Add PolicyTypes to NetworkPolicy Spec
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
This commit is contained in:
		| @@ -121,7 +121,6 @@ pkg/apis/imagepolicy | ||||
| pkg/apis/imagepolicy/v1alpha1 | ||||
| pkg/apis/meta/v1 | ||||
| pkg/apis/networking | ||||
| pkg/apis/networking/v1 | ||||
| pkg/apis/policy | ||||
| pkg/apis/policy/v1alpha1 | ||||
| pkg/apis/policy/v1beta1 | ||||
|   | ||||
| @@ -109,6 +109,8 @@ func TestDefaulting(t *testing.T) { | ||||
| 		{Group: "apps", Version: "v1beta2", Kind: "ReplicaSetList"}:                                                  {}, | ||||
| 		{Group: "extensions", Version: "v1beta1", Kind: "ReplicaSet"}:                                                {}, | ||||
| 		{Group: "extensions", Version: "v1beta1", Kind: "ReplicaSetList"}:                                            {}, | ||||
| 		{Group: "extensions", Version: "v1beta1", Kind: "NetworkPolicy"}:                                             {}, | ||||
| 		{Group: "extensions", Version: "v1beta1", Kind: "NetworkPolicyList"}:                                         {}, | ||||
| 		{Group: "rbac.authorization.k8s.io", Version: "v1alpha1", Kind: "ClusterRoleBinding"}:                        {}, | ||||
| 		{Group: "rbac.authorization.k8s.io", Version: "v1alpha1", Kind: "ClusterRoleBindingList"}:                    {}, | ||||
| 		{Group: "rbac.authorization.k8s.io", Version: "v1alpha1", Kind: "RoleBinding"}:                               {}, | ||||
|   | ||||
| @@ -291,6 +291,15 @@ func Convert_v1beta1_NetworkPolicySpec_To_networking_NetworkPolicySpec(in *exten | ||||
| 			return err | ||||
| 		} | ||||
| 	} | ||||
| 	if in.PolicyTypes != nil { | ||||
| 		in, out := &in.PolicyTypes, &out.PolicyTypes | ||||
| 		*out = make([]networking.PolicyType, len(*in)) | ||||
| 		for i := range *in { | ||||
| 			if err := s.Convert(&(*in)[i], &(*out)[i], 0); err != nil { | ||||
| 				return err | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| @@ -310,6 +319,15 @@ func Convert_networking_NetworkPolicySpec_To_v1beta1_NetworkPolicySpec(in *netwo | ||||
| 			return err | ||||
| 		} | ||||
| 	} | ||||
| 	if in.PolicyTypes != nil { | ||||
| 		in, out := &in.PolicyTypes, &out.PolicyTypes | ||||
| 		*out = make([]extensionsv1beta1.PolicyType, len(*in)) | ||||
| 		for i := range *in { | ||||
| 			if err := s.Convert(&(*in)[i], &(*out)[i], 0); err != nil { | ||||
| 				return err | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
|   | ||||
| @@ -133,4 +133,12 @@ func SetDefaults_NetworkPolicy(obj *extensionsv1beta1.NetworkPolicy) { | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	if len(obj.Spec.PolicyTypes) == 0 { | ||||
| 		// Any policy that does not specify policyTypes implies at least "Ingress". | ||||
| 		obj.Spec.PolicyTypes = []extensionsv1beta1.PolicyType{extensionsv1beta1.PolicyTypeIngress} | ||||
| 		if len(obj.Spec.Egress) != 0 { | ||||
| 			obj.Spec.PolicyTypes = append(obj.Spec.PolicyTypes, extensionsv1beta1.PolicyTypeEgress) | ||||
| 		} | ||||
| 	} | ||||
| } | ||||
|   | ||||
| @@ -509,6 +509,210 @@ func TestDefaultRequestIsNotSetForReplicaSet(t *testing.T) { | ||||
| 	} | ||||
| } | ||||
|  | ||||
| func TestSetDefaultNetworkPolicy(t *testing.T) { | ||||
| 	tests := []struct { | ||||
| 		original *extensionsv1beta1.NetworkPolicy | ||||
| 		expected *extensionsv1beta1.NetworkPolicy | ||||
| 	}{ | ||||
| 		{ // Empty NetworkPolicy should be set to PolicyTypes Ingress | ||||
| 			original: &extensionsv1beta1.NetworkPolicy{ | ||||
| 				Spec: extensionsv1beta1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 				}, | ||||
| 			}, | ||||
| 			expected: &extensionsv1beta1.NetworkPolicy{ | ||||
| 				Spec: extensionsv1beta1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					PolicyTypes: []extensionsv1beta1.PolicyType{extensionsv1beta1.PolicyTypeIngress}, | ||||
| 				}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ // Empty Ingress NetworkPolicy should be set to PolicyTypes Ingress | ||||
| 			original: &extensionsv1beta1.NetworkPolicy{ | ||||
| 				Spec: extensionsv1beta1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Ingress: []extensionsv1beta1.NetworkPolicyIngressRule{}, | ||||
| 				}, | ||||
| 			}, | ||||
| 			expected: &extensionsv1beta1.NetworkPolicy{ | ||||
| 				Spec: extensionsv1beta1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Ingress:     []extensionsv1beta1.NetworkPolicyIngressRule{}, | ||||
| 					PolicyTypes: []extensionsv1beta1.PolicyType{extensionsv1beta1.PolicyTypeIngress}, | ||||
| 				}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ // Defined Ingress and Egress should be set to Ingress,Egress | ||||
| 			original: &extensionsv1beta1.NetworkPolicy{ | ||||
| 				Spec: extensionsv1beta1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Ingress: []extensionsv1beta1.NetworkPolicyIngressRule{ | ||||
| 						{ | ||||
| 							From: []extensionsv1beta1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									PodSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 					Egress: []extensionsv1beta1.NetworkPolicyEgressRule{ | ||||
| 						{ | ||||
| 							To: []extensionsv1beta1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 				}, | ||||
| 			}, | ||||
| 			expected: &extensionsv1beta1.NetworkPolicy{ | ||||
| 				Spec: extensionsv1beta1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Ingress: []extensionsv1beta1.NetworkPolicyIngressRule{ | ||||
| 						{ | ||||
| 							From: []extensionsv1beta1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									PodSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 					Egress: []extensionsv1beta1.NetworkPolicyEgressRule{ | ||||
| 						{ | ||||
| 							To: []extensionsv1beta1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 					PolicyTypes: []extensionsv1beta1.PolicyType{extensionsv1beta1.PolicyTypeIngress, extensionsv1beta1.PolicyTypeEgress}, | ||||
| 				}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ // Egress only with unset PolicyTypes should be set to Ingress, Egress | ||||
| 			original: &extensionsv1beta1.NetworkPolicy{ | ||||
| 				Spec: extensionsv1beta1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Egress: []extensionsv1beta1.NetworkPolicyEgressRule{ | ||||
| 						{ | ||||
| 							To: []extensionsv1beta1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 				}, | ||||
| 			}, | ||||
| 			expected: &extensionsv1beta1.NetworkPolicy{ | ||||
| 				Spec: extensionsv1beta1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Egress: []extensionsv1beta1.NetworkPolicyEgressRule{ | ||||
| 						{ | ||||
| 							To: []extensionsv1beta1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 					PolicyTypes: []extensionsv1beta1.PolicyType{extensionsv1beta1.PolicyTypeIngress, extensionsv1beta1.PolicyTypeEgress}, | ||||
| 				}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ // Egress only with PolicyTypes set to Egress should be set to only Egress | ||||
| 			original: &extensionsv1beta1.NetworkPolicy{ | ||||
| 				Spec: extensionsv1beta1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Egress: []extensionsv1beta1.NetworkPolicyEgressRule{ | ||||
| 						{ | ||||
| 							To: []extensionsv1beta1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"Egress": "only"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 					PolicyTypes: []extensionsv1beta1.PolicyType{extensionsv1beta1.PolicyTypeEgress}, | ||||
| 				}, | ||||
| 			}, | ||||
| 			expected: &extensionsv1beta1.NetworkPolicy{ | ||||
| 				Spec: extensionsv1beta1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Egress: []extensionsv1beta1.NetworkPolicyEgressRule{ | ||||
| 						{ | ||||
| 							To: []extensionsv1beta1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"Egress": "only"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 					PolicyTypes: []extensionsv1beta1.PolicyType{extensionsv1beta1.PolicyTypeEgress}, | ||||
| 				}, | ||||
| 			}, | ||||
| 		}, | ||||
| 	} | ||||
|  | ||||
| 	for i, test := range tests { | ||||
| 		original := test.original | ||||
| 		expected := test.expected | ||||
| 		obj2 := roundTrip(t, runtime.Object(original)) | ||||
| 		got, ok := obj2.(*extensionsv1beta1.NetworkPolicy) | ||||
| 		if !ok { | ||||
| 			t.Errorf("(%d) unexpected object: %v", i, got) | ||||
| 			t.FailNow() | ||||
| 		} | ||||
| 		if !apiequality.Semantic.DeepEqual(got.Spec, expected.Spec) { | ||||
| 			t.Errorf("(%d) got different than expected\ngot:\n\t%+v\nexpected:\n\t%+v", i, got.Spec, expected.Spec) | ||||
| 		} | ||||
| 	} | ||||
| } | ||||
|  | ||||
| func roundTrip(t *testing.T, obj runtime.Object) runtime.Object { | ||||
| 	data, err := runtime.Encode(api.Codecs.LegacyCodec(SchemeGroupVersion), obj) | ||||
| 	if err != nil { | ||||
|   | ||||
| @@ -36,5 +36,13 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} { | ||||
| 				} | ||||
| 			} | ||||
| 		}, | ||||
| 		func(np *networking.NetworkPolicy, c fuzz.Continue) { | ||||
| 			c.FuzzNoCustom(np) // fuzz self without calling this function again | ||||
| 			// TODO: Implement a fuzzer to generate valid keys, values and operators for | ||||
| 			// selector requirements. | ||||
| 			if len(np.Spec.PolicyTypes) == 0 { | ||||
| 				np.Spec.PolicyTypes = []networking.PolicyType{networking.PolicyTypeIngress} | ||||
| 			} | ||||
| 		}, | ||||
| 	} | ||||
| } | ||||
|   | ||||
| @@ -36,6 +36,17 @@ type NetworkPolicy struct { | ||||
| 	Spec NetworkPolicySpec | ||||
| } | ||||
|  | ||||
| // Policy Type string describes the NetworkPolicy type | ||||
| // This type is beta-level in 1.8 | ||||
| type PolicyType string | ||||
|  | ||||
| const ( | ||||
| 	// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods | ||||
| 	PolicyTypeIngress PolicyType = "Ingress" | ||||
| 	// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods | ||||
| 	PolicyTypeEgress PolicyType = "Egress" | ||||
| ) | ||||
|  | ||||
| // NetworkPolicySpec provides the specification of a NetworkPolicy | ||||
| type NetworkPolicySpec struct { | ||||
| 	// Selects the pods to which this NetworkPolicy object applies. The array of | ||||
| @@ -60,10 +71,24 @@ type NetworkPolicySpec struct { | ||||
| 	// allowed if there are no NetworkPolicies selecting the pod (and cluster policy | ||||
| 	// otherwise allows the traffic), OR if the traffic matches at least one egress rule | ||||
| 	// across all of the NetworkPolicy objects whose podSelector matches the pod. If | ||||
| 	// this field is empty then this NetworkPolicy does not limit any outgoing traffic | ||||
| 	// (and serves solely to ensure that the pods it selects does not allow any outgoing traffic.) | ||||
| 	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves | ||||
| 	// solely to ensure that the pods it selects are isolated by default). | ||||
| 	// This field is beta-level in 1.8 | ||||
| 	// +optional | ||||
| 	Egress []NetworkPolicyEgressRule | ||||
|  | ||||
| 	// List of rule types that the NetworkPolicy relates to. | ||||
| 	// Valid options are Ingress, Egress, or Ingress,Egress. | ||||
| 	// If this field is not specified, it will default based on the existence of Ingress or Egress rules; | ||||
| 	// policies that contain an Egress section are assumed to affect Egress, and all policies | ||||
| 	// (whether or not they contain an Ingress section) are assumed to affect Ingress. | ||||
| 	// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. | ||||
| 	// Likewise, if you want to write a policy that specifies that no egress is allowed, | ||||
| 	// you must specify a policyTypes value that include "Egress" (since such a policy would not include | ||||
| 	// an Egress section and would otherwise default to just [ "Ingress" ]). | ||||
| 	// This field is beta-level in 1.8 | ||||
| 	// +optional | ||||
| 	PolicyTypes []PolicyType | ||||
| } | ||||
|  | ||||
| // NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods | ||||
| @@ -88,6 +113,7 @@ type NetworkPolicyIngressRule struct { | ||||
|  | ||||
| // NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods | ||||
| // matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. | ||||
| // This type is beta-level in 1.8 | ||||
| type NetworkPolicyEgressRule struct { | ||||
| 	// List of destination ports for outgoing traffic. | ||||
| 	// Each item in this list is combined using a logical OR. If this field is | ||||
|   | ||||
| @@ -33,3 +33,13 @@ func SetDefaults_NetworkPolicyPort(obj *networkingv1.NetworkPolicyPort) { | ||||
| 		obj.Protocol = &proto | ||||
| 	} | ||||
| } | ||||
|  | ||||
| func SetDefaults_NetworkPolicy(obj *networkingv1.NetworkPolicy) { | ||||
| 	if len(obj.Spec.PolicyTypes) == 0 { | ||||
| 		// Any policy that does not specify policyTypes implies at least "Ingress". | ||||
| 		obj.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeIngress} | ||||
| 		if len(obj.Spec.Egress) != 0 { | ||||
| 			obj.Spec.PolicyTypes = append(obj.Spec.PolicyTypes, networkingv1.PolicyTypeEgress) | ||||
| 		} | ||||
| 	} | ||||
| } | ||||
|   | ||||
							
								
								
									
										256
									
								
								pkg/apis/networking/v1/defaults_test.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										256
									
								
								pkg/apis/networking/v1/defaults_test.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,256 @@ | ||||
| /* | ||||
| Copyright 2017 The Kubernetes Authors. | ||||
|  | ||||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| you may not use this file except in compliance with the License. | ||||
| You may obtain a copy of the License at | ||||
|  | ||||
|     http://www.apache.org/licenses/LICENSE-2.0 | ||||
|  | ||||
| Unless required by applicable law or agreed to in writing, software | ||||
| distributed under the License is distributed on an "AS IS" BASIS, | ||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| See the License for the specific language governing permissions and | ||||
| limitations under the License. | ||||
| */ | ||||
|  | ||||
| package v1_test | ||||
|  | ||||
| import ( | ||||
| 	"reflect" | ||||
| 	"testing" | ||||
|  | ||||
| 	networkingv1 "k8s.io/api/networking/v1" | ||||
|  | ||||
| 	apiequality "k8s.io/apimachinery/pkg/api/equality" | ||||
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||||
| 	"k8s.io/apimachinery/pkg/runtime" | ||||
| 	"k8s.io/kubernetes/pkg/api" | ||||
| 	_ "k8s.io/kubernetes/pkg/api/install" | ||||
| 	_ "k8s.io/kubernetes/pkg/apis/networking/install" | ||||
| 	. "k8s.io/kubernetes/pkg/apis/networking/v1" | ||||
| ) | ||||
|  | ||||
| func TestSetDefaultNetworkPolicy(t *testing.T) { | ||||
| 	tests := []struct { | ||||
| 		original *networkingv1.NetworkPolicy | ||||
| 		expected *networkingv1.NetworkPolicy | ||||
| 	}{ | ||||
| 		{ // Empty NetworkPolicy should be set to PolicyTypes Ingress | ||||
| 			original: &networkingv1.NetworkPolicy{ | ||||
| 				Spec: networkingv1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 				}, | ||||
| 			}, | ||||
| 			expected: &networkingv1.NetworkPolicy{ | ||||
| 				Spec: networkingv1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress}, | ||||
| 				}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ // Empty Ingress NetworkPolicy should be set to PolicyTypes Ingress | ||||
| 			original: &networkingv1.NetworkPolicy{ | ||||
| 				Spec: networkingv1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Ingress: []networkingv1.NetworkPolicyIngressRule{}, | ||||
| 				}, | ||||
| 			}, | ||||
| 			expected: &networkingv1.NetworkPolicy{ | ||||
| 				Spec: networkingv1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Ingress:     []networkingv1.NetworkPolicyIngressRule{}, | ||||
| 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress}, | ||||
| 				}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ // Defined Ingress and Egress should be set to Ingress,Egress | ||||
| 			original: &networkingv1.NetworkPolicy{ | ||||
| 				Spec: networkingv1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Ingress: []networkingv1.NetworkPolicyIngressRule{ | ||||
| 						{ | ||||
| 							From: []networkingv1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									PodSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 					Egress: []networkingv1.NetworkPolicyEgressRule{ | ||||
| 						{ | ||||
| 							To: []networkingv1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 				}, | ||||
| 			}, | ||||
| 			expected: &networkingv1.NetworkPolicy{ | ||||
| 				Spec: networkingv1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Ingress: []networkingv1.NetworkPolicyIngressRule{ | ||||
| 						{ | ||||
| 							From: []networkingv1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									PodSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 					Egress: []networkingv1.NetworkPolicyEgressRule{ | ||||
| 						{ | ||||
| 							To: []networkingv1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, | ||||
| 				}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ // Egress only with unset PolicyTypes should be set to Ingress, Egress | ||||
| 			original: &networkingv1.NetworkPolicy{ | ||||
| 				Spec: networkingv1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Egress: []networkingv1.NetworkPolicyEgressRule{ | ||||
| 						{ | ||||
| 							To: []networkingv1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 				}, | ||||
| 			}, | ||||
| 			expected: &networkingv1.NetworkPolicy{ | ||||
| 				Spec: networkingv1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Egress: []networkingv1.NetworkPolicyEgressRule{ | ||||
| 						{ | ||||
| 							To: []networkingv1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"c": "d"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, | ||||
| 				}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ // Egress only with PolicyTypes set to Egress should be set to only Egress | ||||
| 			original: &networkingv1.NetworkPolicy{ | ||||
| 				Spec: networkingv1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Egress: []networkingv1.NetworkPolicyEgressRule{ | ||||
| 						{ | ||||
| 							To: []networkingv1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"Egress": "only"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}, | ||||
| 				}, | ||||
| 			}, | ||||
| 			expected: &networkingv1.NetworkPolicy{ | ||||
| 				Spec: networkingv1.NetworkPolicySpec{ | ||||
| 					PodSelector: metav1.LabelSelector{ | ||||
| 						MatchLabels: map[string]string{"a": "b"}, | ||||
| 					}, | ||||
| 					Egress: []networkingv1.NetworkPolicyEgressRule{ | ||||
| 						{ | ||||
| 							To: []networkingv1.NetworkPolicyPeer{ | ||||
| 								{ | ||||
| 									NamespaceSelector: &metav1.LabelSelector{ | ||||
| 										MatchLabels: map[string]string{"Egress": "only"}, | ||||
| 									}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}, | ||||
| 				}, | ||||
| 			}, | ||||
| 		}, | ||||
| 	} | ||||
|  | ||||
| 	for i, test := range tests { | ||||
| 		original := test.original | ||||
| 		expected := test.expected | ||||
| 		obj2 := roundTrip(t, runtime.Object(original)) | ||||
| 		got, ok := obj2.(*networkingv1.NetworkPolicy) | ||||
| 		if !ok { | ||||
| 			t.Errorf("(%d) unexpected object: %v", i, got) | ||||
| 			t.FailNow() | ||||
| 		} | ||||
| 		if !apiequality.Semantic.DeepEqual(got.Spec, expected.Spec) { | ||||
| 			t.Errorf("(%d) got different than expected\ngot:\n\t%+v\nexpected:\n\t%+v", i, got.Spec, expected.Spec) | ||||
| 		} | ||||
| 	} | ||||
| } | ||||
|  | ||||
| func roundTrip(t *testing.T, obj runtime.Object) runtime.Object { | ||||
| 	data, err := runtime.Encode(api.Codecs.LegacyCodec(SchemeGroupVersion), obj) | ||||
| 	if err != nil { | ||||
| 		t.Errorf("%v\n %#v", err, obj) | ||||
| 		return nil | ||||
| 	} | ||||
| 	obj2, err := runtime.Decode(api.Codecs.UniversalDecoder(), data) | ||||
| 	if err != nil { | ||||
| 		t.Errorf("%v\nData: %s\nSource: %#v", err, string(data), obj) | ||||
| 		return nil | ||||
| 	} | ||||
| 	obj3 := reflect.New(reflect.TypeOf(obj).Elem()).Interface().(runtime.Object) | ||||
| 	err = api.Scheme.Convert(obj2, obj3, nil) | ||||
| 	if err != nil { | ||||
| 		t.Errorf("%v\nSource: %#v", err, obj2) | ||||
| 		return nil | ||||
| 	} | ||||
| 	return obj3 | ||||
| } | ||||
| @@ -21,6 +21,7 @@ import ( | ||||
|  | ||||
| 	unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation" | ||||
| 	"k8s.io/apimachinery/pkg/util/intstr" | ||||
| 	"k8s.io/apimachinery/pkg/util/sets" | ||||
| 	"k8s.io/apimachinery/pkg/util/validation" | ||||
| 	"k8s.io/apimachinery/pkg/util/validation/field" | ||||
| 	"k8s.io/kubernetes/pkg/api" | ||||
| @@ -123,6 +124,20 @@ func ValidateNetworkPolicySpec(spec *networking.NetworkPolicySpec, fldPath *fiel | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
| 	// Validate PolicyTypes | ||||
| 	allowed := sets.NewString(string(networking.PolicyTypeIngress), string(networking.PolicyTypeEgress)) | ||||
| 	if len(spec.PolicyTypes) > len(allowed) { | ||||
| 		allErrs = append(allErrs, field.Invalid(fldPath.Child("policyTypes"), &spec.PolicyTypes, "may not specify more than two policyTypes")) | ||||
| 		return allErrs | ||||
| 	} | ||||
| 	for i, pType := range spec.PolicyTypes { | ||||
| 		policyPath := fldPath.Child("policyTypes").Index(i) | ||||
| 		for _, p := range spec.PolicyTypes { | ||||
| 			if !allowed.Has(string(p)) { | ||||
| 				allErrs = append(allErrs, field.NotSupported(policyPath, pType, []string{string(networking.PolicyTypeIngress), string(networking.PolicyTypeEgress)})) | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
| 	return allErrs | ||||
| } | ||||
|  | ||||
|   | ||||
| @@ -191,6 +191,28 @@ func TestValidateNetworkPolicy(t *testing.T) { | ||||
| 						}, | ||||
| 					}, | ||||
| 				}, | ||||
| 				PolicyTypes: []networking.PolicyType{networking.PolicyTypeEgress}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, | ||||
| 			Spec: networking.NetworkPolicySpec{ | ||||
| 				PodSelector: metav1.LabelSelector{ | ||||
| 					MatchLabels: map[string]string{"a": "b"}, | ||||
| 				}, | ||||
| 				Egress: []networking.NetworkPolicyEgressRule{ | ||||
| 					{ | ||||
| 						To: []networking.NetworkPolicyPeer{ | ||||
| 							{ | ||||
| 								IPBlock: &networking.IPBlock{ | ||||
| 									CIDR:   "192.168.0.0/16", | ||||
| 									Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 				}, | ||||
| 				PolicyTypes: []networking.PolicyType{networking.PolicyTypeIngress, networking.PolicyTypeEgress}, | ||||
| 			}, | ||||
| 		}, | ||||
| 	} | ||||
| @@ -421,6 +443,48 @@ func TestValidateNetworkPolicy(t *testing.T) { | ||||
| 				}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		"invalid policyTypes": { | ||||
| 			ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, | ||||
| 			Spec: networking.NetworkPolicySpec{ | ||||
| 				PodSelector: metav1.LabelSelector{ | ||||
| 					MatchLabels: map[string]string{"a": "b"}, | ||||
| 				}, | ||||
| 				Egress: []networking.NetworkPolicyEgressRule{ | ||||
| 					{ | ||||
| 						To: []networking.NetworkPolicyPeer{ | ||||
| 							{ | ||||
| 								IPBlock: &networking.IPBlock{ | ||||
| 									CIDR:   "192.168.0.0/16", | ||||
| 									Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 				}, | ||||
| 				PolicyTypes: []networking.PolicyType{"foo", "bar"}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		"too many policyTypes": { | ||||
| 			ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, | ||||
| 			Spec: networking.NetworkPolicySpec{ | ||||
| 				PodSelector: metav1.LabelSelector{ | ||||
| 					MatchLabels: map[string]string{"a": "b"}, | ||||
| 				}, | ||||
| 				Egress: []networking.NetworkPolicyEgressRule{ | ||||
| 					{ | ||||
| 						To: []networking.NetworkPolicyPeer{ | ||||
| 							{ | ||||
| 								IPBlock: &networking.IPBlock{ | ||||
| 									CIDR:   "192.168.0.0/16", | ||||
| 									Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, | ||||
| 								}, | ||||
| 							}, | ||||
| 						}, | ||||
| 					}, | ||||
| 				}, | ||||
| 				PolicyTypes: []networking.PolicyType{"foo", "bar", "baz"}, | ||||
| 			}, | ||||
| 		}, | ||||
| 	} | ||||
|  | ||||
| 	// Error cases are not expected to pass validation. | ||||
|   | ||||
| @@ -1157,6 +1157,17 @@ type NetworkPolicy struct { | ||||
| 	Spec NetworkPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` | ||||
| } | ||||
|  | ||||
| // Policy Type string describes the NetworkPolicy type | ||||
| // This type is beta-level in 1.8 | ||||
| type PolicyType string | ||||
|  | ||||
| const ( | ||||
| 	// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods | ||||
| 	PolicyTypeIngress PolicyType = "Ingress" | ||||
| 	// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods | ||||
| 	PolicyTypeEgress PolicyType = "Egress" | ||||
| ) | ||||
|  | ||||
| type NetworkPolicySpec struct { | ||||
| 	// Selects the pods to which this NetworkPolicy object applies.  The array of ingress rules | ||||
| 	// is applied to any pods selected by this field. Multiple network policies can select the | ||||
| @@ -1179,10 +1190,24 @@ type NetworkPolicySpec struct { | ||||
| 	// allowed if there are no NetworkPolicies selecting the pod (and cluster policy | ||||
| 	// otherwise allows the traffic), OR if the traffic matches at least one egress rule | ||||
| 	// across all of the NetworkPolicy objects whose podSelector matches the pod. If | ||||
| 	// this field is empty then this NetworkPolicy does not limit any outgoing traffic | ||||
| 	// (and serves solely to ensure that the pods it selects does not allow any outgoing traffic.) | ||||
| 	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves | ||||
| 	// solely to ensure that the pods it selects are isolated by default). | ||||
| 	// This field is beta-level in 1.8 | ||||
| 	// +optional | ||||
| 	Egress []NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,3,rep,name=egress"` | ||||
|  | ||||
| 	// List of rule types that the NetworkPolicy relates to. | ||||
| 	// Valid options are Ingress, Egress, or Ingress,Egress. | ||||
| 	// If this field is not specified, it will default based on the existence of Ingress or Egress rules; | ||||
| 	// policies that contain an Egress section are assumed to affect Egress, and all policies | ||||
| 	// (whether or not they contain an Ingress section) are assumed to affect Ingress. | ||||
| 	// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. | ||||
| 	// Likewise, if you want to write a policy that specifies that no egress is allowed, | ||||
| 	// you must specify a policyTypes value that include "Egress" (since such a policy would not include | ||||
| 	// an Egress section and would otherwise default to just [ "Ingress" ]). | ||||
| 	// This field is beta-level in 1.8 | ||||
| 	// +optional | ||||
| 	PolicyTypes []PolicyType `json:"policyTypes,omitempty" protobuf:"bytes,4,rep,name=policyTypes,casttype=PolicyType"` | ||||
| } | ||||
|  | ||||
| // This NetworkPolicyIngressRule matches traffic if and only if the traffic matches both ports AND from. | ||||
| @@ -1206,6 +1231,7 @@ type NetworkPolicyIngressRule struct { | ||||
|  | ||||
| // NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods | ||||
| // matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. | ||||
| // This type is beta-level in 1.8 | ||||
| type NetworkPolicyEgressRule struct { | ||||
| 	// List of destination ports for outgoing traffic. | ||||
| 	// Each item in this list is combined using a logical OR. If this field is | ||||
|   | ||||
| @@ -38,6 +38,17 @@ type NetworkPolicy struct { | ||||
| 	Spec NetworkPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` | ||||
| } | ||||
|  | ||||
| // Policy Type string describes the NetworkPolicy type | ||||
| // This type is beta-level in 1.8 | ||||
| type PolicyType string | ||||
|  | ||||
| const ( | ||||
| 	// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods | ||||
| 	PolicyTypeIngress PolicyType = "Ingress" | ||||
| 	// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods | ||||
| 	PolicyTypeEgress PolicyType = "Egress" | ||||
| ) | ||||
|  | ||||
| // NetworkPolicySpec provides the specification of a NetworkPolicy | ||||
| type NetworkPolicySpec struct { | ||||
| 	// Selects the pods to which this NetworkPolicy object applies. The array of | ||||
| @@ -62,10 +73,24 @@ type NetworkPolicySpec struct { | ||||
| 	// allowed if there are no NetworkPolicies selecting the pod (and cluster policy | ||||
| 	// otherwise allows the traffic), OR if the traffic matches at least one egress rule | ||||
| 	// across all of the NetworkPolicy objects whose podSelector matches the pod. If | ||||
| 	// this field is empty then this NetworkPolicy does not limit any outgoing traffic | ||||
| 	// (and serves solely to ensure that the pods it selects does not allow any outgoing traffic.) | ||||
| 	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves | ||||
| 	// solely to ensure that the pods it selects are isolated by default). | ||||
| 	// This field is beta-level in 1.8 | ||||
| 	// +optional | ||||
| 	Egress []NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,3,rep,name=egress"` | ||||
|  | ||||
| 	// List of rule types that the NetworkPolicy relates to. | ||||
| 	// Valid options are Ingress, Egress, or Ingress,Egress. | ||||
| 	// If this field is not specified, it will default based on the existence of Ingress or Egress rules; | ||||
| 	// policies that contain an Egress section are assumed to affect Egress, and all policies | ||||
| 	// (whether or not they contain an Ingress section) are assumed to affect Ingress. | ||||
| 	// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. | ||||
| 	// Likewise, if you want to write a policy that specifies that no egress is allowed, | ||||
| 	// you must specify a policyTypes value that include "Egress" (since such a policy would not include | ||||
| 	// an Egress section and would otherwise default to just [ "Ingress" ]). | ||||
| 	// This field is beta-level in 1.8 | ||||
| 	// +optional | ||||
| 	PolicyTypes []PolicyType `json:"policyTypes,omitempty" protobuf:"bytes,4,rep,name=policyTypes,casttype=PolicyType"` | ||||
| } | ||||
|  | ||||
| // NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods | ||||
| @@ -90,6 +115,7 @@ type NetworkPolicyIngressRule struct { | ||||
|  | ||||
| // NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods | ||||
| // matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. | ||||
| // This type is beta-level in 1.8 | ||||
| type NetworkPolicyEgressRule struct { | ||||
| 	// List of destination ports for outgoing traffic. | ||||
| 	// Each item in this list is combined using a logical OR. If this field is | ||||
|   | ||||
		Reference in New Issue
	
	Block a user
	 Christopher M. Luciano
					Christopher M. Luciano