ingress: Create FromGroups resource
Duplicates the structures in place to evaluate the toGroups resource into the ingress
section, allowing the creation of FromGroups. This means AWS SG groups can be
included as ingress resources and directly translated into fromCIDR rules.

Fixes: #30032
Signed-off-by: Alex Waring <ajmwaring@gmail.com>
Alex-Waring committed Feb 12, 2024
1 parent f44e000 commit 7f8c38b
Showing 15 changed files with 437 additions and 85 deletions.
Expand Up @@ -327,8 +327,8 @@ spec:
and the rule can select by multiple sub directives: \n Example:
toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"
items:
description: ToGroups structure to store all kinds of new
integrations that needs a new derivative policy.
description: Groups structure to store all kinds of new integrations
that needs a new derivative policy.
properties:
aws:
description: AWSGroup is an structure that can be used
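Review bot: the only change in this hunk is the items description going from "ToGroups structure" to "Groups structure", which reads as regenerated CRD output after the shared Go struct was renamed; since that doc comment is being regenerated into every copy of the schema anyway, fix its grammar at the source in the same pass ("that needs a new derivative policy" should read "that need", and "AWSGroup is an structure" should read "a structure") rather than carrying the slips into the new FromGroups schemas as well. Worth confirming the file was produced by the generator and not hand-edited, so the toGroups schema itself stays unchanged apart from the description text.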
Expand Down Expand Up @@ -1224,8 +1224,8 @@ spec:
and the rule can select by multiple sub directives: \n Example:
toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"
items:
description: ToGroups structure to store all kinds of new
integrations that needs a new derivative policy.
description: Groups structure to store all kinds of new integrations
that needs a new derivative policy.
properties:
aws:
description: AWSGroup is an structure that can be used
Expand Down Expand Up @@ -1576,6 +1576,36 @@ spec:
and FromEntities are mutually exclusive. Only one of these members
may be present within an individual rule."
properties:
FromGroups:
description: "FromGroups is a directive that allows the integration
with multiple outside providers. Currently, only AWS is supported,
and the rule can select by multiple sub directives: \n Example:
FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"
items:
description: Groups structure to store all kinds of new integrations
that needs a new derivative policy.
properties:
aws:
description: AWSGroup is an structure that can be used
to whitelisting information from AWS integration
properties:
labels:
additionalProperties:
type: string
type: object
region:
type: string
securityGroupsIds:
items:
type: string
type: array
securityGroupsNames:
items:
type: string
type: array
type: object
type: object
type: array
authentication:
description: Authentication is the required authentication type
for the allowed traffic, if any.
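Review bot: the new property key is `FromGroups` with a capital F, while every sibling key in the same properties map (`authentication` here, `fromCIDR` in the hunk at 2368) and the egress counterpart (`toGroups:` in the examples at 327 and 1224) is lower camelCase; that pattern almost always means the new field on the ingress rule struct is missing a `json:"fromGroups,omitempty"` tag, so the generator fell back to the Go field name and sorted the key ahead of `authentication`. Policy authors would then have to write `FromGroups:` in YAML, inconsistent with `toGroups:`. Suggest adding the json tag, regenerating, and changing the embedded example in the description from `FromGroups: - aws: ...` to `fromGroups: - aws: ...`. Separately, the mutual-exclusion sentence in the unchanged context just above ("FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually exclusive") is not updated in this hunk even though the equivalent description at 2368 is; the doc comment on the ingress rule type should receive the same update so the two schemas agree.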
Expand Down Expand Up @@ -2368,10 +2398,40 @@ spec:
members are set, all of them need to match in order for the rule
to take effect. The exception to this rule is FromRequires field;
the effects of any Requires field in any rule will apply to all
other rules as well. \n - FromEndpoints, FromCIDR, FromCIDRSet
and FromEntities are mutually exclusive. Only one of these members
may be present within an individual rule."
other rules as well. \n - FromEndpoints, FromCIDR, FromCIDRSet,
FromGroups and FromEntities are mutually exclusive. Only one of
these members may be present within an individual rule."
properties:
FromGroups:
description: "FromGroups is a directive that allows the integration
with multiple outside providers. Currently, only AWS is supported,
and the rule can select by multiple sub directives: \n Example:
FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"
items:
description: Groups structure to store all kinds of new integrations
that needs a new derivative policy.
properties:
aws:
description: AWSGroup is an structure that can be used
to whitelisting information from AWS integration
properties:
labels:
additionalProperties:
type: string
type: object
region:
type: string
securityGroupsIds:
items:
type: string
type: array
securityGroupsNames:
items:
type: string
type: array
type: object
type: object
type: array
fromCIDR:
description: "FromCIDR is a list of IP blocks which the endpoint
subject to the rule is allowed to receive connections from.
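Review bot: the description now declares FromGroups mutually exclusive with FromEndpoints, FromCIDR, FromCIDRSet and FromEntities, but a schema description is documentation only; given that the commit message says FromGroups is translated directly into fromCIDR rules, a rule that sets both `FromGroups` and `fromCIDR` would otherwise silently merge two CIDR sources into one allow rule. Please confirm that whatever validation already enforces this exclusivity for the existing members is extended to count FromGroups for ingress, and add a unit test asserting that a rule combining FromGroups with fromCIDR is rejected, so the behaviour matches what this text promises.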
Expand Down Expand Up @@ -3109,7 +3169,7 @@ spec:
supported, and the rule can select by multiple sub directives:
\n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"
items:
description: ToGroups structure to store all kinds of new
description: Groups structure to store all kinds of new
integrations that needs a new derivative policy.
properties:
aws:
Expand Down Expand Up @@ -4020,7 +4080,7 @@ spec:
supported, and the rule can select by multiple sub directives:
\n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"
items:
description: ToGroups structure to store all kinds of new
description: Groups structure to store all kinds of new
integrations that needs a new derivative policy.
properties:
aws:
Expand Down Expand Up @@ -4377,6 +4437,36 @@ spec:
Only one of these members may be present within an individual
rule."
properties:
FromGroups:
description: "FromGroups is a directive that allows the integration
with multiple outside providers. Currently, only AWS is
supported, and the rule can select by multiple sub directives:
\n Example: FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"
items:
description: Groups structure to store all kinds of new
integrations that needs a new derivative policy.
properties:
aws:
description: AWSGroup is an structure that can be used
to whitelisting information from AWS integration
properties:
labels:
additionalProperties:
type: string
type: object
region:
type: string
securityGroupsIds:
items:
type: string
type: array
securityGroupsNames:
items:
type: string
type: array
type: object
type: object
type: array
authentication:
description: Authentication is the required authentication
type for the allowed traffic, if any.
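Review bot: the `aws` object schema added here carries no `required` list and no `minProperties`, so an entry such as `- aws: {}` or one that sets only `region` passes CRD validation. On the ingress side such a selector decides which external CIDRs are permitted to reach the endpoint, so the resolver or sanitizer should define what an AWSGroup with none of `securityGroupsIds`, `securityGroupsNames` or `labels` resolves to and reject it if the answer is "every security group in the account"; a test for the empty-selector case would make that behaviour explicit.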
Expand Down Expand Up @@ -5181,10 +5271,40 @@ spec:
to match in order for the rule to take effect. The exception
to this rule is FromRequires field; the effects of any Requires
field in any rule will apply to all other rules as well. \n
- FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are
mutually exclusive. Only one of these members may be present
- FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities
are mutually exclusive. Only one of these members may be present
within an individual rule."
properties:
FromGroups:
description: "FromGroups is a directive that allows the integration
with multiple outside providers. Currently, only AWS is
supported, and the rule can select by multiple sub directives:
\n Example: FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"
items:
description: Groups structure to store all kinds of new
integrations that needs a new derivative policy.
properties:
aws:
description: AWSGroup is an structure that can be used
to whitelisting information from AWS integration
properties:
labels:
additionalProperties:
type: string
type: object
region:
type: string
securityGroupsIds:
items:
type: string
type: array
securityGroupsNames:
items:
type: string
type: array
type: object
type: object
type: array
fromCIDR:
description: "FromCIDR is a list of IP blocks which the endpoint
subject to the rule is allowed to receive connections from.
