },
+ Action: &allowAction,
+ },
+ },
+ },
+ },
+ expPolicy: &antreatypes.NetworkPolicy{
+ UID: "uidB",
+ Name: "cnpB",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &secOpsTier,
+ Rules: []networking.NetworkPolicyRule{
+ {
+ Direction: networking.DirectionIn,
+ From: networking.NetworkPolicyPeer{
+ AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, &selectorC).NormalizedName)},
+ },
+ Services: []networking.Service{
+ {
+ Protocol: &protocolTCP,
+ Port: &int80,
+ },
+ },
+ Priority: 0,
+ Action: &allowAction,
+ },
+ },
+ AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorA, nil).NormalizedName)},
+ },
+ expAppliedToGroups: 1,
+ expAddressGroups: 1,
+ },
+ {
+ name: "netops-tier-policy",
+ inputPolicy: &secv1alpha1.ClusterNetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{Name: "cnpC", UID: "uidC"},
+ Spec: secv1alpha1.ClusterNetworkPolicySpec{
+ AppliedTo: []secv1alpha1.NetworkPolicyPeer{
+ {PodSelector: &selectorA},
+ },
+ Priority: p10,
+ Tier: "NetworkOps",
+ Ingress: []secv1alpha1.Rule{
+ {
+ Ports: []secv1alpha1.NetworkPolicyPort{
+ {
+ Port: &intstr80,
+ },
+ },
+ From: []secv1alpha1.NetworkPolicyPeer{
+ {
+ PodSelector: &selectorB,
+ NamespaceSelector: &selectorC,
+ },
+ },
+ Action: &allowAction,
+ },
+ },
+ },
+ },
+ expPolicy: &antreatypes.NetworkPolicy{
+ UID: "uidC",
+ Name: "cnpC",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &netOpsTier,
+ Rules: []networking.NetworkPolicyRule{
+ {
+ Direction: networking.DirectionIn,
+ From: networking.NetworkPolicyPeer{
+ AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, &selectorC).NormalizedName)},
+ },
+ Services: []networking.Service{
+ {
+ Protocol: &protocolTCP,
+ Port: &int80,
+ },
+ },
+ Priority: 0,
+ Action: &allowAction,
+ },
+ },
+ AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorA, nil).NormalizedName)},
+ },
+ expAppliedToGroups: 1,
+ expAddressGroups: 1,
+ },
+ {
+ name: "emergency-tier-policy",
+ inputPolicy: &secv1alpha1.ClusterNetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{Name: "cnpD", UID: "uidD"},
+ Spec: secv1alpha1.ClusterNetworkPolicySpec{
+ AppliedTo: []secv1alpha1.NetworkPolicyPeer{
+ {PodSelector: &selectorA},
+ },
+ Priority: p10,
+ Tier: "Emergency",
+ Ingress: []secv1alpha1.Rule{
+ {
+ Ports: []secv1alpha1.NetworkPolicyPort{
+ {
+ Port: &intstr80,
+ },
+ },
+ From: []secv1alpha1.NetworkPolicyPeer{
+ {
+ PodSelector: &selectorB,
+ NamespaceSelector: &selectorC,
+ },
+ },
+ Action: &allowAction,
+ },
+ },
+ },
+ },
+ expPolicy: &antreatypes.NetworkPolicy{
+ UID: "uidD",
+ Name: "cnpD",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &emergencyTier,
+ Rules: []networking.NetworkPolicyRule{
+ {
+ Direction: networking.DirectionIn,
+ From: networking.NetworkPolicyPeer{
+ AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, &selectorC).NormalizedName)},
+ },
+ Services: []networking.Service{
+ {
+ Protocol: &protocolTCP,
+ Port: &int80,
+ },
+ },
+ Priority: 0,
+ Action: &allowAction,
+ },
+ },
+ AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorA, nil).NormalizedName)},
+ },
+ expAppliedToGroups: 1,
+ expAddressGroups: 1,
+ },
+ {
+ name: "inter-tenant-tier-policy",
+ inputPolicy: &secv1alpha1.ClusterNetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{Name: "cnpE", UID: "uidE"},
+ Spec: secv1alpha1.ClusterNetworkPolicySpec{
+ AppliedTo: []secv1alpha1.NetworkPolicyPeer{
+ {PodSelector: &selectorA},
+ },
+ Priority: p10,
+ Tier: "Platform",
+ Ingress: []secv1alpha1.Rule{
+ {
+ Ports: []secv1alpha1.NetworkPolicyPort{
+ {
+ Port: &intstr80,
+ },
+ },
+ From: []secv1alpha1.NetworkPolicyPeer{
+ {
+ PodSelector: &selectorB,
+ NamespaceSelector: &selectorC,
+ },
+ },
+ Action: &allowAction,
+ },
+ },
+ },
+ },
+ expPolicy: &antreatypes.NetworkPolicy{
+ UID: "uidE",
+ Name: "cnpE",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &platformTier,
+ Rules: []networking.NetworkPolicyRule{
+ {
+ Direction: networking.DirectionIn,
+ From: networking.NetworkPolicyPeer{
+ AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, &selectorC).NormalizedName)},
+ },
+ Services: []networking.Service{
+ {
+ Protocol: &protocolTCP,
+ Port: &int80,
+ },
+ },
+ Priority: 0,
+ Action: &allowAction,
+ },
+ },
+ AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorA, nil).NormalizedName)},
+ },
+ expAppliedToGroups: 1,
+ expAddressGroups: 1,
+ },
{
name: "rules-with-same-selectors",
inputPolicy: &secv1alpha1.ClusterNetworkPolicy{
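Review bot: The fifth new table case sets `Tier: "Platform"` but is named `inter-tenant-tier-policy`, and it reuses `UID: "uidE"`, which the existing `rules-with-same-selectors` case in the next hunk already uses for `npE`; two policies sharing a UID in the same `addCNP` loop is exactly the kind of collision that can mask a store bug behind the count assertions. I would rename it `platform-tier-policy` and give it a UID not used elsewhere in the table, e.g. `"uidG"` (constructed). None of the new cases uses a tier name absent from `tierPriorityMap`, so the fallback behaviour of `getTierPriority` is never exercised; one such case with an expected `TierPriority` of `&appTier` would pin it.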
@@ -490,10 +773,11 @@ func TestAddCNP(t *testing.T) {
},
},
expPolicy: &antreatypes.NetworkPolicy{
- UID: "uidE",
- Name: "npE",
- Namespace: "",
- Priority: &p10,
+ UID: "uidE",
+ Name: "npE",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &appTier,
Rules: []networking.NetworkPolicyRule{
{
Direction: networking.DirectionIn,
@@ -569,10 +853,11 @@ func TestAddCNP(t *testing.T) {
},
},
expPolicy: &antreatypes.NetworkPolicy{
- UID: "uidF",
- Name: "npF",
- Namespace: "",
- Priority: &p10,
+ UID: "uidF",
+ Name: "npF",
+ Namespace: "",
+ Priority: &p10,
+ TierPriority: &appTier,
Rules: []networking.NetworkPolicyRule{
{
Direction: networking.DirectionIn,
@@ -633,9 +918,9 @@ func TestAddCNP(t *testing.T) {
for _, tt := range tests {
npc.addCNP(tt.inputPolicy)
}
- assert.Equal(t, 2, npc.GetNetworkPolicyNum(), "expected networkPolicy number is 2")
- assert.Equal(t, 3, npc.GetAddressGroupNum(), "expected addressGroup number is 3")
- assert.Equal(t, 1, npc.GetAppliedToGroupNum(), "appliedToGroup number is 1")
+ assert.Equal(t, 7, npc.GetNetworkPolicyNum(), "number of NetworkPolicies do not match")
+ assert.Equal(t, 3, npc.GetAddressGroupNum(), "number of AddressGroups do not match")
+ assert.Equal(t, 1, npc.GetAppliedToGroupNum(), "number of AppliedToGroups do not match")
}
func TestDeleteCNP(t *testing.T) {
diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go
index ee8e3ddbc06..f6ae1dad97d 100644
--- a/pkg/controller/networkpolicy/networkpolicy_controller.go
+++ b/pkg/controller/networkpolicy/networkpolicy_controller.go
@@ -1325,6 +1325,7 @@ func (n *NetworkPolicyController) syncInternalNetworkPolicy(key string) error {
Rules: internalNP.Rules,
AppliedToGroups: internalNP.AppliedToGroups,
Priority: internalNP.Priority,
+ TierPriority: internalNP.TierPriority,
SpanMeta: antreatypes.SpanMeta{NodeNames: nodeNames},
}
klog.V(4).Infof("Updating internal NetworkPolicy %s with %d Nodes", key, nodeNames.Len())
diff --git a/pkg/controller/networkpolicy/store/networkpolicy.go b/pkg/controller/networkpolicy/store/networkpolicy.go
index 415fd571140..77ff0a05eb8 100644
--- a/pkg/controller/networkpolicy/store/networkpolicy.go
+++ b/pkg/controller/networkpolicy/store/networkpolicy.go
@@ -113,6 +113,7 @@ func ToNetworkPolicyMsg(in *types.NetworkPolicy, out *networking.NetworkPolicy,
out.Rules = in.Rules
out.AppliedToGroups = in.AppliedToGroups
out.Priority = in.Priority
+ out.TierPriority = in.TierPriority
}
// NetworkPolicyKeyFunc knows how to get the key of a NetworkPolicy.
diff --git a/pkg/controller/types/networkpolicy.go b/pkg/controller/types/networkpolicy.go
index 3ba5832ab4c..ef3740fd0d8 100644
--- a/pkg/controller/types/networkpolicy.go
+++ b/pkg/controller/types/networkpolicy.go
@@ -37,6 +37,14 @@ func (meta *SpanMeta) Has(nodeName string) bool {
return meta.NodeNames.Has(nodeName)
}
+const (
+ TierEmergency networking.TierPriority = iota + 1
+ TierSecurityOps
+ TierNetworkOps
+ TierPlatform
+ TierApplication
+)
+
// GroupSelector describes how to select Pods.
type GroupSelector struct {
// The normalized name is calculated from Namespace, PodSelector, and NamespaceSelector.
@@ -100,4 +108,7 @@ type NetworkPolicy struct {
Rules []networking.NetworkPolicyRule
// AppliedToGroups is a list of names of AppliedToGroups to which this policy applies.
AppliedToGroups []string
+ // TierPriority represents the priority of the Tier associated with this Network
+ // Policy.
+ TierPriority *networking.TierPriority
}
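Review bot: The new exported `Tier*` constants in the `pkg/controller/types/networkpolicy.go` hunk carry no doc comment, and nothing in the code states that a smaller `TierPriority` is evaluated first or why the block starts at `iota + 1` (presumably so that the zero value never names a valid tier); both facts matter to anyone adding a tier or sorting by this field. I would put above the block `// Tier priorities in descending order of precedence: a lower value is evaluated first. The block starts at 1 so that the zero value never denotes a valid tier.` The `TierPriority` field comment on the `NetworkPolicy` struct at the end of the same file should also state the nil case the OpenAPI description in this change already documents, e.g. `// TierPriority is the priority of the Tier this policy belongs to; nil for a K8s NetworkPolicy, which is evaluated after all tiers.`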