ANP global policies

Author: Joseph Chen

Makefile

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # Image URL to use all building/pushing image targets
-IMG ?= public.ecr.aws/eks/amazon-network-policy-controller-k8s:v1.0.2
+IMG ?= public.ecr.aws/q1l2n4k8/npc:anp
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.26.1
 # ARCHS define the target architectures for the controller image be build

adminpol.yaml

@@ -48,6 +48,9 @@ type Port struct {
 
 // EndpointInfo defines the network endpoint information for the policy ingress/egress
 type EndpointInfo struct {
+	// Action is the action to enforce on an IP/CIDR (Allow, Deny, Pass)
+	Action string `json:"action"`
+
 	// CIDR is the network address(s) of the endpoint
 	CIDR NetworkAddress `json:"cidr"`
 
@@ -72,6 +75,15 @@ type PodEndpoint struct {
 
 // PolicyEndpointSpec defines the desired state of PolicyEndpoint
 type PolicyEndpointSpec struct {
+	// IsGlobal specifies whether the parent policy is an admin policy
+	IsGlobal bool `json:"isGlobal"`
+
+	// Namespaces of the pod selector, will be empty for cluster wide
+	Namespaces []string `json:"namespaces"`
+
+	// Priority of the policy, lower value is higher priority
+	Priority int `json:"priority"`
+
 	// PodSelector is the podSelector from the policy resource
 	PodSelector *metav1.LabelSelector `json:"podSelector,omitempty"`
 

api/v1alpha1/policyendpoint_types.go

@@ -1,11 +1,9 @@
+---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  creationTimestamp: null
-  labels:
-    app.kubernetes.io/name: amazon-network-policy-controller-k8s
+    controller-gen.kubebuilder.io/version: v0.12.1
   name: policyendpoints.networking.k8s.aws
 spec:
   group: networking.k8s.aws
@@ -43,6 +41,8 @@ spec:
                   description: EndpointInfo defines the network endpoint information
                     for the policy ingress/egress
                   properties:
+                    action:
+                      type: string
                     cidr:
                       description: CIDR is the network address(s) of the endpoint
                       type: string
@@ -77,6 +77,7 @@ spec:
                         type: object
                       type: array
                   required:
+                  - action
                   - cidr
                   type: object
                 type: array
@@ -87,6 +88,8 @@ spec:
                   description: EndpointInfo defines the network endpoint information
                     for the policy ingress/egress
                   properties:
+                    action:
+                      type: string
                     cidr:
                       description: CIDR is the network address(s) of the endpoint
                       type: string
@@ -121,9 +124,18 @@ spec:
                         type: object
                       type: array
                   required:
+                  - action
                   - cidr
                   type: object
                 type: array
+              isGlobal:
+                type: boolean
+              namespaces:
+                description: Namespaces of the pod selector, will be empty for cluster
+                  wide
+                items:
+                  type: string
+                type: array
               podIsolation:
                 description: PodIsolation specifies whether the pod needs to be isolated
                   for a particular traffic direction Ingress or Egress, or both. If
@@ -164,11 +176,13 @@ spec:
                           items:
                             type: string
                           type: array
+                          x-kubernetes-list-type: atomic
                       required:
                       - key
                       - operator
                       type: object
                     type: array
+                    x-kubernetes-list-type: atomic
                   matchLabels:
                     additionalProperties:
                       type: string
@@ -221,8 +235,12 @@ spec:
                 - name
                 - namespace
                 type: object
+              priority:
+                type: integer
             required:
+            - isGlobal
             - policyRef
+            - priority
             type: object
           status:
             description: PolicyEndpointStatus defines the observed state of PolicyEndpoint
@@ -231,4 +249,4 @@ spec:
     served: true
     storage: true
     subresources:
-      status: {}
+      status: {}

charts/amazon-network-policy-controller-k8s/crds/crds.yaml

@@ -116,6 +116,16 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - policy.networking.k8s.io
+  resources:
+  - adminnetworkpolicies
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/amazon-network-policy-controller-k8s/templates/rbac.yaml

@@ -43,6 +43,7 @@ import (
 	"github.com/aws/amazon-network-policy-controller-k8s/pkg/policyendpoints"
 	"github.com/aws/amazon-network-policy-controller-k8s/pkg/utils/configmap"
 	"github.com/aws/amazon-network-policy-controller-k8s/pkg/version"
+	adminnetworking "sigs.k8s.io/network-policy-api/apis/v1alpha1"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -55,6 +56,8 @@ func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
 	utilruntime.Must(policyinfo.AddToScheme(scheme))
+
+	utilruntime.Must(adminnetworking.AddToScheme(scheme))
 	//+kubebuilder:scaffold:scheme
 }
 
@@ -121,12 +124,19 @@ func main() {
 	finalizerManager := k8s.NewDefaultFinalizerManager(mgr.GetClient(), ctrl.Log.WithName("finalizer-manager"))
 	policyController := controllers.NewPolicyReconciler(mgr.GetClient(), policyEndpointsManager,
 		controllerCFG, finalizerManager, ctrl.Log.WithName("controllers").WithName("policy"))
+	adminPolicyController := controllers.NewAdminPolicyReconciler(mgr.GetClient(), policyEndpointsManager,
+		controllerCFG, finalizerManager, ctrl.Log.WithName("controllers").WithName("admin-policy"))
 	if enableNetworkPolicyController {
 		setupLog.Info("Network Policy controller is enabled, starting watches")
 		if err := policyController.SetupWithManager(ctx, mgr); err != nil {
 			setupLog.Error(err, "Unable to setup network policy controller")
 			os.Exit(1)
 		}
+		setupLog.Info("Admin Network Policy controller is enabled, starting watches")
+		if err := adminPolicyController.SetupWithManager(ctx, mgr); err != nil {
+			setupLog.Error(err, "Unable to setup admin network policy controller")
+			os.Exit(1)
+		}
 	}
 
 	//+kubebuilder:scaffold:builder

cmd/main.go

@@ -18,6 +18,7 @@ spec:
     spec:
       containers:
         - image: controller:latest
+          imagePullPolicy: Always
           args:
             - --enable-configmap-check=false
           name: controller

config/controller/controller.yaml

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: public.ecr.aws/eks/amazon-network-policy-controller-k8s
-  newTag: v0.5.0
+  newName: public.ecr.aws/q1l2n4k8/npc
+  newTag: anp

config/controller/kustomization.yaml

@@ -46,6 +46,8 @@ spec:
                   description: EndpointInfo defines the network endpoint information
                     for the policy ingress/egress
                   properties:
+                    action:
+                      type: string
                     cidr:
                       description: CIDR is the network address(s) of the endpoint
                       type: string
@@ -80,6 +82,7 @@ spec:
                         type: object
                       type: array
                   required:
+                  - action
                   - cidr
                   type: object
                 type: array
@@ -90,6 +93,8 @@ spec:
                   description: EndpointInfo defines the network endpoint information
                     for the policy ingress/egress
                   properties:
+                    action:
+                      type: string
                     cidr:
                       description: CIDR is the network address(s) of the endpoint
                       type: string
@@ -124,9 +129,18 @@ spec:
                         type: object
                       type: array
                   required:
+                  - action
                   - cidr
                   type: object
                 type: array
+              isGlobal:
+                type: boolean
+              namespaces:
+                description: Namespaces of the pod selector, will be empty for cluster
+                  wide
+                items:
+                  type: string
+                type: array
               podIsolation:
                 description: |-
                   PodIsolation specifies whether the pod needs to be isolated for a
@@ -227,8 +241,13 @@ spec:
                 - name
                 - namespace
                 type: object
+              priority:
+                type: integer
             required:
+            - isGlobal
+            - namespaces
             - policyRef
+            - priority
             type: object
           status:
             description: PolicyEndpointStatus defines the observed state of PolicyEndpoint

config/crd/bases/networking.k8s.aws_policyendpoints.yaml

@@ -64,6 +64,16 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - policy.networking.k8s.io
+  resources:
+  - adminnetworkpolicies
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

config/rbac/role.yaml

@@ -20,6 +20,7 @@ require (
 	k8s.io/apimachinery v0.30.1
 	k8s.io/client-go v0.30.1
 	sigs.k8s.io/controller-runtime v0.18.3
+	sigs.k8s.io/network-policy-api v0.1.5
 )
 
 require (

go.mod

@@ -199,6 +199,8 @@ sigs.k8s.io/controller-runtime v0.18.3 h1:B5Wmmo8WMWK7izei+2LlXLVDGzMwAHBNLX68lw
 sigs.k8s.io/controller-runtime v0.18.3/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/network-policy-api v0.1.5 h1:xyS7VAaM9EfyB428oFk7WjWaCK6B129i+ILUF4C8l6E=
+sigs.k8s.io/network-policy-api v0.1.5/go.mod h1:D7Nkr43VLNd7iYryemnj8qf0N/WjBzTZDxYA+g4u1/Y=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=