Clusterwide K8s Cilium Network Policies #9381
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
aanm
reviewed
Oct 9, 2019
pkg/k8s/apis/cilium.io/v2/types.go
Outdated
| // CiliumGlobalNetworkPolicy is a Kubernetes third-party resource with an extended version | ||
| // of CiliumNetworkPolicy which is cluster scoped rather than namespace scoped. | ||
| type CiliumGlobalNetworkPolicy struct { | ||
| // +k8s:openapi-gen=false |
There was a problem hiding this comment.
If you do this we get all of the methods already implemented for CNP for free.
type CiliumGlobalNetworkPolicy struct {
CiliumNetworkPolicy
}
fristonio
force-pushed
the
pr/fristonio/global-policies
branch
2 times, most recently
from
8dc8a24 to
800d637
Compare
aanm
changed the title
fristonio
force-pushed
the
pr/fristonio/global-policies
branch
3 times, most recently
from
8b979c5 to
79f2142
Compare
fristonio
force-pushed
the
pr/fristonio/global-policies
branch
2 times, most recently
from
559fb57 to
2f59927
Compare
houndci-bot
reviewed
Oct 21, 2019
| k8sAPIGroupCRD = "CustomResourceDefinition" | ||
| k8sAPIGroupNodeV1Core = "core/v1::Node" | ||
| k8sAPIGroupNamespaceV1Core = "core/v1::Namespace" | ||
| K8sAPIGroupServiceV1Core = "core/v1::Service" |
There was a problem hiding this comment.
exported const K8sAPIGroupServiceV1Core should have comment (or a comment on this block) or be unexported
|
Hi @fristonio , sorry for moving the pr from draft, I had to check something in regards to CI failure. |
aanm
requested changes
Oct 22, 2019
pkg/k8s/apis/cilium.io/v2/types.go
Outdated
| // rules. This is similar to the parse function used in CiliumNetworkPolicy with | ||
| // the only difference that since the CRD is cluster scoped we don't send any namespace | ||
| // here. | ||
| func (r *CiliumClusterwideNetworkPolicy) Parse() (api.Rules, error) { |
There was a problem hiding this comment.
Was this removed in follow up commits?
pkg/k8s/apis/cilium.io/v2/types.go
Outdated
| } | ||
|
|
||
| // GetControllerName returns the unique name for the controller manager. | ||
| func (r *CiliumClusterwideNetworkPolicy) GetControllerName() string { |
There was a problem hiding this comment.
Was this removed in follow up commits?
pkg/k8s/apis/cilium.io/v2/types.go
Outdated
| } | ||
|
|
||
| // GetIdentityLabels returns all rule labels in the CiliumNetworkPolicy. | ||
| func (r *CiliumClusterwideNetworkPolicy) GetIdentityLabels() labels.LabelArray { |
There was a problem hiding this comment.
Was this removed in follow up commits?
pkg/k8s/apis/cilium.io/v2/types.go
Outdated
| @@ -276,58 +276,6 @@ type CiliumClusterwideNetworkPolicy struct { | |||
| CiliumNetworkPolicy | |||
| } | |||
|
|
|||
| // Parse parses a CiliumClusterwideNetworkPolicy and returns a list of cilium policy | |||
There was a problem hiding this comment.
you can squash this change with the previous commit
pkg/k8s/factory_functions.go
Outdated
| @@ -386,24 +387,39 @@ func ConvertToCNPWithStatus(obj interface{}) interface{} { | |||
| return &types.SlimCNP{ | |||
There was a problem hiding this comment.
Please create a new function dedicated for the conversion of CiliumClusterwideNetworkPolicy to types.SlimpCNP
fristonio
force-pushed
the
pr/fristonio/global-policies
branch
2 times, most recently
from
002ddd5 to
d39c134
Compare
|
test-me-please |
fristonio
force-pushed
the
pr/fristonio/global-policies
branch
from
a0df602 to
dd5297d
Compare
|
test-me-please |
fristonio
force-pushed
the
pr/fristonio/global-policies
branch
from
dd5297d to
1ac45e2
Compare
|
test-me-please |
fristonio
force-pushed
the
pr/fristonio/global-policies
branch
from
1ac45e2 to
9b16060
Compare
|
test-me-please |
1 similar comment
|
test-me-please |
fristonio
force-pushed
the
pr/fristonio/global-policies
branch
2 times, most recently
from
d8082f8 to
a96bdf9
Compare
|
test-me-please |
aanm
approved these changes
Nov 4, 2019
aanm
added
the
sig/k8s
|
test-me-please |
aanm
removed
the
sig/k8s
|
test-upstream-k8s |
|
test-missed-k8s previous test https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-K8s/2603/ |
|
test-missed-k8s |
|
test-upstream-k8s |
|
Upstream k8s tests got stuck: I hit this in a recent PR as well; re-running. |
|
test-upstream-k8s |
ianvernon
reviewed
Nov 6, 2019
Documentation/kubernetes/policy.rst
Outdated
| @@ -24,6 +24,11 @@ with Kubernetes: | |||
| `CustomResourceDefinition` which supports specification of policies | |||
| at Layers 3-7 for both ingress and egress. | |||
|
|
|||
| - The `CiliumClusterwideNetworkPolicy` format which is cluster scoped | |||
Documentation/kubernetes/policy.rst
Outdated
| @@ -24,6 +24,11 @@ with Kubernetes: | |||
| `CustomResourceDefinition` which supports specification of policies | |||
| at Layers 3-7 for both ingress and egress. | |||
|
|
|||
| - The `CiliumClusterwideNetworkPolicy` format which is cluster scoped | |||
| `CustomResourceDefinition` for specifying cluster wide policies to be enforced | |||
Documentation/kubernetes/policy.rst
Outdated
|
|
||
| `CiliumClusterwideNetworkPolicy` is same as that of `CiliumNetworkPolicy` with the only | ||
| difference in the scope of the policy. Policies defined by `CiliumClusterwideNetworkPolicy` | ||
| are non namespaced and are cluster scoped. Internally the policy is composed of |
There was a problem hiding this comment.
non-namespaces and are cluster-scoped.
Documentation/policy/language.rst
Outdated
| -------------------- | ||
|
|
||
| `CiliumNetworkPolicy` only allows to bind a policy restricted to a particular namespace. There can be situations | ||
| where one wants to have a cluster scoped effect of the policy, this can be done using cilium's |
Documentation/policy/language.rst
Outdated
| -------------------- | ||
|
|
||
| `CiliumNetworkPolicy` only allows to bind a policy restricted to a particular namespace. There can be situations | ||
| where one wants to have a cluster scoped effect of the policy, this can be done using cilium's |
There was a problem hiding this comment.
..., which can be done using Cilium's...
Documentation/policy/language.rst
Outdated
|
|
||
| `CiliumNetworkPolicy` only allows to bind a policy restricted to a particular namespace. There can be situations | ||
| where one wants to have a cluster scoped effect of the policy, this can be done using cilium's | ||
| `CiliumClusterwideNetworkPolicy` kubernetes custom resource. The specification of the policy is same as that |
Documentation/policy/language.rst
Outdated
| `CiliumNetworkPolicy` only allows to bind a policy restricted to a particular namespace. There can be situations | ||
| where one wants to have a cluster scoped effect of the policy, this can be done using cilium's | ||
| `CiliumClusterwideNetworkPolicy` kubernetes custom resource. The specification of the policy is same as that | ||
| of `CiliumNetworkPolicy` with the only difference that it is not namespaced. |
There was a problem hiding this comment.
with the only difference that it is not namespace --> except that it is not namespaced.
| CustomResourceDefinitionPluralName = "ciliumclusterwidenetworkpolicies" | ||
|
|
||
| // CustomResourceDefinitionShortNames are the abbreviated names to refer to this CRD's instances | ||
| CustomResourceDefinitionShortNames = []string{"ccnp", "ciliumcnp"} |
There was a problem hiding this comment.
I don't think ciliumcnp is necessary here - CNP is almost always used to abbeviate CiliumNetworkPolicy, while here it refers to ClusterwideNetworkPolicy. I'd prefer we keep only ccnp.
fristonio
force-pushed
the
pr/fristonio/global-policies
branch
2 times, most recently
from
581835d to
3ac09b4
Compare
|
test-me-please |
1 similar comment
|
test-me-please |
tgraf
requested changes
Nov 11, 2019
|
|
||
| // ResourceTypeCiliumClusterwideNetworkPolicy is the resource type used for the | ||
| // PolicyLabelDerivedFrom label | ||
| ResourceTypeCiliumClusterwideNetworkPolicy = "CiliumClusterwideNetworkPolicy" |
There was a problem hiding this comment.
I would call this CiliumClusterNetworkPolicy. It's shorter and also clear.
There was a problem hiding this comment.
Discussed offline. The naming was discussed in SIG-policy and the conclusion was CiliumClusterwideNetworkPolicy. I'm OK with this.
tgraf
approved these changes
Nov 11, 2019
tgraf
added
the
dont-merge/needs-rebase
* Add CiliumGlobalNetowrkPolicy type to Cilium k8s api client. * Update k8s utilities to incorporate changes corresponding to cilium global policies. Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
* Update k8s_watcher.go to include controller to watch for CiliumClusterwideNetworkPolicy CRD. * Update ExtractNamespace function in k8s utils to account for the fact that any object with empty namespace is a cluster scoped object and we should not automatically add default namespace to such objects. Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
* Added k8s manifests for ccnp polices to test common policies * Updated tests to include ccnp policy test manifests Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
fristonio
force-pushed
the
pr/fristonio/global-policies
branch
from
3ac09b4 to
1f7036f
Compare
|
test-me-please |
aanm
removed
the
dont-merge/needs-rebase
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #9200
CiliumClusterwideNetworkPolicyresource.This change is