diff --git a/crd/apis/network/v1/BUILD b/crd/apis/network/v1/BUILD new file mode 100644 index 0000000000..5d72147b2a --- /dev/null +++ b/crd/apis/network/v1/BUILD @@ -0,0 +1,32 @@ +load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") + +go_library( + name = "v1", + srcs = [ + "annotations.go", + "groupversion_info.go", + "network.go", + "network_types.go", + "networkinterface_types.go", + "zz_generated.deepcopy.go", + ], + importpath = "k8s.io/cloud-provider-gcp/crd/apis/network/v1", + visibility = ["//visibility:public"], + deps = [ + "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:meta", + "//vendor/k8s.io/apimachinery/pkg/runtime", + "//vendor/k8s.io/apimachinery/pkg/runtime/schema", + ], +) + +go_test( + name = "v1_test", + embed = [":v1"], + srcs = [ + "annotations_test.go", + ], + deps = [ + "//vendor/github.com/google/go-cmp/cmp", + ], +) + diff --git a/crd/apis/network/v1/annotations.go b/crd/apis/network/v1/annotations.go new file mode 100644 index 0000000000..75a522eea4 --- /dev/null +++ b/crd/apis/network/v1/annotations.go @@ -0,0 +1,147 @@ +package v1 + +import ( + "encoding/json" + "fmt" +) + +// Annotation definitions. +const ( + // DisableSourceValidationAnnotationKey is the annotation on pod to disable source IP validation on L2 interfaces. + // Useful when you want to assign new IPs onto the interface. + DisableSourceIPValidationAnnotationKey = "networking.gke.io/disable-source-ip-validation" + // DisableSourceValidationAnnotationValTrue is the value to disable source IP validation for the pod. + DisableSourceIPValidationAnnotationValTrue = "true" + // DefaultInterfaceAnnotationKey specifies the default route interface with interface name in pod. + // The IP of the gateway comes from network CRs. + DefaultInterfaceAnnotationKey = "networking.gke.io/default-interface" + // InterfaceAnnotationKey specifies interfaces for pod. + InterfaceAnnotationKey = "networking.gke.io/interfaces" + // NodeNetworkAnnotationKey is the key of the annotation which indicates the status of + // networks on the node. + NodeNetworkAnnotationKey = "networking.gke.io/network-status" + // PodIPsAnnotationKey is the key of the annotation which indicates additional pod IPs assigned to the pod. + PodIPsAnnotationKey = "networking.gke.io/pod-ips" + // NetworkAnnotationKey is the network annotation on NetworkPolicy object. + // Value for this key will be the network on which network policy should be enforced. + NetworkAnnotationKey = "networking.gke.io/network" + // NetworkInUseAnnotationKey is the annotation on Network object. + // It's used to indicate if the Network object is referenced by NetworkInterface/pod objects. + NetworkInUseAnnotationKey = "networking.gke.io/in-use" + // NetworkInUseAnnotationValTrue is the value to be set for NetworkInUseAnnotationKey to indicate + // the Network object is referenced by at least one NetworkInterface/pod object. + NetworkInUseAnnotationValTrue = "true" + // MultiNetworkAnnotationKey is the network annotation key used to hold network data per node, eg: PodCIDRs. + MultiNetworkAnnotationKey = "networking.gke.io/networks" + // AutoGenAnnotationKey is to indicate if the object is auto-generated. + AutoGenAnnotationKey = "networking.gke.io/auto-generated" + // AutoGenAnnotationValTrue is the value to be set for auto-generated objects. + AutoGenAnnotationValTrue = "true" +) + +// InterfaceAnnotation is the value of the interface annotation. +// +kubebuilder:object:generate:=false +type InterfaceAnnotation []InterfaceRef + +// InterfaceRef specifies the reference to network interface. +// All fields are mutual exclusive. +// Either Network or Interface field can be specified. +// +kubebuilder:object:generate:=false +type InterfaceRef struct { + // InterfaceName is the name of the interface in pod network namespace. + InterfaceName string `json:"interfaceName,omitempty"` + // Network refers to a network object within the cluster. + // When network is specified, NetworkInterface object is optionally generated with default configuration. + Network *string `json:"network,omitempty"` + // Interface reference the NetworkInterface object within the namespace. + Interface *string `json:"interface,omitempty"` +} + +// ParseInterfaceAnnotation parses the given annotation. +func ParseInterfaceAnnotation(annotation string) (InterfaceAnnotation, error) { + ret := &InterfaceAnnotation{} + err := json.Unmarshal([]byte(annotation), ret) + return *ret, err +} + +// MarshalAnnotation marshals any object into string using json.Marshal. +func MarshalAnnotation(a interface{}) (string, error) { + ret, err := json.Marshal(a) + if err != nil { + return "", fmt.Errorf("failed to marshal (%+v): %v", a, err) + } + return string(ret), nil +} + +// NodeNetworkAnnotation is the value of the network status annotation. +// +kubebuilder:object:generate:=false +type NodeNetworkAnnotation []NodeNetworkStatus + +// PodIPsAnnotation is the value of the pod IPs annotation. +// +kubebuilder:object:generate:=false +type PodIPsAnnotation []PodIP + +// MultiNetworkAnnotation is the value of networks annotation. +// +kubebuilder:object:generate:=false +type MultiNetworkAnnotation []NodeNetwork + +// NodeNetworkStatus specifies the status of a network. +// +kubebuilder:object:generate:=false +type NodeNetworkStatus struct { + // Name specifies the name of the network. + Name string `json:"name,omitempty"` + + // IPv4Subnet is the Node internal IPv4 subnet for the network. + IPv4Subnet string `json:"ipv4-subnet,omitempty"` + + // IPv6Subnet is the Node internal IPv6 subnet for the network. + IPv6Subnet string `json:"ipv6-subnet,omitempty"` +} + +// PodIP specifies the additional pod IPs assigned to the pod. +// This will eventually be merged into the `podIPs` field in PodStatus, so the fields must remain compatible. +// +kubebuilder:object:generate:=false +type PodIP struct { + // NetworkName refers to the network object associated with this IP. + NetworkName string `json:"networkName"` + + // IP is an IP address (IPv4 or IPv6) assigned to the pod. + IP string `json:"ip"` +} + +// NodeNetwork specifies network data on a node. +// +kubebuilder:object:generate:=false +type NodeNetwork struct { + // Name specifies the name of the network. + Name string `json:"name"` + // Cidrs denotes the IPv4/IPv6 ranges of the network. + Cidrs []string `json:"cidrs"` + // Scope specifies if the network is local to a node or global across a node pool. + Scope string `json:"scope"` +} + +// ParseNodeNetworkAnnotation parses the given annotation to NodeNetworkAnnotation. +func ParseNodeNetworkAnnotation(annotation string) (NodeNetworkAnnotation, error) { + ret := &NodeNetworkAnnotation{} + err := json.Unmarshal([]byte(annotation), ret) + return *ret, err +} + +// ParsePodIPsAnnotation parses the given annotation to PodIPsAnnotation. +func ParsePodIPsAnnotation(annotation string) (PodIPsAnnotation, error) { + ret := &PodIPsAnnotation{} + err := json.Unmarshal([]byte(annotation), ret) + return *ret, err +} + +// ParseMultiNetworkAnnotation parses given annotation to MultiNetworkAnnotation. +func ParseMultiNetworkAnnotation(annotation string) (MultiNetworkAnnotation, error) { + ret := &MultiNetworkAnnotation{} + err := json.Unmarshal([]byte(annotation), ret) + return *ret, err +} + +// MarshalNodeNetworkAnnotation marshals a NodeNetworkAnnotation into string. +func MarshalNodeNetworkAnnotation(a NodeNetworkAnnotation) (string, error) { + return MarshalAnnotation(a) +} diff --git a/crd/apis/network/v1/annotations_test.go b/crd/apis/network/v1/annotations_test.go new file mode 100644 index 0000000000..b8f19f39c6 --- /dev/null +++ b/crd/apis/network/v1/annotations_test.go @@ -0,0 +1,173 @@ +package v1 + +import ( + "testing" + + "github.com/google/go-cmp/cmp" +) + +func TestPodIPsAnnotation(t *testing.T) { + tests := []struct { + name string + input PodIPsAnnotation + expected string + }{ + { + name: "nil", + input: nil, + expected: "null", + }, + { + name: "empty list", + input: PodIPsAnnotation{}, + expected: "[]", + }, + { + name: "single pod IP", + input: PodIPsAnnotation{ + {NetworkName: "network-a", IP: "198.51.100.0"}, + }, + expected: `[{"networkName":"network-a","ip":"198.51.100.0"}]`, + }, + { + name: "missing network", + input: PodIPsAnnotation{ + {IP: "198.51.100.0"}, + }, + expected: `[{"networkName":"","ip":"198.51.100.0"}]`, + }, + { + name: "multiple pod IPs", + input: PodIPsAnnotation{ + {NetworkName: "network-a", IP: "198.51.100.0"}, + {NetworkName: "network-b", IP: "2001:db8::"}, + }, + expected: `[{"networkName":"network-a","ip":"198.51.100.0"},{"networkName":"network-b","ip":"2001:db8::"}]`, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + marshalled, err := MarshalAnnotation(tc.input) + if err != nil { + t.Fatalf("MarshalAnnotation(%+v) failed with error: %v", tc.input, err) + } + if marshalled != tc.expected { + t.Fatalf("MarshalAnnotation(%+v) returns %q but want %q", tc.input, marshalled, tc.expected) + } + + parsed, err := ParsePodIPsAnnotation(marshalled) + if err != nil { + t.Fatalf("ParsePodIPsAnnotation(%s) failed with error: %v", marshalled, err) + } + + if diff := cmp.Diff(parsed, tc.input); diff != "" { + t.Fatalf("ParsePodIPsAnnotation(%s) returns diff: (-got +want): %s", marshalled, diff) + } + }) + } +} + +func TestNodeNetworkAnnotation(t *testing.T) { + tests := []struct { + name string + input NodeNetworkAnnotation + expected string + }{ + { + name: "nil", + input: nil, + expected: "null", + }, + { + name: "empty list", + input: NodeNetworkAnnotation{}, + expected: "[]", + }, + { + name: "list with items", + input: NodeNetworkAnnotation{ + {Name: "network-a"}, + {Name: "network-b"}, + }, + expected: `[{"name":"network-a"},{"name":"network-b"}]`, + }, + { + name: "list with items with subnets", + input: NodeNetworkAnnotation{ + {Name: "network-a", IPv4Subnet: "198.51.100.0/24", IPv6Subnet: "2001:db8::/32"}, + {Name: "network-b", IPv4Subnet: "198.52.100.0/24", IPv6Subnet: "2001:db9::/32"}, + }, + expected: `[{"name":"network-a","ipv4-subnet":"198.51.100.0/24","ipv6-subnet":"2001:db8::/32"},{"name":"network-b","ipv4-subnet":"198.52.100.0/24","ipv6-subnet":"2001:db9::/32"}]`, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + marshalled, err := MarshalAnnotation(tc.input) + if err != nil { + t.Fatalf("MarshalAnnotation(%+v) failed with error: %v", tc.input, err) + } + if marshalled != tc.expected { + t.Fatalf("MarshalAnnotation(%+v) returns %q but want %q", tc.input, marshalled, tc.expected) + } + + parsed, err := ParseNodeNetworkAnnotation(marshalled) + if err != nil { + t.Fatalf("ParseNodeNetworkAnnotation(%s) failed with error: %v", marshalled, err) + } + + if diff := cmp.Diff(parsed, tc.input); diff != "" { + t.Fatalf("ParseNodeNetworkAnnotation(%s) returns diff: (-got +want): %s", marshalled, diff) + } + }) + } +} + +func TestParseMultiNetworkAnnotation(t *testing.T) { + tests := []struct { + name string + input MultiNetworkAnnotation + expected string + }{ + { + name: "nil", + input: nil, + expected: "null", + }, + { + name: "empty list", + input: MultiNetworkAnnotation{}, + expected: "[]", + }, + { + name: "list with items", + input: MultiNetworkAnnotation{ + {Name: "network-a", Cidrs: []string{"1.1.1.1/21"}, Scope: "host-local"}, + {Name: "network-b", Cidrs: []string{"2.2.2.2/12"}, Scope: "global"}, + }, + expected: `[{"name":"network-a","cidrs":["1.1.1.1/21"],"scope":"host-local"},{"name":"network-b","cidrs":["2.2.2.2/12"],"scope":"global"}]`, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + marshalled, err := MarshalAnnotation(tc.input) + if err != nil { + t.Fatalf("MarshalAnnotation(%+v) failed with error: %v", tc.input, err) + } + if marshalled != tc.expected { + t.Fatalf("MarshalAnnotation(%+v) returns %q but want %q", tc.input, marshalled, tc.expected) + } + + parsed, err := ParseMultiNetworkAnnotation(marshalled) + if err != nil { + t.Fatalf("ParseMultiNetworkAnnotation(%s) failed with error: %v", marshalled, err) + } + + if diff := cmp.Diff(parsed, tc.input); diff != "" { + t.Fatalf("ParseMultiNetworkAnnotation(%s) returns diff: (-got +want): %s", marshalled, diff) + } + }) + } +} diff --git a/crd/apis/network/v1/groupversion_info.go b/crd/apis/network/v1/groupversion_info.go new file mode 100644 index 0000000000..70060d1ed0 --- /dev/null +++ b/crd/apis/network/v1/groupversion_info.go @@ -0,0 +1,42 @@ +// Package v1 contains API Schema definitions for the networking v1 API group +// +kubebuilder:object:generate=true +// +groupName=networking.gke.io + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +var ( + // GroupVersion is group version used to register these objects + GroupVersion = schema.GroupVersion{Group: "networking.gke.io", Version: "v1"} + + schemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) + AddToScheme = schemeBuilder.AddToScheme +) + +// Kind names for the Network objects. +const ( + KindNetwork = "Network" + KindNetworkInterface = "NetworkInterface" +) + +// Adds the list of known types to Scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(GroupVersion, + &Network{}, + &NetworkList{}, + &NetworkInterface{}, + &NetworkInterfaceList{}, + ) + metav1.AddToGroupVersion(scheme, GroupVersion) + return nil +} + +// Kind takes an unqualified kind and returns back a Group qualified GroupKind +func Kind(kind string) schema.GroupKind { + return GroupVersion.WithKind(kind).GroupKind() +} diff --git a/crd/apis/network/v1/network.go b/crd/apis/network/v1/network.go new file mode 100644 index 0000000000..2c253be26c --- /dev/null +++ b/crd/apis/network/v1/network.go @@ -0,0 +1,30 @@ +package v1 + +import "fmt" + +// InterfaceName returns the expected host interface for this Network +// If vlanID is specified, the expected tagged interface Name is returned +// otherwise the user specified interfaceName is returned +func (n *Network) InterfaceName() (string, error) { + if n.Spec.NodeInterfaceMatcher.InterfaceName == nil || *n.Spec.NodeInterfaceMatcher.InterfaceName == "" { + return "", fmt.Errorf("invalid network %s: network.spec.nodeInterfaceMatcher.InterfaceName cannot be nil or empty", n.Name) + } + hostInterface := n.Spec.NodeInterfaceMatcher.InterfaceName + + if n.Spec.L2NetworkConfig == nil || n.Spec.L2NetworkConfig.VlanID == nil { + return *hostInterface, nil + } + + return fmt.Sprintf("%s.%d", *hostInterface, *n.Spec.L2NetworkConfig.VlanID), nil +} + +// DefaultNetworkIfEmpty takes a string corresponding to a network name and makes +// sure that if it is empty then it is set to the default network. This comes +// from the idea that a network is like a namespace, where an empty network is +// the same as the default. Use before comparisons of networks. +func DefaultNetworkIfEmpty(s string) string { + if s == "" { + return DefaultNetworkName + } + return s +} diff --git a/crd/apis/network/v1/network_types.go b/crd/apis/network/v1/network_types.go new file mode 100644 index 0000000000..cf4a1d4f96 --- /dev/null +++ b/crd/apis/network/v1/network_types.go @@ -0,0 +1,190 @@ +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +const ( + // DefaultNetworkName is the network used by the VETH interface. + DefaultNetworkName = "pod-network" + // NetworkResourceKeyPrefix is the prefix for extended resource + // name corresponding to the network. + // e.g. "networking.gke.io.networks/my-network.IP" + NetworkResourceKeyPrefix = "networking.gke.io.networks/" +) + +// NetworkType is the type of network. +// +kubebuilder:validation:Enum=L2;L3 +type NetworkType string + +const ( + // L2NetworkType enables L2 connectivity on the network. + L2NetworkType NetworkType = "L2" + // L3NetworkType enables L3 connectivity on the network. + L3NetworkType NetworkType = "L3" +) + +// LifecycleType defines who manages the lifecycle of the network. +// +kubebuilder:validation:Enum=AnthosManaged;UserManaged +type LifecycleType string + +const ( + // AnthosManagedLifecycle indicates that the Anthos will manage the Network + // lifecycle. + AnthosManagedLifecycle LifecycleType = "AnthosManaged" + // UserManaged indicates that the user will manage the Network + // Lifeycle and Anthos will not create or delete the network. + UserManagedLifecycle LifecycleType = "UserManaged" +) + +// ProviderType defines provider of the network. +// +kubebuilder:validation:Enum=GKE +type ProviderType string + +const ( + // GKE indicates network provider is "GKE" + GKE ProviderType = "GKE" +) + +// +genclient +// +genclient:nonNamespaced +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:resource:scope=Cluster +// +kubebuilder:storageversion +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// Network represent a logical network on the K8s Cluster. +// This logical network depends on the host networking setup on cluster nodes. +type Network struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec NetworkSpec `json:"spec,omitempty"` + Status NetworkStatus `json:"status,omitempty"` +} + +// NetworkSpec contains the specifications for network object +type NetworkSpec struct { + // Type defines type of network. + // Valid options include: L2, L3. + // L2 network type enables L2 connectivity on the network. + // L3 network type enables L3 connectivity on the network. + // +required + Type NetworkType `json:"type"` + + // Provider specifies the provider implementing this network, e.g. "GKE". + Provider *ProviderType `json:"provider,omitempty"` + + // NodeInterfaceMatcher defines the matcher to discover the corresponding node interface associated with the network. + // This field is required for L2 network. + // +optional + NodeInterfaceMatcher NodeInterfaceMatcher `json:"nodeInterfaceMatcher,omitempty"` + + // L2NetworkConfig includes all the network config related to L2 type network + // +optional + L2NetworkConfig *L2NetworkConfig `json:"l2NetworkConfig,omitempty"` + + // NetworkLifecycle specifies who manages the lifecycle of the network. + // This field can only be used when L2NetworkConfig.VlanID is specified. Otherwise the value will be ignored. If + // L2NetworkConfig.VlanID is specified and this field is empty, the value is assumed to be AnthosManaged. + // +optional + NetworkLifecycle *LifecycleType `json:"networkLifecycle,omitempty"` + + // Routes contains a list of routes for the network. + // +optional + Routes []Route `json:"routes,omitempty"` + + // Gateway4 defines the gateway IPv4 address for the network. + // Required if ExternalDHCP4 is false or not set on L2 type network. + // +optional + Gateway4 *string `json:"gateway4,omitempty"` + + // Specifies the DNS configuration of the network. + // Required if ExternalDHCP4 is false or not set on L2 type network. + // +optional + DNSConfig *DNSConfig `json:"dnsConfig,omitempty"` + + // ExternalDHCP4 indicates whether the IPAM is static or allocation by the external DHCP server + // +optional + ExternalDHCP4 *bool `json:"externalDHCP4,omitempty"` + + // ParametersRef is a reference to a resource that contains vendor or implementation specific + // configurations for the network. + // +optional + ParametersRef *NetworkParametersReference `json:"parametersRef,omitempty"` +} + +// NetworkParametersReference identifies an API object containing additional parameters for the network. +type NetworkParametersReference struct { + // Group is the API group of k8s resource, e.g. "networking.k8s.io". + Group string `json:"group"` + + // Kind is kind of the referent, e.g. "networkpolicy". + Kind string `json:"kind"` + + // Name is the name of the resource object. + Name string `json:"name"` + + // Namespace is the namespace of the referent. This field is required when referring to a + // Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + // +optional + Namespace *string `json:"namespace,omitempty"` +} + +// DNSConfig defines the DNS configuration of a network. +// The fields follow k8s pod dnsConfig structure: +// https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/api/core/v1/types.go#L3555 +type DNSConfig struct { + // A list of nameserver IP addresses. + // Duplicated nameservers will be removed. + // +required + // +kubebuilder:validation:MinItems:=1 + Nameservers []string `json:"nameservers"` + // A list of DNS search domains for host-name lookup. + // Duplicated search paths will be removed. + // +optional + Searches []string `json:"searches,omitempty"` +} + +// Route defines a routing table entry to a specific subnetwork. +type Route struct { + // To defines a destination IPv4 block in CIDR annotation. e.g. 192.168.0.0/24. + // The CIDR 0.0.0.0/0 will be rejected. + // +required + To string `json:"to"` +} + +// NetworkStatus contains the status information related to the network. +type NetworkStatus struct{} + +// NodeInterfaceMatcher defines criteria to find the matching interface on host networking. +type NodeInterfaceMatcher struct { + // InterfaceName specifies the interface name to search on the node. + // +kubebuilder:validation:MinLength=1 + // +optional + InterfaceName *string `json:"interfaceName,omitempty"` +} + +// L2NetworkConfig contains configurations for L2 type network. +type L2NetworkConfig struct { + // VlanID is the vlan ID used for the network. + // If unspecified, vlan tagging is not enabled. + // +optional + // +kubebuilder:validation:Maximum=4094 + // +kubebuilder:validation:Minimum=1 + VlanID *int32 `json:"vlanID,omitempty"` +} + +// +genclient +// +genclient:nonNamespaced +// +genclient:onlyVerbs=get +// +kubebuilder:object:root=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// NetworkList contains a list of Network resources. +type NetworkList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + // Items is a slice of Network resources. + Items []Network `json:"items"` +} diff --git a/crd/apis/network/v1/networkinterface_types.go b/crd/apis/network/v1/networkinterface_types.go new file mode 100644 index 0000000000..dc6edadf9a --- /dev/null +++ b/crd/apis/network/v1/networkinterface_types.go @@ -0,0 +1,80 @@ +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// +genclient +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp",description="The age of this resource" +// +kubebuilder:printcolumn:name="IP",type="string",JSONPath=".status.ipAddresses[0]",description="IP address assigned to this interface" +// +kubebuilder:printcolumn:name="MAC",type="string",JSONPath=".status.macAddress",description="MAC address assigned to this interface" +// +kubebuilder:printcolumn:name="NETWORK",type="string",JSONPath=".spec.networkName",description="The Network this interface connects to" +// +kubebuilder:storageversion +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// NetworkInterface defines the network interface for a pod to connect to a network. +type NetworkInterface struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec NetworkInterfaceSpec `json:"spec,omitempty"` + Status NetworkInterfaceStatus `json:"status,omitempty"` +} + +// NetworkInterfaceSpec is the specification for the NetworkInterface resource. +type NetworkInterfaceSpec struct { + // NetworkName refers to a network object that this NetworkInterface is connected. + // +required + // +kubebuilder:validation:MinLength=1 + NetworkName string `json:"networkName"` + + // IpAddresses specifies the static IP addresses on this NetworkInterface. + // Each IPAddress may contain subnet mask. If subnet mask is not included, /32 is taken as default. + // For example, IPAddress input 1.2.3.4 will be taken as 1.2.3.4/32. Alternatively, the input can be 1.2.3.4/24 + // with subnet mask of /24. + // +optional + IpAddresses []string `json:"ipAddresses,omitempty"` + + // Macddress specifies the static MAC address on this NetworkInterface. + // +optional + MacAddress *string `json:"macAddress,omitempty"` +} + +// NetworkInterfaceStatus is the status for the NetworkInterface resource. +type NetworkInterfaceStatus struct { + // IpAddresses are the IP addresses assigned to the NetworkInterface. + IpAddresses []string `json:"ipAddresses,omitempty"` + // MacAddress is the MAC address assigned to the NetworkInterface. + MacAddress string `json:"macAddress,omitempty"` + + // Routes contains a list of routes for the network this interface connects to. + Routes []Route `json:"routes,omitempty"` + + // Gateway4 defines the gateway IPv4 address for the network this interface connects to. + Gateway4 *string `json:"gateway4,omitempty"` + + // Specifies the DNS configuration of the network this interface connects to. + // +optional + DNSConfig *DNSConfig `json:"dnsConfig,omitempty"` + + // PodName specifies the current pod name this interface is connected to + // +optional + PodName *string `json:"podName,omitempty"` + + //// Conditions include the the conditions associated with this Interface + // Conditions []metav1.Condition `json:"conditions,omitempty"` +} + +// +genclient +// +genclient:onlyVerbs=get +// +kubebuilder:object:root=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// NetworkInterfaceList contains a list of NetworkInterface resources. +type NetworkInterfaceList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + // Items is a slice of NetworkInterface resources. + Items []NetworkInterface `json:"items"` +} diff --git a/crd/apis/network/v1/zz_generated.deepcopy.go b/crd/apis/network/v1/zz_generated.deepcopy.go new file mode 100644 index 0000000000..83e48e4278 --- /dev/null +++ b/crd/apis/network/v1/zz_generated.deepcopy.go @@ -0,0 +1,380 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by controller-gen. DO NOT EDIT. + +package v1 + +import ( + "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DNSConfig) DeepCopyInto(out *DNSConfig) { + *out = *in + if in.Nameservers != nil { + in, out := &in.Nameservers, &out.Nameservers + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Searches != nil { + in, out := &in.Searches, &out.Searches + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSConfig. +func (in *DNSConfig) DeepCopy() *DNSConfig { + if in == nil { + return nil + } + out := new(DNSConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *L2NetworkConfig) DeepCopyInto(out *L2NetworkConfig) { + *out = *in + if in.VlanID != nil { + in, out := &in.VlanID, &out.VlanID + *out = new(int32) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new L2NetworkConfig. +func (in *L2NetworkConfig) DeepCopy() *L2NetworkConfig { + if in == nil { + return nil + } + out := new(L2NetworkConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Network) DeepCopyInto(out *Network) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Network. +func (in *Network) DeepCopy() *Network { + if in == nil { + return nil + } + out := new(Network) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *Network) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkInterface) DeepCopyInto(out *NetworkInterface) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkInterface. +func (in *NetworkInterface) DeepCopy() *NetworkInterface { + if in == nil { + return nil + } + out := new(NetworkInterface) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *NetworkInterface) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkInterfaceList) DeepCopyInto(out *NetworkInterfaceList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]NetworkInterface, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkInterfaceList. +func (in *NetworkInterfaceList) DeepCopy() *NetworkInterfaceList { + if in == nil { + return nil + } + out := new(NetworkInterfaceList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *NetworkInterfaceList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkInterfaceSpec) DeepCopyInto(out *NetworkInterfaceSpec) { + *out = *in + if in.IpAddresses != nil { + in, out := &in.IpAddresses, &out.IpAddresses + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.MacAddress != nil { + in, out := &in.MacAddress, &out.MacAddress + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkInterfaceSpec. +func (in *NetworkInterfaceSpec) DeepCopy() *NetworkInterfaceSpec { + if in == nil { + return nil + } + out := new(NetworkInterfaceSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkInterfaceStatus) DeepCopyInto(out *NetworkInterfaceStatus) { + *out = *in + if in.IpAddresses != nil { + in, out := &in.IpAddresses, &out.IpAddresses + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Routes != nil { + in, out := &in.Routes, &out.Routes + *out = make([]Route, len(*in)) + copy(*out, *in) + } + if in.Gateway4 != nil { + in, out := &in.Gateway4, &out.Gateway4 + *out = new(string) + **out = **in + } + if in.DNSConfig != nil { + in, out := &in.DNSConfig, &out.DNSConfig + *out = new(DNSConfig) + (*in).DeepCopyInto(*out) + } + if in.PodName != nil { + in, out := &in.PodName, &out.PodName + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkInterfaceStatus. +func (in *NetworkInterfaceStatus) DeepCopy() *NetworkInterfaceStatus { + if in == nil { + return nil + } + out := new(NetworkInterfaceStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkList) DeepCopyInto(out *NetworkList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]Network, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkList. +func (in *NetworkList) DeepCopy() *NetworkList { + if in == nil { + return nil + } + out := new(NetworkList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *NetworkList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkParametersReference) DeepCopyInto(out *NetworkParametersReference) { + *out = *in + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkParametersReference. +func (in *NetworkParametersReference) DeepCopy() *NetworkParametersReference { + if in == nil { + return nil + } + out := new(NetworkParametersReference) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkSpec) DeepCopyInto(out *NetworkSpec) { + *out = *in + if in.Provider != nil { + in, out := &in.Provider, &out.Provider + *out = new(ProviderType) + **out = **in + } + in.NodeInterfaceMatcher.DeepCopyInto(&out.NodeInterfaceMatcher) + if in.L2NetworkConfig != nil { + in, out := &in.L2NetworkConfig, &out.L2NetworkConfig + *out = new(L2NetworkConfig) + (*in).DeepCopyInto(*out) + } + if in.NetworkLifecycle != nil { + in, out := &in.NetworkLifecycle, &out.NetworkLifecycle + *out = new(LifecycleType) + **out = **in + } + if in.Routes != nil { + in, out := &in.Routes, &out.Routes + *out = make([]Route, len(*in)) + copy(*out, *in) + } + if in.Gateway4 != nil { + in, out := &in.Gateway4, &out.Gateway4 + *out = new(string) + **out = **in + } + if in.DNSConfig != nil { + in, out := &in.DNSConfig, &out.DNSConfig + *out = new(DNSConfig) + (*in).DeepCopyInto(*out) + } + if in.ExternalDHCP4 != nil { + in, out := &in.ExternalDHCP4, &out.ExternalDHCP4 + *out = new(bool) + **out = **in + } + if in.ParametersRef != nil { + in, out := &in.ParametersRef, &out.ParametersRef + *out = new(NetworkParametersReference) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkSpec. +func (in *NetworkSpec) DeepCopy() *NetworkSpec { + if in == nil { + return nil + } + out := new(NetworkSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkStatus) DeepCopyInto(out *NetworkStatus) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkStatus. +func (in *NetworkStatus) DeepCopy() *NetworkStatus { + if in == nil { + return nil + } + out := new(NetworkStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NodeInterfaceMatcher) DeepCopyInto(out *NodeInterfaceMatcher) { + *out = *in + if in.InterfaceName != nil { + in, out := &in.InterfaceName, &out.InterfaceName + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeInterfaceMatcher. +func (in *NodeInterfaceMatcher) DeepCopy() *NodeInterfaceMatcher { + if in == nil { + return nil + } + out := new(NodeInterfaceMatcher) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Route) DeepCopyInto(out *Route) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Route. +func (in *Route) DeepCopy() *Route { + if in == nil { + return nil + } + out := new(Route) + in.DeepCopyInto(out) + return out +} diff --git a/crd/apis/network/v1alpha1/BUILD b/crd/apis/network/v1alpha1/BUILD new file mode 100644 index 0000000000..5ce17adfc2 --- /dev/null +++ b/crd/apis/network/v1alpha1/BUILD @@ -0,0 +1,32 @@ +load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") + +go_library( + name = "v1alpha1", + srcs = [ + "annotations.go", + "groupversion_info.go", + "network.go", + "network_types.go", + "networkinterface_types.go", + "zz_generated.deepcopy.go", + ], + importpath = "k8s.io/cloud-provider-gcp/crd/apis/network/v1alpha1", + visibility = ["//visibility:public"], + deps = [ + "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:meta", + "//vendor/k8s.io/apimachinery/pkg/runtime", + "//vendor/k8s.io/apimachinery/pkg/runtime/schema", + ], +) + +go_test( + name = "v1alpha1_test", + embed = [":v1alpha1"], + srcs = [ + "annotations_test.go", + ], + deps = [ + "//vendor/github.com/google/go-cmp/cmp", + ], +) + diff --git a/crd/apis/network/v1alpha1/annotations.go b/crd/apis/network/v1alpha1/annotations.go new file mode 100644 index 0000000000..ea8cbe2a04 --- /dev/null +++ b/crd/apis/network/v1alpha1/annotations.go @@ -0,0 +1,89 @@ +package v1alpha1 + +import ( + "encoding/json" + "fmt" +) + +// Annotations on pods. +const ( + // DisableSourceValidationAnnotationKey is the annotation on pod to disable source IP validation on L2 interfaces. + // Useful when you want to assign new IPs onto the interface. + DisableSourceIPValidationAnnotationKey = "networking.gke.io/disable-source-ip-validation" + // DisableSourceValidationAnnotationValTrue is the value to disable source IP validation for the pod. + DisableSourceIPValidationAnnotationValTrue = "true" + // DefaultInterfaceAnnotationKey specifies the default route interface with interface name in pod. + // The IP of the gateway comes from network CRs. + DefaultInterfaceAnnotationKey = "networking.gke.io/default-interface" + // InterfaceAnnotationKey specifies interfaces for pod. + InterfaceAnnotationKey = "networking.gke.io/interfaces" + // NodeNetworkAnnotationKey is the key of the annotation which indicates the status of + // networks on the node. + NodeNetworkAnnotationKey = "networking.gke.io/network-status" + // NetworkAnnotationKey is the network annotation on NetworkPolicy object. + // Value for this key will be the network on which network policy should be enforced. + NetworkAnnotationKey = "networking.gke.io/network" + // NetworkInUseAnnotationKey is the annotation on Network object. + // It's used to indicate if the Network object is referenced by NetworkInterface/pod objects. + NetworkInUseAnnotationKey = "networking.gke.io/in-use" + // NetworkInUseAnnotationValTrue is the value to be set for NetworkInUseAnnotationKey to indicate + // the Network object is referenced by at least one NetworkInterface/pod object. + NetworkInUseAnnotationValTrue = "true" +) + +// InterfaceAnnotation is the value of the interface annotation. +// +kubebuilder:object:generate:=false +type InterfaceAnnotation []InterfaceRef + +// InterfaceRef specifies the reference to network interface. +// All fields are mutual exclusive. +// Either Network or Interface field can be specified. +// +kubebuilder:object:generate:=false +type InterfaceRef struct { + // InterfaceName is the name of the interface in pod network namespace. + InterfaceName string `json:"interfaceName,omitempty"` + // Network refers to a network object within the cluster. + // When network is specified, NetworkInterface object is optionally generated with default configuration. + Network *string `json:"network,omitempty"` + // Interface reference the NetworkInterface object within the namespace. + Interface *string `json:"interface,omitempty"` +} + +// ParseInterfaceAnnotation parses the given annotation. +func ParseInterfaceAnnotation(annotation string) (InterfaceAnnotation, error) { + ret := &InterfaceAnnotation{} + err := json.Unmarshal([]byte(annotation), ret) + return *ret, err +} + +// MarshalAnnotation marshals any object into string using json.Marshal. +func MarshalAnnotation(a interface{}) (string, error) { + ret, err := json.Marshal(a) + if err != nil { + return "", fmt.Errorf("failed to marshal (%+v): %v", a, err) + } + return string(ret), nil +} + +// NodeNetworkAnnotation is the value of the network status annotation. +// +kubebuilder:object:generate:=false +type NodeNetworkAnnotation []NodeNetworkStatus + +// NodeNetworkStatus specifies the status of a network. +// +kubebuilder:object:generate:=false +type NodeNetworkStatus struct { + // Name specifies the name of the network. + Name string `json:"name,omitempty"` +} + +// ParseNodeNetworkAnnotation parses the given annotation to NodeNetworkAnnotation. +func ParseNodeNetworkAnnotation(annotation string) (NodeNetworkAnnotation, error) { + ret := &NodeNetworkAnnotation{} + err := json.Unmarshal([]byte(annotation), ret) + return *ret, err +} + +// MarshalNodeNetworkAnnotation marshals a NodeNetworkAnnotation into string. +func MarshalNodeNetworkAnnotation(a NodeNetworkAnnotation) (string, error) { + return MarshalAnnotation(a) +} diff --git a/crd/apis/network/v1alpha1/annotations_test.go b/crd/apis/network/v1alpha1/annotations_test.go new file mode 100644 index 0000000000..877db3379e --- /dev/null +++ b/crd/apis/network/v1alpha1/annotations_test.go @@ -0,0 +1,55 @@ +package v1alpha1 + +import ( + "testing" + + "github.com/google/go-cmp/cmp" +) + +func TestNodeNetworkAnnotation(t *testing.T) { + tests := []struct { + name string + input NodeNetworkAnnotation + expected string + }{ + { + name: "nil", + input: nil, + expected: "null", + }, + { + name: "empty list", + input: NodeNetworkAnnotation{}, + expected: "[]", + }, + { + name: "list with items", + input: NodeNetworkAnnotation{ + {Name: "network-a"}, + {Name: "network-b"}, + }, + expected: `[{"name":"network-a"},{"name":"network-b"}]`, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + marshalled, err := MarshalAnnotation(tc.input) + if err != nil { + t.Fatalf("MarshalAnnotation(%+v) failed with error: %v", tc.input, err) + } + if marshalled != tc.expected { + t.Fatalf("MarshalAnnotation(%+v) returns %q but want %q", tc.input, marshalled, tc.expected) + } + + parsed, err := ParseNodeNetworkAnnotation(marshalled) + if err != nil { + t.Fatalf("ParseNodeNetworkAnnotation(%s) failed with error: %v", marshalled, err) + } + + if diff := cmp.Diff(parsed, tc.input); diff != "" { + t.Fatalf("ParseNodeNetworkAnnotation(%s) returns diff: (-got +want): %s", marshalled, diff) + } + }) + } +} diff --git a/crd/apis/network/v1alpha1/groupversion_info.go b/crd/apis/network/v1alpha1/groupversion_info.go new file mode 100644 index 0000000000..e007a801a6 --- /dev/null +++ b/crd/apis/network/v1alpha1/groupversion_info.go @@ -0,0 +1,41 @@ +// Package v1alpha1 contains API Schema definitions for the networking v1alpha1 API group +// +kubebuilder:object:generate=true +// +groupName=networking.gke.io +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +var ( + // GroupVersion is group version used to register these objects + GroupVersion = schema.GroupVersion{Group: "networking.gke.io", Version: "v1alpha1"} + + schemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) + AddToScheme = schemeBuilder.AddToScheme +) + +// Kind names for the Network objects. +const ( + KindNetwork = "Network" + KindNetworkInterface = "NetworkInterface" +) + +// Adds the list of known types to Scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(GroupVersion, + &Network{}, + &NetworkList{}, + &NetworkInterface{}, + &NetworkInterfaceList{}, + ) + metav1.AddToGroupVersion(scheme, GroupVersion) + return nil +} + +// Kind takes an unqualified kind and returns back a Group qualified GroupKind +func Kind(kind string) schema.GroupKind { + return GroupVersion.WithKind(kind).GroupKind() +} diff --git a/crd/apis/network/v1alpha1/network.go b/crd/apis/network/v1alpha1/network.go new file mode 100644 index 0000000000..3f12f1b64e --- /dev/null +++ b/crd/apis/network/v1alpha1/network.go @@ -0,0 +1,19 @@ +package v1alpha1 + +import "fmt" + +// InterfaceName returns the expected host interface for this Network +// If vlanID is specified, the expected tagged interface Name is returned +// otherwise the user specified interfaceName is returned +func (n *Network) InterfaceName() (string, error) { + if n.Spec.NodeInterfaceMatcher.InterfaceName == nil || *n.Spec.NodeInterfaceMatcher.InterfaceName == "" { + return "", fmt.Errorf("invalid network %s: network.spec.nodeInterfaceMatcher.InterfaceName cannot be nil or empty", n.Name) + } + hostInterface := n.Spec.NodeInterfaceMatcher.InterfaceName + + if n.Spec.L2NetworkConfig == nil || n.Spec.L2NetworkConfig.VlanID == nil { + return *hostInterface, nil + } + + return fmt.Sprintf("%s.%d", *hostInterface, *n.Spec.L2NetworkConfig.VlanID), nil +} diff --git a/crd/apis/network/v1alpha1/network_types.go b/crd/apis/network/v1alpha1/network_types.go new file mode 100644 index 0000000000..b70b0a0b81 --- /dev/null +++ b/crd/apis/network/v1alpha1/network_types.go @@ -0,0 +1,151 @@ +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +const ( + // DefaultNetworkName is the network used by the VETH interface. + DefaultNetworkName = "pod-network" +) + +// NetworkType is the type of network. +// +kubebuilder:validation:Enum=L2;L3 +type NetworkType string + +const ( + // L2NetworkType enables L2 connectivity on the network. + L2NetworkType NetworkType = "L2" + // L3NetworkType enables L3 connectivity on the network. + L3NetworkType NetworkType = "L3" +) + +// LifecycleType defines who manages the lifecycle of the network. +// +kubebuilder:validation:Enum=AnthosManaged;UserManaged +type LifecycleType string + +const ( + // AnthosManagedLifecycle indicates that the Anthos will manage the Network + // lifecycle. + AnthosManagedLifecycle LifecycleType = "AnthosManaged" + // UserManaged indicates that the user will manage the Network + // Lifeycle and Anthos will not create or delete the network. + UserManagedLifecycle LifecycleType = "UserManaged" +) + +// +genclient +// +genclient:nonNamespaced +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:resource:scope=Cluster +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// Network represent a logical network on the K8s Cluster. +// This logical network depends on the host networking setup on cluster nodes. +type Network struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec NetworkSpec `json:"spec,omitempty"` + Status NetworkStatus `json:"status,omitempty"` +} + +// NetworkSpec contains the specifications for network object +type NetworkSpec struct { + // Type defines type of network. + // Valid options include: L2, L3. + // L2 network type enables L2 connectivity on the network. + // L3 network type enables L3 connectivity on the network. + // +required + Type NetworkType `json:"type"` + + // NodeInterfaceMatcher defines the matcher to discover the corresponding node interface associated with the network. + // This field is required for L2 network. + // +optional + NodeInterfaceMatcher NodeInterfaceMatcher `json:"nodeInterfaceMatcher,omitempty"` + + // L2NetworkConfig includes all the network config related to L2 type network + // +optional + L2NetworkConfig *L2NetworkConfig `json:"l2NetworkConfig,omitempty"` + + // NetworkLifecycle specifies who manages the lifecycle of the network. + // This field can only be used when L2NetworkConfig.VlanID is specified. Otherwise the value will be ignored. If + // L2NetworkConfig.VlanID is specified and this field is empty, the value is assumed to be AnthosManaged. + // +optional + NetworkLifecycle *LifecycleType `json:"networkLifecycle,omitempty"` + + // Routes contains a list of routes for the network. + // +optional + Routes []Route `json:"routes,omitempty"` + + // Gateway4 defines the gateway IPv4 address for the network. + // Required if ExternalDHCP4 is false or not set on L2 type network. + // +optional + Gateway4 *string `json:"gateway4,omitempty"` + + // Specifies the DNS configuration of the network. + // Required if ExternalDHCP4 is false or not set on L2 type network. + // +optional + DNSConfig *DNSConfig `json:"dnsConfig,omitempty"` + + // ExternalDHCP4 indicates whether the IPAM is static or allocation by the external DHCP server + // +optional + ExternalDHCP4 *bool `json:"externalDHCP4,omitempty"` +} + +// DNSConfig defines the DNS configuration of a network. +// The fields follow k8s pod dnsConfig structure: +// https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/api/core/v1/types.go#L3555 +type DNSConfig struct { + // A list of nameserver IP addresses. + // Duplicated nameservers will be removed. + // +required + // +kubebuilder:validation:MinItems:=1 + Nameservers []string `json:"nameservers"` + // A list of DNS search domains for host-name lookup. + // Duplicated search paths will be removed. + // +optional + Searches []string `json:"searches,omitempty"` +} + +// Route defines a routing table entry to a specific subnetwork. +type Route struct { + // To defines a destination IPv4 block in CIDR annotation. e.g. 192.168.0.0/24. + // The CIDR 0.0.0.0/0 will be rejected. + // +required + To string `json:"to"` +} + +// NetworkStatus contains the status information related to the network. +type NetworkStatus struct{} + +// NodeInterfaceMatcher defines criteria to find the matching interface on host networking. +type NodeInterfaceMatcher struct { + // InterfaceName specifies the interface name to search on the node. + // +kubebuilder:validation:MinLength=1 + // +optional + InterfaceName *string `json:"interfaceName,omitempty"` +} + +// L2NetworkConfig contains configurations for L2 type network. +type L2NetworkConfig struct { + // VlanID is the vlan ID used for the network. + // If unspecified, vlan tagging is not enabled. + // +optional + // +kubebuilder:validation:Maximum=4094 + // +kubebuilder:validation:Minimum=1 + VlanID *int32 `json:"vlanID,omitempty"` +} + +// +genclient +// +genclient:nonNamespaced +// +genclient:onlyVerbs=get +// +kubebuilder:object:root=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// NetworkList contains a list of Network resources. +type NetworkList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + // Items is a slice of Network resources. + Items []Network `json:"items"` +} diff --git a/crd/apis/network/v1alpha1/networkinterface_types.go b/crd/apis/network/v1alpha1/networkinterface_types.go new file mode 100644 index 0000000000..1b0845d4a8 --- /dev/null +++ b/crd/apis/network/v1alpha1/networkinterface_types.go @@ -0,0 +1,79 @@ +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// +genclient +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp",description="The age of this resource" +// +kubebuilder:printcolumn:name="IP",type="string",JSONPath=".status.ipAddresses[0]",description="IP address assigned to this interface" +// +kubebuilder:printcolumn:name="MAC",type="string",JSONPath=".status.macAddress",description="MAC address assigned to this interface" +// +kubebuilder:printcolumn:name="NETWORK",type="string",JSONPath=".spec.networkName",description="The Network this interface connects to" +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// NetworkInterface defines the network interface for a pod to connect to a network. +type NetworkInterface struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec NetworkInterfaceSpec `json:"spec,omitempty"` + Status NetworkInterfaceStatus `json:"status,omitempty"` +} + +// NetworkInterfaceSpec is the specification for the NetworkInterface resource. +type NetworkInterfaceSpec struct { + // NetworkName refers to a network object that this NetworkInterface is connected. + // +required + // +kubebuilder:validation:MinLength=1 + NetworkName string `json:"networkName"` + + // IpAddresses specifies the static IP addresses on this NetworkInterface. + // Each IPAddress may contain subnet mask. If subnet mask is not included, /32 is taken as default. + // For example, IPAddress input 1.2.3.4 will be taken as 1.2.3.4/32. Alternatively, the input can be 1.2.3.4/24 + // with subnet mask of /24. + // +optional + IpAddresses []string `json:"ipAddresses,omitempty"` + + // Macddress specifies the static MAC address on this NetworkInterface. + // +optional + MacAddress *string `json:"macAddress,omitempty"` +} + +// NetworkInterfaceStatus is the status for the NetworkInterface resource. +type NetworkInterfaceStatus struct { + // IpAddresses are the IP addresses assigned to the NetworkInterface. + IpAddresses []string `json:"ipAddresses,omitempty"` + // MacAddress is the MAC address assigned to the NetworkInterface. + MacAddress string `json:"macAddress,omitempty"` + + // Routes contains a list of routes for the network this interface connects to. + Routes []Route `json:"routes,omitempty"` + + // Gateway4 defines the gateway IPv4 address for the network this interface connects to. + Gateway4 *string `json:"gateway4,omitempty"` + + // Specifies the DNS configuration of the network this interface connects to. + // +optional + DNSConfig *DNSConfig `json:"dnsConfig,omitempty"` + + // PodName specifies the current pod name this interface is connected to + // +optional + PodName *string `json:"podName,omitempty"` + + //// Conditions include the the conditions associated with this Interface + // Conditions []metav1.Condition `json:"conditions,omitempty"` +} + +// +genclient +// +genclient:onlyVerbs=get +// +kubebuilder:object:root=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// NetworkInterfaceList contains a list of NetworkInterface resources. +type NetworkInterfaceList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + // Items is a slice of NetworkInterface resources. + Items []NetworkInterface `json:"items"` +} diff --git a/crd/apis/network/v1alpha1/zz_generated.deepcopy.go b/crd/apis/network/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 0000000000..8c6bcba48d --- /dev/null +++ b/crd/apis/network/v1alpha1/zz_generated.deepcopy.go @@ -0,0 +1,334 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Code generated by controller-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DNSConfig) DeepCopyInto(out *DNSConfig) { + *out = *in + if in.Nameservers != nil { + in, out := &in.Nameservers, &out.Nameservers + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Searches != nil { + in, out := &in.Searches, &out.Searches + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSConfig. +func (in *DNSConfig) DeepCopy() *DNSConfig { + if in == nil { + return nil + } + out := new(DNSConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *L2NetworkConfig) DeepCopyInto(out *L2NetworkConfig) { + *out = *in + if in.VlanID != nil { + in, out := &in.VlanID, &out.VlanID + *out = new(int32) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new L2NetworkConfig. +func (in *L2NetworkConfig) DeepCopy() *L2NetworkConfig { + if in == nil { + return nil + } + out := new(L2NetworkConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Network) DeepCopyInto(out *Network) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Network. +func (in *Network) DeepCopy() *Network { + if in == nil { + return nil + } + out := new(Network) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *Network) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkInterface) DeepCopyInto(out *NetworkInterface) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkInterface. +func (in *NetworkInterface) DeepCopy() *NetworkInterface { + if in == nil { + return nil + } + out := new(NetworkInterface) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *NetworkInterface) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkInterfaceList) DeepCopyInto(out *NetworkInterfaceList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]NetworkInterface, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkInterfaceList. +func (in *NetworkInterfaceList) DeepCopy() *NetworkInterfaceList { + if in == nil { + return nil + } + out := new(NetworkInterfaceList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *NetworkInterfaceList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkInterfaceSpec) DeepCopyInto(out *NetworkInterfaceSpec) { + *out = *in + if in.IpAddresses != nil { + in, out := &in.IpAddresses, &out.IpAddresses + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.MacAddress != nil { + in, out := &in.MacAddress, &out.MacAddress + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkInterfaceSpec. +func (in *NetworkInterfaceSpec) DeepCopy() *NetworkInterfaceSpec { + if in == nil { + return nil + } + out := new(NetworkInterfaceSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkInterfaceStatus) DeepCopyInto(out *NetworkInterfaceStatus) { + *out = *in + if in.IpAddresses != nil { + in, out := &in.IpAddresses, &out.IpAddresses + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Routes != nil { + in, out := &in.Routes, &out.Routes + *out = make([]Route, len(*in)) + copy(*out, *in) + } + if in.Gateway4 != nil { + in, out := &in.Gateway4, &out.Gateway4 + *out = new(string) + **out = **in + } + if in.DNSConfig != nil { + in, out := &in.DNSConfig, &out.DNSConfig + *out = new(DNSConfig) + (*in).DeepCopyInto(*out) + } + if in.PodName != nil { + in, out := &in.PodName, &out.PodName + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkInterfaceStatus. +func (in *NetworkInterfaceStatus) DeepCopy() *NetworkInterfaceStatus { + if in == nil { + return nil + } + out := new(NetworkInterfaceStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkList) DeepCopyInto(out *NetworkList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]Network, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkList. +func (in *NetworkList) DeepCopy() *NetworkList { + if in == nil { + return nil + } + out := new(NetworkList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *NetworkList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkSpec) DeepCopyInto(out *NetworkSpec) { + *out = *in + in.NodeInterfaceMatcher.DeepCopyInto(&out.NodeInterfaceMatcher) + if in.L2NetworkConfig != nil { + in, out := &in.L2NetworkConfig, &out.L2NetworkConfig + *out = new(L2NetworkConfig) + (*in).DeepCopyInto(*out) + } + if in.NetworkLifecycle != nil { + in, out := &in.NetworkLifecycle, &out.NetworkLifecycle + *out = new(LifecycleType) + **out = **in + } + if in.Routes != nil { + in, out := &in.Routes, &out.Routes + *out = make([]Route, len(*in)) + copy(*out, *in) + } + if in.Gateway4 != nil { + in, out := &in.Gateway4, &out.Gateway4 + *out = new(string) + **out = **in + } + if in.DNSConfig != nil { + in, out := &in.DNSConfig, &out.DNSConfig + *out = new(DNSConfig) + (*in).DeepCopyInto(*out) + } + if in.ExternalDHCP4 != nil { + in, out := &in.ExternalDHCP4, &out.ExternalDHCP4 + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkSpec. +func (in *NetworkSpec) DeepCopy() *NetworkSpec { + if in == nil { + return nil + } + out := new(NetworkSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkStatus) DeepCopyInto(out *NetworkStatus) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkStatus. +func (in *NetworkStatus) DeepCopy() *NetworkStatus { + if in == nil { + return nil + } + out := new(NetworkStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NodeInterfaceMatcher) DeepCopyInto(out *NodeInterfaceMatcher) { + *out = *in + if in.InterfaceName != nil { + in, out := &in.InterfaceName, &out.InterfaceName + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeInterfaceMatcher. +func (in *NodeInterfaceMatcher) DeepCopy() *NodeInterfaceMatcher { + if in == nil { + return nil + } + out := new(NodeInterfaceMatcher) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Route) DeepCopyInto(out *Route) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Route. +func (in *Route) DeepCopy() *Route { + if in == nil { + return nil + } + out := new(Route) + in.DeepCopyInto(out) + return out +} diff --git a/crd/config/crds/networking.gke.io_gcpfirewalls.yaml b/crd/config/crds/networking.gke.io_gcpfirewalls.yaml index ac5185a3a3..2d9d85cfcf 100644 --- a/crd/config/crds/networking.gke.io_gcpfirewalls.yaml +++ b/crd/config/crds/networking.gke.io_gcpfirewalls.yaml @@ -1,6 +1,6 @@ --- -apiVersion: apiextensions.k8s.io/v1 +apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: @@ -17,231 +17,227 @@ spec: - gf singular: gcpfirewall scope: Cluster - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: GCPFirewall describes a GCP firewall spec that can be used to - configure GCE firewalls. A GCPFirewallSpec will correspond 1:1 with a GCE - firewall rule. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'Spec is the desired configuration for GCP firewall More - info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - properties: - action: - default: ALLOW - description: Rule action of the firewall rule. Only allow action is - supported. If not specified, defaults to ALLOW. - enum: - - ALLOW - type: string - disabled: - description: If set to true, the GCPFirewall is not synced by the - controller. - type: boolean - ingress: - description: A collection of sources and destinations to determine - which ingress traffic is allowed. If source is nil or empty, the - traffic is allowed from all sources (0.0.0.0/0). If destination - is nil or empty, the traffic is allowed to all kubernetes cluster - entities (nodes, pods and services) from the specified sources. - If both are nil, the traffic is allowed from all sources (0.0.00/0) - to the cluster entities. - properties: - destination: - description: ' Destination specifies the target of the firewall - rule. If this field is empty, this rule allows traffic from - specified sources to all kubernetes cluster entities.' - properties: - ipBlocks: - description: IPBlocks specify the set of destination CIDRs - that the rule applies to. If this field is present and contains - at least one item, this rule allows traffic only if the - traffic matches at least one item in the list. If this field - is empty, this rule allows all destinations. Valid example - list items are "192.168.1.1/24" or "2001:db9::/64". - items: - description: CIDR defines a IP block. TODO(sugangli) Modify - the validation to include IPv6 CIDRs with FW 3.0 support. - pattern: ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$ - type: string - maxItems: 256 - minItems: 1 - type: array - type: object - source: - description: Source describes a peer to allow traffic from. - properties: - ipBlocks: - description: IPBlocks specify the set of source CIDR ranges - that the rule applies to. If this field is present and contains - at least one item, this rule allows traffic only if the - traffic matches at least one item in the list. If this field - is empty, this rule allows all sources. Valid example list - items are "192.168.1.1/24" or "2001:db9::/64". - items: - description: CIDR defines a IP block. TODO(sugangli) Modify - the validation to include IPv6 CIDRs with FW 3.0 support. - pattern: ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$ - type: string - maxItems: 256 - minItems: 1 - type: array - type: object - type: object - ports: - description: List of protocol/ ports which needs to be selected by - this rule. If this field is empty or missing, this rule matches - all protocol/ ports. If this field is present and contains at least - one item, then this rule allows traffic only if the traffic matches - at least one port in the list. - items: - description: ProtocolPort describes the protocol and ports to allow - traffic on. + validation: + openAPIV3Schema: + description: GCPFirewall describes a GCP firewall spec that can be used to configure + GCE firewalls. A GCPFirewallSpec will correspond 1:1 with a GCE firewall rule. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Spec is the desired configuration for GCP firewall More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + action: + description: Rule action of the firewall rule. Only allow action is + supported. If not specified, defaults to ALLOW. + enum: + - ALLOW + type: string + disabled: + description: If set to true, the GCPFirewall is not synced by the controller. + type: boolean + ingress: + description: A collection of sources and destinations to determine which + ingress traffic is allowed. If source is nil or empty, the traffic + is allowed from all sources (0.0.0.0/0). If destination is nil or + empty, the traffic is allowed to all kubernetes cluster entities (nodes, + pods and services) from the specified sources. If both are nil, the + traffic is allowed from all sources (0.0.00/0) to the cluster entities. + properties: + destination: + description: ' Destination specifies the target of the firewall + rule. If this field is empty, this rule allows traffic from specified + sources to all kubernetes cluster entities.' properties: - endPort: - description: EndPort is the last port of the port range that - is selected on the firewall rule targets. If StartPort is - not specified or greater than this value, then this field - is ignored. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - description: The protocol which the traffic must match. - enum: - - TCP - - UDP - - ICMP - - SCTP - - AH - - ESP - type: string - startPort: - description: StartPort is the starting port of the port range - that is selected on the firewall rule targets for the specified - protocol. If EndPort is not specified, this is the only port - selected. If StartPort is not provided, all ports are matched. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - protocol + ipBlocks: + description: IPBlocks specify the set of destination CIDRs that + the rule applies to. If this field is present and contains + at least one item, this rule allows traffic only if the traffic + matches at least one item in the list. If this field is empty, + this rule allows all destinations. Valid example list items + are "192.168.1.1/24" or "2001:db9::/64". + items: + description: CIDR defines a IP block. TODO(sugangli) Modify + the validation to include IPv6 CIDRs with FW 3.0 support. + pattern: ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$ + type: string + maxItems: 256 + minItems: 1 + type: array type: object - type: array - type: object - status: - description: 'Status is the runtime status of this GCP firewall More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - properties: - conditions: - description: Conditions describe the current condition of the firewall - rule. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" + source: + description: Source describes a peer to allow traffic from. properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type + ipBlocks: + description: IPBlocks specify the set of source CIDR ranges + that the rule applies to. If this field is present and contains + at least one item, this rule allows traffic only if the traffic + matches at least one item in the list. If this field is empty, + this rule allows all sources. Valid example list items are + "192.168.1.1/24" or "2001:db9::/64". + items: + description: CIDR defines a IP block. TODO(sugangli) Modify + the validation to include IPv6 CIDRs with FW 3.0 support. + pattern: ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$ + type: string + maxItems: 256 + minItems: 1 + type: array type: object - maxItems: 8 - type: array - x-kubernetes-list-map-keys: + type: object + ports: + description: List of protocol/ ports which needs to be selected by this + rule. If this field is empty or missing, this rule matches all protocol/ + ports. If this field is present and contains at least one item, then + this rule allows traffic only if the traffic matches at least one + port in the list. + items: + description: ProtocolPort describes the protocol and ports to allow + traffic on. + properties: + endPort: + description: EndPort is the last port of the port range that is + selected on the firewall rule targets. If StartPort is not specified + or greater than this value, then this field is ignored. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: The protocol which the traffic must match. + enum: + - TCP + - UDP + - ICMP + - SCTP + - AH + - ESP + type: string + startPort: + description: StartPort is the starting port of the port range + that is selected on the firewall rule targets for the specified + protocol. If EndPort is not specified, this is the only port + selected. If StartPort is not provided, all ports are matched. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - protocol + type: object + type: array + type: object + status: + description: 'Status is the runtime status of this GCP firewall More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + conditions: + description: Conditions describe the current condition of the firewall + rule. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a foo's + current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // + +patchStrategy=merge // +listType=map // +listMapKey=type + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details + about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers of + specific condition types may define expected values and meanings + for this field, and whether the values are considered a guaranteed + API. The value should be a CamelCase string. This field may + not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status - type - x-kubernetes-list-type: map - priority: - description: Priority of the GCP firewall rule. - format: int32 - type: integer - resourceURL: - description: Resource link for the GCE firewall rule. In case of FW - 3.0, this is the GCE Network Firewall Policy resource. - type: string - type: - description: Type specifies the underlying GCE firewall implementation - type. Takes one of the values from [VPC, REGIONAL, GLOBAL] - enum: - - VPC - - REGIONAL - - GLOBAL - type: string - type: object - type: object + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + priority: + description: Priority of the GCP firewall rule. + format: int32 + type: integer + resourceURL: + description: Resource link for the GCE firewall rule. In case of FW + 3.0, this is the GCE Network Firewall Policy resource. + type: string + type: + description: Type specifies the underlying GCE firewall implementation + type. Takes one of the values from [VPC, REGIONAL, GLOBAL] + enum: + - VPC + - REGIONAL + - GLOBAL + type: string + type: object + type: object + version: v1beta1 + versions: + - name: v1beta1 served: true storage: true status: diff --git a/crd/config/crds/networking.gke.io_networkinterfaces.yaml b/crd/config/crds/networking.gke.io_networkinterfaces.yaml new file mode 100644 index 0000000000..baed81eb36 --- /dev/null +++ b/crd/config/crds/networking.gke.io_networkinterfaces.yaml @@ -0,0 +1,143 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.0 + creationTimestamp: null + name: networkinterfaces.networking.gke.io +spec: + group: networking.gke.io + names: + kind: NetworkInterface + listKind: NetworkInterfaceList + plural: networkinterfaces + singular: networkinterface + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The age of this resource + jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - description: IP address assigned to this interface + jsonPath: .status.ipAddresses[0] + name: IP + type: string + - description: MAC address assigned to this interface + jsonPath: .status.macAddress + name: MAC + type: string + - description: The Network this interface connects to + jsonPath: .spec.networkName + name: NETWORK + type: string + name: v1 + schema: + openAPIV3Schema: + description: NetworkInterface defines the network interface for a pod to connect + to a network. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NetworkInterfaceSpec is the specification for the NetworkInterface + resource. + properties: + ipAddresses: + description: IpAddresses specifies the static IP addresses on this + NetworkInterface. Each IPAddress may contain subnet mask. If subnet + mask is not included, /32 is taken as default. For example, IPAddress + input 1.2.3.4 will be taken as 1.2.3.4/32. Alternatively, the input + can be 1.2.3.4/24 with subnet mask of /24. + items: + type: string + type: array + macAddress: + description: Macddress specifies the static MAC address on this NetworkInterface. + type: string + networkName: + description: NetworkName refers to a network object that this NetworkInterface + is connected. + minLength: 1 + type: string + required: + - networkName + type: object + status: + description: NetworkInterfaceStatus is the status for the NetworkInterface + resource. + properties: + dnsConfig: + description: Specifies the DNS configuration of the network this interface + connects to. + properties: + nameservers: + description: A list of nameserver IP addresses. Duplicated nameservers + will be removed. + items: + type: string + minItems: 1 + type: array + searches: + description: A list of DNS search domains for host-name lookup. + Duplicated search paths will be removed. + items: + type: string + type: array + required: + - nameservers + type: object + gateway4: + description: Gateway4 defines the gateway IPv4 address for the network + this interface connects to. + type: string + ipAddresses: + description: IpAddresses are the IP addresses assigned to the NetworkInterface. + items: + type: string + type: array + macAddress: + description: MacAddress is the MAC address assigned to the NetworkInterface. + type: string + podName: + description: PodName specifies the current pod name this interface + is connected to + type: string + routes: + description: Routes contains a list of routes for the network this + interface connects to. + items: + description: Route defines a routing table entry to a specific subnetwork. + properties: + to: + description: To defines a destination IPv4 block in CIDR annotation. + e.g. 192.168.0.0/24. The CIDR 0.0.0.0/0 will be rejected. + type: string + required: + - to + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/crd/config/crds/networking.gke.io_networks.yaml b/crd/config/crds/networking.gke.io_networks.yaml new file mode 100644 index 0000000000..af2d552712 --- /dev/null +++ b/crd/config/crds/networking.gke.io_networks.yaml @@ -0,0 +1,168 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.0 + creationTimestamp: null + name: networks.networking.gke.io +spec: + group: networking.gke.io + names: + kind: Network + listKind: NetworkList + plural: networks + singular: network + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Network represent a logical network on the K8s Cluster. This + logical network depends on the host networking setup on cluster nodes. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NetworkSpec contains the specifications for network object + properties: + dnsConfig: + description: Specifies the DNS configuration of the network. Required + if ExternalDHCP4 is false or not set on L2 type network. + properties: + nameservers: + description: A list of nameserver IP addresses. Duplicated nameservers + will be removed. + items: + type: string + minItems: 1 + type: array + searches: + description: A list of DNS search domains for host-name lookup. + Duplicated search paths will be removed. + items: + type: string + type: array + required: + - nameservers + type: object + externalDHCP4: + description: ExternalDHCP4 indicates whether the IPAM is static or + allocation by the external DHCP server + type: boolean + gateway4: + description: Gateway4 defines the gateway IPv4 address for the network. + Required if ExternalDHCP4 is false or not set on L2 type network. + type: string + l2NetworkConfig: + description: L2NetworkConfig includes all the network config related + to L2 type network + properties: + vlanID: + description: VlanID is the vlan ID used for the network. If unspecified, + vlan tagging is not enabled. + format: int32 + maximum: 4094 + minimum: 1 + type: integer + type: object + networkLifecycle: + description: NetworkLifecycle specifies who manages the lifecycle + of the network. This field can only be used when L2NetworkConfig.VlanID + is specified. Otherwise the value will be ignored. If L2NetworkConfig.VlanID + is specified and this field is empty, the value is assumed to be + AnthosManaged. + enum: + - AnthosManaged + - UserManaged + type: string + nodeInterfaceMatcher: + description: NodeInterfaceMatcher defines the matcher to discover + the corresponding node interface associated with the network. This + field is required for L2 network. + properties: + interfaceName: + description: InterfaceName specifies the interface name to search + on the node. + minLength: 1 + type: string + type: object + parametersRef: + description: ParametersRef is a reference to a resource that contains + vendor or implementation specific configurations for the network. + properties: + group: + description: Group is the API group of k8s resource, e.g. "networking.k8s.io". + type: string + kind: + description: Kind is kind of the referent, e.g. "networkpolicy". + type: string + name: + description: Name is the name of the resource object. + type: string + namespace: + description: Namespace is the namespace of the referent. This + field is required when referring to a Namespace-scoped resource + and MUST be unset when referring to a Cluster-scoped resource. + type: string + required: + - group + - kind + - name + type: object + provider: + description: Provider specifies the provider implementing this network, + e.g. "GKE". + enum: + - GKE + type: string + routes: + description: Routes contains a list of routes for the network. + items: + description: Route defines a routing table entry to a specific subnetwork. + properties: + to: + description: To defines a destination IPv4 block in CIDR annotation. + e.g. 192.168.0.0/24. The CIDR 0.0.0.0/0 will be rejected. + type: string + required: + - to + type: object + type: array + type: + description: 'Type defines type of network. Valid options include: + L2, L3. L2 network type enables L2 connectivity on the network. + L3 network type enables L3 connectivity on the network.' + enum: + - L2 + - L3 + type: string + required: + - type + type: object + status: + description: NetworkStatus contains the status information related to + the network. + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/crd/hack/update-codegen.sh b/crd/hack/update-codegen.sh index c2a6fb7697..50e6d472f0 100755 --- a/crd/hack/update-codegen.sh +++ b/crd/hack/update-codegen.sh @@ -49,6 +49,21 @@ fi readonly COMMON_FLAGS="${VERIFY_FLAG:-} --go-header-file ${SCRIPT_ROOT}/hack/boilerplate.go.txt" +generate_config() { + local crd_name version apis_pkg + crd_name=${1} + version=${2} + apis_pkg=${APIS_BASE_PKG}/${1}/${2} + + echo "Performing code generation for ${crd_name} CRD" + echo "Generating deepcopy functions and CRD artifacts" + go run sigs.k8s.io/controller-tools/cmd/controller-gen \ + object:headerFile=${SCRIPT_ROOT}/hack/boilerplate.go.txt \ + crd:crdVersions=$version \ + paths=${apis_pkg}/... \ + output:crd:artifacts:config=${SCRIPT_ROOT}/config/crds +} + codegen_for () { local crd_name version apis_pkg output_pkg @@ -64,13 +79,7 @@ codegen_for () { output_pkg=${OUTPUT_BASE_PKG}/${1} apis_pkg=${APIS_BASE_PKG}/${1}/${2} - echo "Performing code generation for ${crd_name} CRD" - echo "Generating deepcopy functions and CRD artifacts" - go run sigs.k8s.io/controller-tools/cmd/controller-gen \ - object:headerFile=${SCRIPT_ROOT}/hack/boilerplate.go.txt \ - crd:crdVersions=v1 \ - paths=${apis_pkg}/... \ - output:crd:artifacts:config=${SCRIPT_ROOT}/config/crds + generate_config $crd_name $version echo "Generating clientset at ${output_pkg}/${CLIENTSET_PKG_NAME}" echo "apis_pkg ${apis_pkg}" @@ -103,4 +112,5 @@ codegen_for () { ${COMMON_FLAGS} } -codegen_for gcpfirewall v1beta1 \ No newline at end of file +codegen_for gcpfirewall v1beta1 +generate_config network v1