From bef3711f82e76a14fab86cacf5821e3857418ea6 Mon Sep 17 00:00:00 2001 From: GraysonWu Date: Mon, 24 Jul 2023 21:05:46 -0700 Subject: [PATCH] Upgrade ACNP and ANNP to v1beta1 (#5186) 
Signed-off-by: graysonwu --- .../antrea/crds/clusternetworkpolicy.yaml | 730 +++- build/charts/antrea/crds/networkpolicy.yaml | 644 +++- .../webhooks/validating/crdvalidator.yaml | 4 +- build/yamls/antrea-aks.yml | 3002 ++++++++++++----- build/yamls/antrea-crds.yml | 2908 +++++++++++----- build/yamls/antrea-eks.yml | 3002 ++++++++++++----- build/yamls/antrea-gke.yml | 3002 ++++++++++++----- build/yamls/antrea-ipsec.yml | 3002 ++++++++++++----- build/yamls/antrea.yml | 3002 ++++++++++++----- cmd/antrea-controller/controller.go | 4 +- docs/api.md | 6 +- .../v1alpha1/resourceexport_types.go | 4 +- .../v1alpha1/resourceimport_types.go | 4 +- .../v1alpha1/zz_generated.deepcopy.go | 6 +- .../multicluster/common/test_data.go | 4 +- .../leader/resourceexport_controller_test.go | 16 +- .../member/acnp_resourceimport_controller.go | 9 +- .../acnp_resourceimport_controller_test.go | 65 +- .../multicluster/stale_controller.go | 8 +- .../multicluster/stale_controller_test.go | 20 +- multicluster/test/e2e/framework.go | 6 +- multicluster/test/e2e/service_test.go | 26 +- pkg/agent/controller/networkpolicy/cache.go | 6 +- .../networkpolicy_controller_test.go | 12 +- pkg/agent/controller/traceflow/packetin.go | 3 +- .../connections/conntrack_connections_test.go | 4 +- pkg/agent/multicast/mcast_controller_test.go | 6 +- pkg/agent/multicast/mcast_discovery.go | 4 +- pkg/agent/openflow/network_policy.go | 10 +- pkg/agent/openflow/network_policy_test.go | 10 +- pkg/agent/types/multicast.go | 4 +- pkg/agent/types/networkpolicy.go | 4 +- pkg/apis/controlplane/types.go | 4 +- pkg/apis/controlplane/v1beta2/generated.pb.go | 286 +- pkg/apis/controlplane/v1beta2/types.go | 4 +- .../v1beta2/zz_generated.conversion.go | 12 +- .../v1beta2/zz_generated.deepcopy.go | 8 +- .../controlplane/zz_generated.deepcopy.go | 8 +- pkg/apis/crd/v1beta1/register.go | 4 + pkg/apis/crd/v1beta1/types.go | 467 ++- pkg/apis/crd/v1beta1/zz_generated.deepcopy.go | 639 +++- 
pkg/apiserver/openapi/zz_generated.openapi.go | 1162 ++++++- .../typed/crd/v1beta1/clusternetworkpolicy.go | 182 + .../versioned/typed/crd/v1beta1/crd_client.go | 10 + .../v1beta1/fake/fake_clusternetworkpolicy.go | 131 + .../typed/crd/v1beta1/fake/fake_crd_client.go | 8 + .../crd/v1beta1/fake/fake_networkpolicy.go | 140 + .../typed/crd/v1beta1/generated_expansion.go | 4 + .../typed/crd/v1beta1/networkpolicy.go | 193 ++ .../crd/v1beta1/clusternetworkpolicy.go | 87 + .../externalversions/crd/v1beta1/interface.go | 14 + .../crd/v1beta1/networkpolicy.go | 88 + .../informers/externalversions/generic.go | 4 + .../crd/v1beta1/clusternetworkpolicy.go | 66 + .../crd/v1beta1/expansion_generated.go | 12 + .../listers/crd/v1beta1/networkpolicy.go | 97 + .../networkpolicy/antreanetworkpolicy.go | 18 +- .../networkpolicy/antreanetworkpolicy_test.go | 160 +- pkg/controller/networkpolicy/clustergroup.go | 3 +- .../networkpolicy/clustergroup_test.go | 37 +- .../networkpolicy/clusternetworkpolicy.go | 42 +- .../clusternetworkpolicy_test.go | 419 ++- pkg/controller/networkpolicy/crd_utils.go | 47 +- .../networkpolicy/crd_utils_test.go | 89 +- pkg/controller/networkpolicy/group.go | 3 +- pkg/controller/networkpolicy/group_test.go | 11 +- pkg/controller/networkpolicy/mutate.go | 12 +- pkg/controller/networkpolicy/mutate_test.go | 70 +- .../networkpolicy/networkpolicy_controller.go | 31 +- .../networkpolicy_controller_perf_test.go | 30 +- .../networkpolicy_controller_test.go | 81 +- .../networkpolicy/status_controller.go | 60 +- .../networkpolicy/status_controller_test.go | 80 +- pkg/controller/networkpolicy/validate.go | 61 +- pkg/controller/networkpolicy/validate_test.go | 629 ++-- pkg/controller/stats/aggregator.go | 16 +- pkg/controller/stats/aggregator_test.go | 18 +- pkg/monitor/controller_test.go | 4 +- test/e2e/antreaipam_anp_test.go | 10 +- test/e2e/antreapolicy_test.go | 382 +-- test/e2e/clustergroup_test.go | 17 +- test/e2e/flowaggregator_test.go | 18 +- 
test/e2e/group_test.go | 15 +- test/e2e/k8s_util.go | 41 +- test/e2e/l7networkpolicy_test.go | 34 +- test/e2e/multicast_test.go | 54 +- test/e2e/traceflow_test.go | 33 +- test/e2e/utils/annp_spec_builder.go | 50 +- test/e2e/utils/cg_spec_builder.go | 5 +- test/e2e/utils/cnp_spec_builder.go | 104 +- test/e2e/utils/grp_spec_builder.go | 5 +- test/e2e/utils/helper.go | 18 +- test/e2e/vmagent_test.go | 49 +- test/integration/agent/openflow_test.go | 6 +- 94 files changed, 19343 insertions(+), 6586 deletions(-) create mode 100644 pkg/client/clientset/versioned/typed/crd/v1beta1/clusternetworkpolicy.go create mode 100644 pkg/client/clientset/versioned/typed/crd/v1beta1/fake/fake_clusternetworkpolicy.go create mode 100644 pkg/client/clientset/versioned/typed/crd/v1beta1/fake/fake_networkpolicy.go create mode 100644 pkg/client/clientset/versioned/typed/crd/v1beta1/networkpolicy.go create mode 100644 pkg/client/informers/externalversions/crd/v1beta1/clusternetworkpolicy.go create mode 100644 pkg/client/informers/externalversions/crd/v1beta1/networkpolicy.go create mode 100644 pkg/client/listers/crd/v1beta1/clusternetworkpolicy.go create mode 100644 pkg/client/listers/crd/v1beta1/networkpolicy.go diff --git a/build/charts/antrea/crds/clusternetworkpolicy.yaml b/build/charts/antrea/crds/clusternetworkpolicy.yaml index 3c9308b985f..f28acf63c97 100644 --- a/build/charts/antrea/crds/clusternetworkpolicy.yaml +++ b/build/charts/antrea/crds/clusternetworkpolicy.yaml @@ -9,7 +9,7 @@ spec: versions: - name: v1alpha1 served: true - storage: true + storage: false additionalPrinterColumns: - name: Tier type: string 
@@ -699,6 +699,734 @@ spec: type: string subresources: status: {} + - name: v1beta1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + 
type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + service: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + service: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: 
[ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. + enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + scope: + type: string + enum: [ 'Cluster', 'ClusterSet' ] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn 
+ - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. 
+ enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + 
items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + scope: + type: string + enum: [ 'Cluster', 'ClusterSet' ] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + reason: + type: string + message: + type: string + subresources: + status: { } scope: Cluster names: plural: clusternetworkpolicies diff --git a/build/charts/antrea/crds/networkpolicy.yaml b/build/charts/antrea/crds/networkpolicy.yaml index 424c056ffe3..f9b281dd97a 100644 --- a/build/charts/antrea/crds/networkpolicy.yaml +++ b/build/charts/antrea/crds/networkpolicy.yaml @@ -9,7 +9,7 @@ spec: versions: - name: v1alpha1 served: true - storage: true + storage: false additionalPrinterColumns: - name: Tier type: string 
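Review bot: Making v1beta1 the storage version while v1alpha1 stays `served: true` adds no `conversion:` stanza in this hunk, so the CRD relies on the default `None` strategy (only `apiVersion` is rewritten on read), which is safe only while the two schemas stay field-for-field identical; that constraint deserves a comment above the new entry, e.g. `# v1beta1 must stay schema-identical to v1alpha1 while the conversion strategy is None`. Objects already persisted as v1alpha1 are not rewritten by this change: they remain v1alpha1 in etcd and the CRD's `status.storedVersions` keeps both entries until a storage migration (read-and-update of every existing ClusterNetworkPolicy) has run, so v1alpha1 cannot simply be dropped from `versions` in a later release before that happens. The same applies to the networkpolicy.yaml hunk below. The `versions:` list and the enclosing CRD spec begin before this hunk, so whether a `conversion:` block exists elsewhere in the file cannot be confirmed from here.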
@@ -613,6 +613,648 @@ spec: type: string subresources: status: {} + - name: v1beta1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + 
type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: + type: string + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: + type: string + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. 
+ enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: 
+ type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: + type: string + scope: + type: string + enum: [ 'Cluster', 'ClusterSet' ] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: + type: string + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + 
icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. + enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: + type: string + toServices: + type: array + items: + type: object + required: + - name + properties: + name: + type: string + namespace: + type: string + scope: + type: string + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + reason: + type: string + message: + type: string + subresources: + status: { } scope: Namespaced names: plural: networkpolicies diff --git a/build/charts/antrea/templates/webhooks/validating/crdvalidator.yaml b/build/charts/antrea/templates/webhooks/validating/crdvalidator.yaml index a1e1648ca43..86c466b08eb 100644 --- a/build/charts/antrea/templates/webhooks/validating/crdvalidator.yaml +++ b/build/charts/antrea/templates/webhooks/validating/crdvalidator.yaml 
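Review bot: The egress peer `scope` field in the new v1beta1 schema (under the `to:` items, just after `toServices`) is declared as a bare `type: string`, whereas the ingress peer `scope` earlier in this hunk and both peer schemas in the ClusterNetworkPolicy hunk carry `enum: [ 'Cluster', 'ClusterSet' ]`; any string therefore passes CRD schema validation for egress peers and only the admission webhook, if it checks this field, would reject it. Add the enum so both directions agree: `scope:` / `type: string` / `enum: [ 'Cluster', 'ClusterSet' ]`. Even if the omission mirrors the existing v1alpha1 schema, it is worth fixing in this version, since v1beta1 is now the storage version and its schema is what new objects are validated against.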
@@ -30,7 +30,7 @@ webhooks: rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] + apiVersions: ["v1beta1"] resources: ["clusternetworkpolicies"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] @@ -45,7 +45,7 @@ webhooks: rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] + apiVersions: ["v1beta1"] resources: ["networkpolicies"] scope: "Namespaced" admissionReviewVersions: ["v1", "v1beta1"] diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml index dbbe093060e..1024463b2ee 100644 --- a/build/yamls/antrea-aks.yml +++ b/build/yamls/antrea-aks.yml @@ -706,7 +706,7 @@ spec: versions: - name: v1alpha1 served: true - storage: true + storage: false additionalPrinterColumns: - name: Tier type: string 
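Review bot: The validating webhook rules now match only `apiVersions: ["v1beta1"]` for clusternetworkpolicies and networkpolicies, while the CRD hunks above keep `v1alpha1` with `served: true`. Whether a CREATE or UPDATE sent to the v1alpha1 endpoint still reaches the validator depends on the webhook's `matchPolicy`, which is outside this hunk: with `Equivalent` (the default for `admissionregistration.k8s.io/v1`) the request is converted and validated, with `Exact` it bypasses the webhook entirely. Either confirm `matchPolicy: Equivalent` is set or defaulted on both webhooks, or list both versions, `apiVersions: ["v1alpha1", "v1beta1"]`, so the still-served legacy version cannot skip validation. The same applies to the second hunk in this file (`@@ -45,7 +45,7 @@`).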
@@ -1396,682 +1396,2165 @@ spec: type: string subresources: status: {} - scope: Cluster - names: - plural: clusternetworkpolicies - singular: clusternetworkpolicy - kind: ClusterNetworkPolicy - shortNames: - - acnp - ---- -# Source: crds/egress.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: egresses.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 + - name: v1beta1 served: true storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - appliedTo - oneOf: - - anyOf: - - required: - - egressIP - - required: - - externalIPPool - - anyOf: - - required: - - egressIPs - - required: - - externalIPPools - properties: - appliedTo: - type: object - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - egressIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - egressIPs: - type: array - items: - type: string - oneOf: - - maxLength: 0 - - format: ipv4 - - format: ipv6 - externalIPPool: - type: string - externalIPPools: - type: array - items: - type: string - status: - type: object - properties: - egressNode: - type: string - egressIP: - type: string additionalPrinterColumns: - - 
description: The effective SNAT IP address for the selected workloads. - jsonPath: .status.egressIP - name: EgressIP + - name: Tier type: string - - jsonPath: .metadata.creationTimestamp - name: Age + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string - subresources: - status: {} - scope: Cluster - names: - plural: egresses - singular: egress - kind: Egress - shortNames: - - eg - ---- -# Source: crds/externalentity.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: externalentities.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true + jsonPath: .metadata.creationTimestamp schema: openAPIV3Schema: type: object properties: spec: + # Ensure that Spec.Priority field is set + required: + - priority type: object properties: - endpoints: - type: array - items: - type: object - properties: - ip: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - name: - type: string - ports: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: type: array items: type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field properties: - protocol: + podSelector: + type: 
object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - x-kubernetes-int-or-string: true - name: - type: string - externalNode: - type: string - - name: v1alpha1 - served: false - storage: false - schema: - openAPIV3Schema: - type: object - scope: Namespaced - names: - plural: externalentities - singular: externalentity - kind: ExternalEntity - shortNames: - - ee - ---- -# Source: crds/externalippool.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: externalippools.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - ipRanges - - nodeSelector - properties: - ipRanges: - type: array - items: - type: object - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - type: string - format: cidr - start: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - end: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - 
nodeSelector: - type: object - properties: - matchExpressions: - items: + serviceAccount: + type: object properties: - key: + name: type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist + namespace: type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array + required: + - name + - namespace + service: type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - status: - type: object - properties: - usage: - type: object - properties: - total: - type: integer - used: - type: integer - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: {} - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - ipRanges - - nodeSelector - properties: - ipRanges: - type: array - items: - type: object - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - type: string - format: cidr - start: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - end: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - nodeSelector: - type: object - properties: - matchExpressions: - items: properties: - key: + name: type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist + namespace: type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array - type: object - type: array - matchLabels: - additionalProperties: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: object - status: - type: object - properties: - usage: - type: object - properties: - total: - 
type: integer - used: - type: integer - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: { } - scope: Cluster - names: - plural: externalippools - singular: externalippool - kind: ExternalIPPool - shortNames: - - eip - ---- -# Source: crds/externalnode.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalnodes.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - interfaces - properties: - interfaces: + required: + - name + - namespace + ingress: type: array - minItems: 1 - maxItems: 1 - required: - - ips items: type: object + required: + - action properties: - ips: + appliedTo: type: array - minItems: 1 items: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - name: - type: string - served: true - storage: true - scope: Namespaced - names: - plural: externalnodes - singular: externalnode - kind: ExternalNode - shortNames: - - en - ---- -# Source: crds/group.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: groups.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha3 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - childGroups: - type: array - items: - type: string - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - 
matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlocks: - type: array - items: - type: object - properties: - cidr: - type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string - status: - type: object - properties: - conditions: - type: 
array - items: - type: object - properties: - type: - type: string - status: - type: string - lastTransitionTime: + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + service: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: type: string - subresources: - status: {} - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - childGroups: - type: array - items: - type: string - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. 
+ enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + scope: + type: string + enum: [ 'Cluster', 'ClusterSet' ] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + 
x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. + enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + 
additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + scope: + type: string + enum: [ 'Cluster', 'ClusterSet' ] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + reason: + type: string + message: + type: string + subresources: + status: { } + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp + +--- +# Source: crds/egress.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: egresses.crd.antrea.io + labels: + app: antrea +spec: 
+ group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + oneOf: + - anyOf: + - required: + - egressIP + - required: + - externalIPPool + - anyOf: + - required: + - egressIPs + - required: + - externalIPPools + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + egressIPs: + type: array + items: + type: string + oneOf: + - maxLength: 0 + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + externalIPPools: + type: array + items: + type: string + status: + type: object + properties: + egressNode: + type: string + egressIP: + type: string + additionalPrinterColumns: + - description: The effective SNAT IP address for the selected workloads. 
+ jsonPath: .status.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} + scope: Cluster + names: + plural: egresses + singular: egress + kind: Egress + shortNames: + - eg + +--- +# Source: crds/externalentity.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalentities.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoints: + type: array + items: + type: object + properties: + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: + type: string + externalNode: + type: string + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee + +--- +# Source: crds/externalippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + 
end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + 
additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: { } + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip + +--- +# Source: crds/externalnode.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalnodes.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - interfaces + properties: + interfaces: + type: array + minItems: 1 + maxItems: 1 + required: + - ips + items: + type: object + properties: + ips: + type: array + minItems: 1 + items: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + served: true + storage: true + scope: Namespaced + names: + plural: externalnodes + singular: externalnode + kind: ExternalNode + shortNames: + - en + +--- +# Source: crds/group.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: groups.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha3 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + 
matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: {} + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array items: type: 
object properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: { } + scope: Namespaced + names: + plural: groups + singular: group + kind: Group + shortNames: + - grp + +--- +# Source: crds/ippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges + type: object + properties: + ipVersion: + type: integer + enum: [ 4, 6 ] + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + minimum: 1 + maximum: 128 + vlan: + type: integer + minimum: 0 + maximum: 4094 + type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + 
name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: + type: string + type: object + type: array + usage: + properties: + used: + type: integer + total: + type: integer + type: object + type: object + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ipp + +--- +# Source: crds/networkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: false + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. 
+ jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + podSelector: + type: object + properties: + matchExpressions: type: array items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + 
type: string + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. + enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [http] + - required: [tls] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + path: + type: string + tls: + type: object + properties: + sni: + type: string + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + scope: + type: string + enum: ['Cluster', 'ClusterSet'] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: 
object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. 
+ enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [http] + - required: [tls] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + path: + type: string + tls: + type: object + properties: + sni: + type: string + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + toServices: + type: array + items: + type: object + required: + - name + properties: + name: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlocks: - type: array - items: - type: object - properties: - cidr: + namespace: + type: string + scope: + type: string + name: type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" status: type: object properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer conditions: type: array items: 
@@ -2083,162 +3566,13 @@ spec: type: string lastTransitionTime: type: string - subresources: - status: { } - scope: Namespaced - names: - plural: groups - singular: group - kind: Group - shortNames: - - grp - ---- -# Source: crds/ippool.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ippools.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - required: - - ipVersion - - ipRanges - type: object - properties: - ipVersion: - type: integer - enum: [ 4, 6 ] - ipRanges: - items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength - properties: - cidr: - format: cidr - type: string - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - minimum: 1 - maximum: 128 - vlan: - type: integer - minimum: 0 - maximum: 4094 - type: object - type: array - status: - properties: - ipAddresses: - items: - properties: - ipAddress: + reason: type: string - owner: - properties: - pod: - properties: - name: - type: string - namespace: - type: string - containerID: - type: string - ifName: - type: string - type: object - statefulSet: - properties: - name: - type: string - namespace: - type: string - index: - type: integer - type: object - type: object - phase: + message: type: string - type: object - type: array - usage: - properties: - used: - type: integer - total: - type: integer - type: object - type: object - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: 
integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date subresources: status: {} - scope: Cluster - names: - plural: ippools - singular: ippool - kind: IPPool - shortNames: - - ipp - ---- -# Source: crds/networkpolicy.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: networkpolicies.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 + - name: v1beta1 served: true storage: true additionalPrinterColumns: @@ -2311,7 +3645,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object podSelector: type: object properties: @@ -2335,7 +3672,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string ingress: @@ -2374,13 +3714,16 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: @@ -2388,7 +3731,7 @@ spec: properties: protocol: type: string - enum: ['TCP', 'UDP', 'SCTP'] + enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: @@ -2402,8 +3745,8 @@ spec: items: type: object oneOf: - - required: [icmp] - - required: [igmp] + - required: [ icmp ] + - required: [ igmp ] properties: icmp: type: object 
@@ -2433,8 +3776,8 @@ spec: items: type: object oneOf: - - required: [http] - - required: [tls] + - required: [ http ] + - required: [ tls ] properties: http: type: object @@ -2443,7 +3786,7 @@ spec: type: string method: type: string - enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: @@ -2479,7 +3822,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object namespaceSelector: type: object properties: @@ -2503,7 +3849,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object externalEntitySelector: type: object properties: @@ -2527,7 +3876,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ipBlock: type: object properties: @@ -2557,12 +3909,15 @@ spec: type: object type: array matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string scope: type: string - enum: ['Cluster', 'ClusterSet'] + enum: [ 'Cluster', 'ClusterSet' ] name: type: string enableLogging: 
@@ -2606,13 +3961,16 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: @@ -2620,7 +3978,7 @@ spec: properties: protocol: type: string - enum: ['TCP', 'UDP', 'SCTP'] + enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: @@ -2634,8 +3992,8 @@ spec: items: type: object oneOf: - - required: [icmp] - - required: [igmp] + - required: [ icmp ] + - required: [ igmp ] properties: icmp: type: object @@ -2667,8 +4025,8 @@ spec: items: type: object oneOf: - - required: [http] - - required: [tls] + - required: [ http ] + - required: [ tls ] properties: http: type: object @@ -2677,7 +4035,7 @@ spec: type: string method: type: string - enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: @@ -2713,7 +4071,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object namespaceSelector: type: object properties: @@ -2737,7 +4098,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object externalEntitySelector: type: object properties: 
@@ -2761,7 +4125,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ipBlock: type: object properties: @@ -2793,7 +4160,10 @@ spec: type: object type: array matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string toServices: @@ -2801,7 +4171,7 @@ spec: items: type: object required: - - name + - name properties: name: type: string @@ -2843,7 +4213,7 @@ spec: message: type: string subresources: - status: {} + status: { } scope: Namespaced names: plural: networkpolicies @@ -5480,7 +6850,7 @@ webhooks: rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] + apiVersions: ["v1beta1"] resources: ["clusternetworkpolicies"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] @@ -5495,7 +6865,7 @@ webhooks: rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] + apiVersions: ["v1beta1"] resources: ["networkpolicies"] scope: "Namespaced" admissionReviewVersions: ["v1", "v1beta1"] diff --git a/build/yamls/antrea-crds.yml b/build/yamls/antrea-crds.yml index 34d6877a636..9ad81bb4555 100644 --- a/build/yamls/antrea-crds.yml +++ b/build/yamls/antrea-crds.yml @@ -699,7 +699,7 @@ spec: versions: - name: v1alpha1 served: true - storage: true + storage: false additionalPrinterColumns: - name: Tier type: string 
@@ -1389,672 +1389,2151 @@ spec: type: string subresources: status: {} - scope: Cluster - names: - plural: clusternetworkpolicies - singular: clusternetworkpolicy - kind: ClusterNetworkPolicy - shortNames: - - acnp ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: egresses.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 + - name: v1beta1 served: true storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - appliedTo - oneOf: - - anyOf: - - required: - - egressIP - - required: - - externalIPPool - - anyOf: - - required: - - egressIPs - - required: - - externalIPPools - properties: - appliedTo: - type: object - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - egressIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - egressIPs: - type: array - items: - type: string - oneOf: - - maxLength: 0 - - format: ipv4 - - format: ipv6 - externalIPPool: - type: string - externalIPPools: - type: array - items: - type: string - status: - type: object - properties: - egressNode: - type: string - egressIP: - type: string additionalPrinterColumns: - - description: The effective 
SNAT IP address for the selected workloads. - jsonPath: .status.egressIP - name: EgressIP + - name: Tier type: string - - jsonPath: .metadata.creationTimestamp - name: Age + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string - subresources: - status: {} - scope: Cluster - names: - plural: egresses - singular: egress - kind: Egress - shortNames: - - eg ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: externalentities.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true + jsonPath: .metadata.creationTimestamp schema: openAPIV3Schema: type: object properties: spec: + # Ensure that Spec.Priority field is set + required: + - priority type: object properties: - endpoints: - type: array - items: - type: object - properties: - ip: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - name: - type: string - ports: - type: array - items: - type: object - properties: - protocol: - type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - x-kubernetes-int-or-string: true - name: - type: string - externalNode: + tier: type: string - - name: v1alpha1 - served: false - storage: false - schema: - openAPIV3Schema: - type: object - scope: Namespaced - names: - plural: externalentities - singular: 
externalentity - kind: ExternalEntity - shortNames: - - ee ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: externalippools.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - ipRanges - - nodeSelector - properties: - ipRanges: + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: type: array items: type: object - oneOf: - - required: - - cidr - - required: - - start - - end + # Ensure that Spec.AppliedTo does not allow IPBlock field properties: - cidr: - type: string - format: cidr - start: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - end: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - nodeSelector: - type: object - properties: - matchExpressions: - items: + podSelector: + type: object properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: + matchExpressions: + type: array items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array + type: object + namespaceSelector: type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - status: - type: object - properties: - usage: - type: object - properties: - total: - type: integer - used: - type: integer - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of 
allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: {} - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - ipRanges - - nodeSelector - properties: - ipRanges: - type: array - items: - type: object - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - type: string - format: cidr - start: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - end: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - nodeSelector: - type: object - properties: - matchExpressions: - items: properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: + matchExpressions: + type: array items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array - type: object - type: array - matchLabels: - additionalProperties: + type: object + group: type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: object - status: - type: object - properties: - usage: - type: object - properties: - total: - type: integer - used: - type: integer - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: { } - scope: Cluster - names: - plural: externalippools - singular: externalippool - kind: 
ExternalIPPool - shortNames: - - eip ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalnodes.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - interfaces - properties: - interfaces: + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + service: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + ingress: type: array - minItems: 1 - maxItems: 1 - required: - - ips items: type: object + required: + - action properties: - ips: + appliedTo: type: array - minItems: 1 items: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - name: - type: string - served: true - storage: true - scope: Namespaced - names: - plural: externalnodes - singular: externalnode - kind: ExternalNode - shortNames: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + 
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + service: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. 
+ enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + scope: + type: string + enum: [ 'Cluster', 'ClusterSet' ] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + 
x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. + enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + 
additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + scope: + type: string + enum: [ 'Cluster', 'ClusterSet' ] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + reason: + type: string + message: + type: string + subresources: + status: { } + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: egresses.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + 
versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + oneOf: + - anyOf: + - required: + - egressIP + - required: + - externalIPPool + - anyOf: + - required: + - egressIPs + - required: + - externalIPPools + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + egressIPs: + type: array + items: + type: string + oneOf: + - maxLength: 0 + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + externalIPPools: + type: array + items: + type: string + status: + type: object + properties: + egressNode: + type: string + egressIP: + type: string + additionalPrinterColumns: + - description: The effective SNAT IP address for the selected workloads. 
+ jsonPath: .status.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} + scope: Cluster + names: + plural: egresses + singular: egress + kind: Egress + shortNames: + - eg +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalentities.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoints: + type: array + items: + type: object + properties: + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: + type: string + externalNode: + type: string + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: 
+ type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: 
.status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: { } + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalnodes.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - interfaces + properties: + interfaces: + type: array + minItems: 1 + maxItems: 1 + required: + - ips + items: + type: object + properties: + ips: + type: array + minItems: 1 + items: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + served: true + storage: true + scope: Namespaced + names: + plural: externalnodes + singular: externalnode + kind: ExternalNode + shortNames: - en --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: groups.crd.antrea.io + name: groups.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha3 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn 
+ - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: {} + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: { } + scope: Namespaced + names: + plural: groups + singular: group + kind: Group + shortNames: + - grp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges + type: object + properties: + ipVersion: + type: integer + enum: [ 4, 6 ] + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + minimum: 1 + maximum: 128 + vlan: + type: integer + minimum: 0 + maximum: 4094 + type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: + 
type: string + type: object + type: array + usage: + properties: + used: + type: integer + total: + type: integer + type: object + type: object + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ipp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io + labels: + app: antrea spec: group: crd.antrea.io versions: - - name: v1alpha3 + - name: v1alpha1 served: true storage: false + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. 
+ jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp schema: openAPIV3Schema: type: object properties: spec: + # Ensure that Spec.Priority field is set + required: + - priority type: object properties: - childGroups: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: type: array items: - type: string - podSelector: - type: object - properties: - matchExpressions: - type: array - items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + externalEntitySelector: type: object properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: + matchExpressions: type: array items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + podSelector: type: object properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: + matchExpressions: type: array items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # 
Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. 
+ enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [http] + - required: [tls] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + path: + type: string + tls: + type: object + properties: + sni: + type: string + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + 
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + scope: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlocks: - type: array - items: - type: object - properties: - cidr: + enum: ['Cluster', 'ClusterSet'] + name: type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string - status: - type: object - properties: - conditions: + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + egress: type: array items: type: object + required: + - action properties: - type: - type: string - status: - type: string - lastTransitionTime: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: type: string - subresources: - status: {} - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - childGroups: - type: 
array - items: - type: string - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. 
+ enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [http] + - required: [tls] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + path: + type: string + tls: + type: object + properties: + sni: + type: string + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - 
type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlocks: - type: array - items: - type: object - properties: - cidr: + toServices: + type: array + items: + type: object + required: + - name + properties: + name: + type: string + namespace: + type: string + scope: + type: string + name: type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" status: type: object properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer conditions: type: array items: 
@@ -2066,158 +3545,13 @@ spec: type: string lastTransitionTime: type: string - subresources: - status: { } - scope: Namespaced - names: - plural: groups - singular: group - kind: Group - shortNames: - - grp ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ippools.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - required: - - ipVersion - - ipRanges - type: object - properties: - ipVersion: - type: integer - enum: [ 4, 6 ] - ipRanges: - items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength - properties: - cidr: - format: cidr - type: string - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - minimum: 1 - maximum: 128 - vlan: - type: integer - minimum: 0 - maximum: 4094 - type: object - type: array - status: - properties: - ipAddresses: - items: - properties: - ipAddress: + reason: type: string - owner: - properties: - pod: - properties: - name: - type: string - namespace: - type: string - containerID: - type: string - ifName: - type: string - type: object - statefulSet: - properties: - name: - type: string - namespace: - type: string - index: - type: integer - type: object - type: object - phase: + message: type: string - type: object - type: array - usage: - properties: - used: - type: integer - total: - type: integer - type: object - type: object - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: 
.metadata.creationTimestamp - name: Age - type: date subresources: status: {} - scope: Cluster - names: - plural: ippools - singular: ippool - kind: IPPool - shortNames: - - ipp ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: networkpolicies.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 + - name: v1beta1 served: true storage: true additionalPrinterColumns: @@ -2290,7 +3624,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object podSelector: type: object properties: @@ -2314,7 +3651,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string ingress: @@ -2353,13 +3693,16 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: @@ -2367,7 +3710,7 @@ spec: properties: protocol: type: string - enum: ['TCP', 'UDP', 'SCTP'] + enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: @@ -2381,8 +3724,8 @@ spec: items: type: object oneOf: - - required: [icmp] - - required: [igmp] + - required: [ icmp ] + - required: [ igmp ] properties: icmp: type: object 
@@ -2412,8 +3755,8 @@ spec: items: type: object oneOf: - - required: [http] - - required: [tls] + - required: [ http ] + - required: [ tls ] properties: http: type: object @@ -2422,7 +3765,7 @@ spec: type: string method: type: string - enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: @@ -2458,7 +3801,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object namespaceSelector: type: object properties: @@ -2482,7 +3828,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object externalEntitySelector: type: object properties: @@ -2506,7 +3855,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ipBlock: type: object properties: @@ -2536,12 +3888,15 @@ spec: type: object type: array matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string scope: type: string - enum: ['Cluster', 'ClusterSet'] + enum: [ 'Cluster', 'ClusterSet' ] name: type: string enableLogging: 
@@ -2585,13 +3940,16 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: @@ -2599,7 +3957,7 @@ spec: properties: protocol: type: string - enum: ['TCP', 'UDP', 'SCTP'] + enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: @@ -2613,8 +3971,8 @@ spec: items: type: object oneOf: - - required: [icmp] - - required: [igmp] + - required: [ icmp ] + - required: [ igmp ] properties: icmp: type: object @@ -2646,8 +4004,8 @@ spec: items: type: object oneOf: - - required: [http] - - required: [tls] + - required: [ http ] + - required: [ tls ] properties: http: type: object @@ -2656,7 +4014,7 @@ spec: type: string method: type: string - enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: @@ -2692,7 +4050,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object namespaceSelector: type: object properties: @@ -2716,7 +4077,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object externalEntitySelector: type: object properties: 
@@ -2740,7 +4104,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ipBlock: type: object properties: @@ -2772,7 +4139,10 @@ spec: type: object type: array matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string toServices: @@ -2780,7 +4150,7 @@ spec: items: type: object required: - - name + - name properties: name: type: string @@ -2822,7 +4192,7 @@ spec: message: type: string subresources: - status: {} + status: { } scope: Namespaced names: plural: networkpolicies diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index 90df532f592..c115f7e1f9a 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml @@ -706,7 +706,7 @@ spec: versions: - name: v1alpha1 served: true - storage: true + storage: false additionalPrinterColumns: - name: Tier type: string 
@@ -1396,682 +1396,2165 @@ spec: type: string subresources: status: {} - scope: Cluster - names: - plural: clusternetworkpolicies - singular: clusternetworkpolicy - kind: ClusterNetworkPolicy - shortNames: - - acnp - ---- -# Source: crds/egress.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: egresses.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 + - name: v1beta1 served: true storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - appliedTo - oneOf: - - anyOf: - - required: - - egressIP - - required: - - externalIPPool - - anyOf: - - required: - - egressIPs - - required: - - externalIPPools - properties: - appliedTo: - type: object - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - egressIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - egressIPs: - type: array - items: - type: string - oneOf: - - maxLength: 0 - - format: ipv4 - - format: ipv6 - externalIPPool: - type: string - externalIPPools: - type: array - items: - type: string - status: - type: object - properties: - egressNode: - type: string - egressIP: - type: string additionalPrinterColumns: - - 
description: The effective SNAT IP address for the selected workloads. - jsonPath: .status.egressIP - name: EgressIP + - name: Tier type: string - - jsonPath: .metadata.creationTimestamp - name: Age + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string - subresources: - status: {} - scope: Cluster - names: - plural: egresses - singular: egress - kind: Egress - shortNames: - - eg - ---- -# Source: crds/externalentity.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: externalentities.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true + jsonPath: .metadata.creationTimestamp schema: openAPIV3Schema: type: object properties: spec: + # Ensure that Spec.Priority field is set + required: + - priority type: object properties: - endpoints: - type: array - items: - type: object - properties: - ip: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - name: - type: string - ports: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: type: array items: type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field properties: - protocol: + podSelector: + type: 
object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - x-kubernetes-int-or-string: true - name: - type: string - externalNode: - type: string - - name: v1alpha1 - served: false - storage: false - schema: - openAPIV3Schema: - type: object - scope: Namespaced - names: - plural: externalentities - singular: externalentity - kind: ExternalEntity - shortNames: - - ee - ---- -# Source: crds/externalippool.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: externalippools.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - ipRanges - - nodeSelector - properties: - ipRanges: - type: array - items: - type: object - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - type: string - format: cidr - start: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - end: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - 
nodeSelector: - type: object - properties: - matchExpressions: - items: + serviceAccount: + type: object properties: - key: + name: type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist + namespace: type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array + required: + - name + - namespace + service: type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - status: - type: object - properties: - usage: - type: object - properties: - total: - type: integer - used: - type: integer - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: {} - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - ipRanges - - nodeSelector - properties: - ipRanges: - type: array - items: - type: object - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - type: string - format: cidr - start: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - end: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - nodeSelector: - type: object - properties: - matchExpressions: - items: properties: - key: + name: type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist + namespace: type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array - type: object - type: array - matchLabels: - additionalProperties: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: object - status: - type: object - properties: - usage: - type: object - properties: - total: - 
type: integer - used: - type: integer - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: { } - scope: Cluster - names: - plural: externalippools - singular: externalippool - kind: ExternalIPPool - shortNames: - - eip - ---- -# Source: crds/externalnode.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalnodes.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - interfaces - properties: - interfaces: + required: + - name + - namespace + ingress: type: array - minItems: 1 - maxItems: 1 - required: - - ips items: type: object + required: + - action properties: - ips: + appliedTo: type: array - minItems: 1 items: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - name: - type: string - served: true - storage: true - scope: Namespaced - names: - plural: externalnodes - singular: externalnode - kind: ExternalNode - shortNames: - - en - ---- -# Source: crds/group.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: groups.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha3 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - childGroups: - type: array - items: - type: string - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - 
matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlocks: - type: array - items: - type: object - properties: - cidr: - type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string - status: - type: object - properties: - conditions: - type: 
array - items: - type: object - properties: - type: - type: string - status: - type: string - lastTransitionTime: + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + service: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: type: string - subresources: - status: {} - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - childGroups: - type: array - items: - type: string - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. 
+ enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + scope: + type: string + enum: [ 'Cluster', 'ClusterSet' ] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + 
x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. + enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + 
additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + scope: + type: string + enum: [ 'Cluster', 'ClusterSet' ] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + reason: + type: string + message: + type: string + subresources: + status: { } + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp + +--- +# Source: crds/egress.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: egresses.crd.antrea.io + labels: + app: antrea +spec: 
+ group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + oneOf: + - anyOf: + - required: + - egressIP + - required: + - externalIPPool + - anyOf: + - required: + - egressIPs + - required: + - externalIPPools + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + egressIPs: + type: array + items: + type: string + oneOf: + - maxLength: 0 + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + externalIPPools: + type: array + items: + type: string + status: + type: object + properties: + egressNode: + type: string + egressIP: + type: string + additionalPrinterColumns: + - description: The effective SNAT IP address for the selected workloads. 
+ jsonPath: .status.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} + scope: Cluster + names: + plural: egresses + singular: egress + kind: Egress + shortNames: + - eg + +--- +# Source: crds/externalentity.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalentities.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoints: + type: array + items: + type: object + properties: + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: + type: string + externalNode: + type: string + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee + +--- +# Source: crds/externalippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + 
end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + 
additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: { } + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip + +--- +# Source: crds/externalnode.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalnodes.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - interfaces + properties: + interfaces: + type: array + minItems: 1 + maxItems: 1 + required: + - ips + items: + type: object + properties: + ips: + type: array + minItems: 1 + items: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + served: true + storage: true + scope: Namespaced + names: + plural: externalnodes + singular: externalnode + kind: ExternalNode + shortNames: + - en + +--- +# Source: crds/group.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: groups.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha3 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + 
matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: {} + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array items: type: 
object properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: { } + scope: Namespaced + names: + plural: groups + singular: group + kind: Group + shortNames: + - grp + +--- +# Source: crds/ippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges + type: object + properties: + ipVersion: + type: integer + enum: [ 4, 6 ] + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + minimum: 1 + maximum: 128 + vlan: + type: integer + minimum: 0 + maximum: 4094 + type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + 
name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: + type: string + type: object + type: array + usage: + properties: + used: + type: integer + total: + type: integer + type: object + type: object + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ipp + +--- +# Source: crds/networkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: false + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. 
+ jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + podSelector: + type: object + properties: + matchExpressions: type: array items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + 
type: string + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. + enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [http] + - required: [tls] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + path: + type: string + tls: + type: object + properties: + sni: + type: string + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + scope: + type: string + enum: ['Cluster', 'ClusterSet'] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: 
object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. 
+ enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [http] + - required: [tls] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + path: + type: string + tls: + type: object + properties: + sni: + type: string + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + toServices: + type: array + items: + type: object + required: + - name + properties: + name: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlocks: - type: array - items: - type: object - properties: - cidr: + namespace: + type: string + scope: + type: string + name: type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" status: type: object properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer conditions: type: array items: 
@@ -2083,162 +3566,13 @@ spec: type: string lastTransitionTime: type: string - subresources: - status: { } - scope: Namespaced - names: - plural: groups - singular: group - kind: Group - shortNames: - - grp - ---- -# Source: crds/ippool.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ippools.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - required: - - ipVersion - - ipRanges - type: object - properties: - ipVersion: - type: integer - enum: [ 4, 6 ] - ipRanges: - items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength - properties: - cidr: - format: cidr - type: string - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - minimum: 1 - maximum: 128 - vlan: - type: integer - minimum: 0 - maximum: 4094 - type: object - type: array - status: - properties: - ipAddresses: - items: - properties: - ipAddress: + reason: type: string - owner: - properties: - pod: - properties: - name: - type: string - namespace: - type: string - containerID: - type: string - ifName: - type: string - type: object - statefulSet: - properties: - name: - type: string - namespace: - type: string - index: - type: integer - type: object - type: object - phase: + message: type: string - type: object - type: array - usage: - properties: - used: - type: integer - total: - type: integer - type: object - type: object - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: 
integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date subresources: status: {} - scope: Cluster - names: - plural: ippools - singular: ippool - kind: IPPool - shortNames: - - ipp - ---- -# Source: crds/networkpolicy.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: networkpolicies.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 + - name: v1beta1 served: true storage: true additionalPrinterColumns: @@ -2311,7 +3645,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object podSelector: type: object properties: @@ -2335,7 +3672,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string ingress: @@ -2374,13 +3714,16 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: @@ -2388,7 +3731,7 @@ spec: properties: protocol: type: string - enum: ['TCP', 'UDP', 'SCTP'] + enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: @@ -2402,8 +3745,8 @@ spec: items: type: object oneOf: - - required: [icmp] - - required: [igmp] + - required: [ icmp ] + - required: [ igmp ] properties: icmp: type: object 
@@ -2433,8 +3776,8 @@ spec: items: type: object oneOf: - - required: [http] - - required: [tls] + - required: [ http ] + - required: [ tls ] properties: http: type: object @@ -2443,7 +3786,7 @@ spec: type: string method: type: string - enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: @@ -2479,7 +3822,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object namespaceSelector: type: object properties: @@ -2503,7 +3849,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object externalEntitySelector: type: object properties: @@ -2527,7 +3876,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ipBlock: type: object properties: @@ -2557,12 +3909,15 @@ spec: type: object type: array matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string scope: type: string - enum: ['Cluster', 'ClusterSet'] + enum: [ 'Cluster', 'ClusterSet' ] name: type: string enableLogging: 
@@ -2606,13 +3961,16 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: @@ -2620,7 +3978,7 @@ spec: properties: protocol: type: string - enum: ['TCP', 'UDP', 'SCTP'] + enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: @@ -2634,8 +3992,8 @@ spec: items: type: object oneOf: - - required: [icmp] - - required: [igmp] + - required: [ icmp ] + - required: [ igmp ] properties: icmp: type: object @@ -2667,8 +4025,8 @@ spec: items: type: object oneOf: - - required: [http] - - required: [tls] + - required: [ http ] + - required: [ tls ] properties: http: type: object @@ -2677,7 +4035,7 @@ spec: type: string method: type: string - enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: @@ -2713,7 +4071,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object namespaceSelector: type: object properties: @@ -2737,7 +4098,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object externalEntitySelector: type: object properties: 
@@ -2761,7 +4125,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ipBlock: type: object properties: @@ -2793,7 +4160,10 @@ spec: type: object type: array matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string toServices: @@ -2801,7 +4171,7 @@ spec: items: type: object required: - - name + - name properties: name: type: string @@ -2843,7 +4213,7 @@ spec: message: type: string subresources: - status: {} + status: { } scope: Namespaced names: plural: networkpolicies @@ -5481,7 +6851,7 @@ webhooks: rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] + apiVersions: ["v1beta1"] resources: ["clusternetworkpolicies"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] @@ -5496,7 +6866,7 @@ webhooks: rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] + apiVersions: ["v1beta1"] resources: ["networkpolicies"] scope: "Namespaced" admissionReviewVersions: ["v1", "v1beta1"] diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index 3b6c0ef5b0b..74ec048e352 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml @@ -706,7 +706,7 @@ spec: versions: - name: v1alpha1 served: true - storage: true + storage: false additionalPrinterColumns: - name: Tier type: string 
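Review bot: The validating webhook rules in the `@@ -5481,7 +6851,7 @@` and `@@ -5496,7 +6866,7 @@` hunks now list only `apiVersions: ["v1beta1"]`, while the v1alpha1 versions of clusternetworkpolicies and networkpolicies stay `served: true` elsewhere in this diff; whether v1alpha1 CREATE/UPDATE requests still reach the validator depends on the webhook's `matchPolicy`, which is not visible in the hunk. With the admissionregistration.k8s.io/v1 default of `Equivalent` the API server converts a v1alpha1 request to v1beta1 before invoking the webhook, so validation is preserved, but if the configuration sets `matchPolicy: Exact` a v1alpha1 write would skip the validator entirely. Setting the field explicitly (`matchPolicy: Equivalent`) or listing both versions (`apiVersions: ["v1alpha1", "v1beta1"]`) would make the intent visible to reviewers; since this manifest is rendered from the chart, the change belongs in the chart's webhook template rather than in this file. The same point applies to the corresponding hunks in the other rendered manifests in this commit.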
@@ -1396,682 +1396,2165 @@ spec: type: string subresources: status: {} - scope: Cluster - names: - plural: clusternetworkpolicies - singular: clusternetworkpolicy - kind: ClusterNetworkPolicy - shortNames: - - acnp - ---- -# Source: crds/egress.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: egresses.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 + - name: v1beta1 served: true storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - appliedTo - oneOf: - - anyOf: - - required: - - egressIP - - required: - - externalIPPool - - anyOf: - - required: - - egressIPs - - required: - - externalIPPools - properties: - appliedTo: - type: object - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - egressIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - egressIPs: - type: array - items: - type: string - oneOf: - - maxLength: 0 - - format: ipv4 - - format: ipv6 - externalIPPool: - type: string - externalIPPools: - type: array - items: - type: string - status: - type: object - properties: - egressNode: - type: string - egressIP: - type: string additionalPrinterColumns: - - 
description: The effective SNAT IP address for the selected workloads. - jsonPath: .status.egressIP - name: EgressIP + - name: Tier type: string - - jsonPath: .metadata.creationTimestamp - name: Age + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string - subresources: - status: {} - scope: Cluster - names: - plural: egresses - singular: egress - kind: Egress - shortNames: - - eg - ---- -# Source: crds/externalentity.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: externalentities.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true + jsonPath: .metadata.creationTimestamp schema: openAPIV3Schema: type: object properties: spec: + # Ensure that Spec.Priority field is set + required: + - priority type: object properties: - endpoints: - type: array - items: - type: object - properties: - ip: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - name: - type: string - ports: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: type: array items: type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field properties: - protocol: + podSelector: + type: 
object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - x-kubernetes-int-or-string: true - name: - type: string - externalNode: - type: string - - name: v1alpha1 - served: false - storage: false - schema: - openAPIV3Schema: - type: object - scope: Namespaced - names: - plural: externalentities - singular: externalentity - kind: ExternalEntity - shortNames: - - ee - ---- -# Source: crds/externalippool.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: externalippools.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - ipRanges - - nodeSelector - properties: - ipRanges: - type: array - items: - type: object - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - type: string - format: cidr - start: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - end: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - 
nodeSelector: - type: object - properties: - matchExpressions: - items: + serviceAccount: + type: object properties: - key: + name: type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist + namespace: type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array + required: + - name + - namespace + service: type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - status: - type: object - properties: - usage: - type: object - properties: - total: - type: integer - used: - type: integer - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: {} - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - ipRanges - - nodeSelector - properties: - ipRanges: - type: array - items: - type: object - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - type: string - format: cidr - start: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - end: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - nodeSelector: - type: object - properties: - matchExpressions: - items: properties: - key: + name: type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist + namespace: type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array - type: object - type: array - matchLabels: - additionalProperties: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: object - status: - type: object - properties: - usage: - type: object - properties: - total: - 
type: integer - used: - type: integer - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: { } - scope: Cluster - names: - plural: externalippools - singular: externalippool - kind: ExternalIPPool - shortNames: - - eip - ---- -# Source: crds/externalnode.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalnodes.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - interfaces - properties: - interfaces: + required: + - name + - namespace + ingress: type: array - minItems: 1 - maxItems: 1 - required: - - ips items: type: object + required: + - action properties: - ips: + appliedTo: type: array - minItems: 1 items: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - name: - type: string - served: true - storage: true - scope: Namespaced - names: - plural: externalnodes - singular: externalnode - kind: ExternalNode - shortNames: - - en - ---- -# Source: crds/group.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: groups.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha3 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - childGroups: - type: array - items: - type: string - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - 
matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlocks: - type: array - items: - type: object - properties: - cidr: - type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string - status: - type: object - properties: - conditions: - type: 
array - items: - type: object - properties: - type: - type: string - status: - type: string - lastTransitionTime: + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + service: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: type: string - subresources: - status: {} - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - childGroups: - type: array - items: - type: string - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. 
+ enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + scope: + type: string + enum: [ 'Cluster', 'ClusterSet' ] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + 
x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. + enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + 
additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + scope: + type: string + enum: [ 'Cluster', 'ClusterSet' ] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + reason: + type: string + message: + type: string + subresources: + status: { } + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp + +--- +# Source: crds/egress.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: egresses.crd.antrea.io + labels: + app: antrea +spec: 
+ group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + oneOf: + - anyOf: + - required: + - egressIP + - required: + - externalIPPool + - anyOf: + - required: + - egressIPs + - required: + - externalIPPools + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + egressIPs: + type: array + items: + type: string + oneOf: + - maxLength: 0 + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + externalIPPools: + type: array + items: + type: string + status: + type: object + properties: + egressNode: + type: string + egressIP: + type: string + additionalPrinterColumns: + - description: The effective SNAT IP address for the selected workloads. 
+ jsonPath: .status.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} + scope: Cluster + names: + plural: egresses + singular: egress + kind: Egress + shortNames: + - eg + +--- +# Source: crds/externalentity.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalentities.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoints: + type: array + items: + type: object + properties: + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: + type: string + externalNode: + type: string + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee + +--- +# Source: crds/externalippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + 
end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + 
additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: { } + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip + +--- +# Source: crds/externalnode.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalnodes.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - interfaces + properties: + interfaces: + type: array + minItems: 1 + maxItems: 1 + required: + - ips + items: + type: object + properties: + ips: + type: array + minItems: 1 + items: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + served: true + storage: true + scope: Namespaced + names: + plural: externalnodes + singular: externalnode + kind: ExternalNode + shortNames: + - en + +--- +# Source: crds/group.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: groups.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha3 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + 
matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: {} + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array items: type: 
object properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: { } + scope: Namespaced + names: + plural: groups + singular: group + kind: Group + shortNames: + - grp + +--- +# Source: crds/ippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges + type: object + properties: + ipVersion: + type: integer + enum: [ 4, 6 ] + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + minimum: 1 + maximum: 128 + vlan: + type: integer + minimum: 0 + maximum: 4094 + type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + 
name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: + type: string + type: object + type: array + usage: + properties: + used: + type: integer + total: + type: integer + type: object + type: object + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ipp + +--- +# Source: crds/networkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: false + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. 
+ jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + podSelector: + type: object + properties: + matchExpressions: type: array items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + 
type: string + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. + enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [http] + - required: [tls] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + path: + type: string + tls: + type: object + properties: + sni: + type: string + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + scope: + type: string + enum: ['Cluster', 'ClusterSet'] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: 
object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. 
+ enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [http] + - required: [tls] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + path: + type: string + tls: + type: object + properties: + sni: + type: string + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + toServices: + type: array + items: + type: object + required: + - name + properties: + name: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlocks: - type: array - items: - type: object - properties: - cidr: + namespace: + type: string + scope: + type: string + name: type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" status: type: object properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer conditions: type: array items: 
@@ -2083,162 +3566,13 @@ spec: type: string lastTransitionTime: type: string - subresources: - status: { } - scope: Namespaced - names: - plural: groups - singular: group - kind: Group - shortNames: - - grp - ---- -# Source: crds/ippool.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ippools.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - required: - - ipVersion - - ipRanges - type: object - properties: - ipVersion: - type: integer - enum: [ 4, 6 ] - ipRanges: - items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength - properties: - cidr: - format: cidr - type: string - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - minimum: 1 - maximum: 128 - vlan: - type: integer - minimum: 0 - maximum: 4094 - type: object - type: array - status: - properties: - ipAddresses: - items: - properties: - ipAddress: + reason: type: string - owner: - properties: - pod: - properties: - name: - type: string - namespace: - type: string - containerID: - type: string - ifName: - type: string - type: object - statefulSet: - properties: - name: - type: string - namespace: - type: string - index: - type: integer - type: object - type: object - phase: + message: type: string - type: object - type: array - usage: - properties: - used: - type: integer - total: - type: integer - type: object - type: object - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: 
integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date subresources: status: {} - scope: Cluster - names: - plural: ippools - singular: ippool - kind: IPPool - shortNames: - - ipp - ---- -# Source: crds/networkpolicy.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: networkpolicies.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 + - name: v1beta1 served: true storage: true additionalPrinterColumns: @@ -2311,7 +3645,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object podSelector: type: object properties: @@ -2335,7 +3672,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string ingress: @@ -2374,13 +3714,16 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: @@ -2388,7 +3731,7 @@ spec: properties: protocol: type: string - enum: ['TCP', 'UDP', 'SCTP'] + enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: @@ -2402,8 +3745,8 @@ spec: items: type: object oneOf: - - required: [icmp] - - required: [igmp] + - required: [ icmp ] + - required: [ igmp ] properties: icmp: type: object 
@@ -2433,8 +3776,8 @@ spec: items: type: object oneOf: - - required: [http] - - required: [tls] + - required: [ http ] + - required: [ tls ] properties: http: type: object @@ -2443,7 +3786,7 @@ spec: type: string method: type: string - enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: @@ -2479,7 +3822,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object namespaceSelector: type: object properties: @@ -2503,7 +3849,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object externalEntitySelector: type: object properties: @@ -2527,7 +3876,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ipBlock: type: object properties: @@ -2557,12 +3909,15 @@ spec: type: object type: array matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string scope: type: string - enum: ['Cluster', 'ClusterSet'] + enum: [ 'Cluster', 'ClusterSet' ] name: type: string enableLogging: 
@@ -2606,13 +3961,16 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: @@ -2620,7 +3978,7 @@ spec: properties: protocol: type: string - enum: ['TCP', 'UDP', 'SCTP'] + enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: @@ -2634,8 +3992,8 @@ spec: items: type: object oneOf: - - required: [icmp] - - required: [igmp] + - required: [ icmp ] + - required: [ igmp ] properties: icmp: type: object @@ -2667,8 +4025,8 @@ spec: items: type: object oneOf: - - required: [http] - - required: [tls] + - required: [ http ] + - required: [ tls ] properties: http: type: object @@ -2677,7 +4035,7 @@ spec: type: string method: type: string - enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: @@ -2713,7 +4071,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object namespaceSelector: type: object properties: @@ -2737,7 +4098,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object externalEntitySelector: type: object properties: 
@@ -2761,7 +4125,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ipBlock: type: object properties: @@ -2793,7 +4160,10 @@ spec: type: object type: array matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string toServices: @@ -2801,7 +4171,7 @@ spec: items: type: object required: - - name + - name properties: name: type: string @@ -2843,7 +4213,7 @@ spec: message: type: string subresources: - status: {} + status: { } scope: Namespaced names: plural: networkpolicies @@ -5478,7 +6848,7 @@ webhooks: rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] + apiVersions: ["v1beta1"] resources: ["clusternetworkpolicies"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] @@ -5493,7 +6863,7 @@ webhooks: rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] + apiVersions: ["v1beta1"] resources: ["networkpolicies"] scope: "Namespaced" admissionReviewVersions: ["v1", "v1beta1"] diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index 26a0d62a085..3187da16457 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml @@ -706,7 +706,7 @@ spec: versions: - name: v1alpha1 served: true - storage: true + storage: false additionalPrinterColumns: - name: Tier type: string 
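Review bot: Narrowing `apiVersions` to `["v1beta1"]` in both validating-webhook rules (the `-5478` and `-5493` hunks on this line) leaves coverage of the still-served `v1alpha1` path dependent on the webhook's `matchPolicy`, which is not visible in the hunk. With the admissionregistration.k8s.io/v1 default of `Equivalent`, a v1alpha1 create/update is converted to v1beta1 and still reaches the validator, but with `matchPolicy: Exact` such requests would skip CRD validation entirely while v1alpha1 keeps `served: true`. If the policy is the default, a comment above each rule such as `# v1alpha1 requests are converted and still validated (matchPolicy defaults to Equivalent)` would record the intent; otherwise list both versions, `apiVersions: ["v1alpha1", "v1beta1"]`. This manifest appears to be generated from the chart, so the change belongs in the chart's webhook source rather than here.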
@@ -1396,682 +1396,2165 @@ spec: type: string subresources: status: {} - scope: Cluster - names: - plural: clusternetworkpolicies - singular: clusternetworkpolicy - kind: ClusterNetworkPolicy - shortNames: - - acnp - ---- -# Source: crds/egress.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: egresses.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 + - name: v1beta1 served: true storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - appliedTo - oneOf: - - anyOf: - - required: - - egressIP - - required: - - externalIPPool - - anyOf: - - required: - - egressIPs - - required: - - externalIPPools - properties: - appliedTo: - type: object - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - egressIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - egressIPs: - type: array - items: - type: string - oneOf: - - maxLength: 0 - - format: ipv4 - - format: ipv6 - externalIPPool: - type: string - externalIPPools: - type: array - items: - type: string - status: - type: object - properties: - egressNode: - type: string - egressIP: - type: string additionalPrinterColumns: - - 
description: The effective SNAT IP address for the selected workloads. - jsonPath: .status.egressIP - name: EgressIP + - name: Tier type: string - - jsonPath: .metadata.creationTimestamp - name: Age + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string - subresources: - status: {} - scope: Cluster - names: - plural: egresses - singular: egress - kind: Egress - shortNames: - - eg - ---- -# Source: crds/externalentity.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: externalentities.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true + jsonPath: .metadata.creationTimestamp schema: openAPIV3Schema: type: object properties: spec: + # Ensure that Spec.Priority field is set + required: + - priority type: object properties: - endpoints: - type: array - items: - type: object - properties: - ip: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - name: - type: string - ports: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: type: array items: type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field properties: - protocol: + podSelector: + type: 
object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - x-kubernetes-int-or-string: true - name: - type: string - externalNode: - type: string - - name: v1alpha1 - served: false - storage: false - schema: - openAPIV3Schema: - type: object - scope: Namespaced - names: - plural: externalentities - singular: externalentity - kind: ExternalEntity - shortNames: - - ee - ---- -# Source: crds/externalippool.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: externalippools.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - ipRanges - - nodeSelector - properties: - ipRanges: - type: array - items: - type: object - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - type: string - format: cidr - start: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - end: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - 
nodeSelector: - type: object - properties: - matchExpressions: - items: + serviceAccount: + type: object properties: - key: + name: type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist + namespace: type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array + required: + - name + - namespace + service: type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - status: - type: object - properties: - usage: - type: object - properties: - total: - type: integer - used: - type: integer - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: {} - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - ipRanges - - nodeSelector - properties: - ipRanges: - type: array - items: - type: object - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - type: string - format: cidr - start: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - end: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - nodeSelector: - type: object - properties: - matchExpressions: - items: properties: - key: + name: type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist + namespace: type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array - type: object - type: array - matchLabels: - additionalProperties: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: object - status: - type: object - properties: - usage: - type: object - properties: - total: - 
type: integer - used: - type: integer - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: { } - scope: Cluster - names: - plural: externalippools - singular: externalippool - kind: ExternalIPPool - shortNames: - - eip - ---- -# Source: crds/externalnode.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalnodes.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - interfaces - properties: - interfaces: + required: + - name + - namespace + ingress: type: array - minItems: 1 - maxItems: 1 - required: - - ips items: type: object + required: + - action properties: - ips: + appliedTo: type: array - minItems: 1 items: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - name: - type: string - served: true - storage: true - scope: Namespaced - names: - plural: externalnodes - singular: externalnode - kind: ExternalNode - shortNames: - - en - ---- -# Source: crds/group.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: groups.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha3 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - childGroups: - type: array - items: - type: string - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - 
matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlocks: - type: array - items: - type: object - properties: - cidr: - type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string - status: - type: object - properties: - conditions: - type: 
array - items: - type: object - properties: - type: - type: string - status: - type: string - lastTransitionTime: + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + service: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: type: string - subresources: - status: {} - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - childGroups: - type: array - items: - type: string - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. 
+ enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + scope: + type: string + enum: [ 'Cluster', 'ClusterSet' ] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + 
x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. + enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + 
additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + scope: + type: string + enum: [ 'Cluster', 'ClusterSet' ] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + reason: + type: string + message: + type: string + subresources: + status: { } + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp + +--- +# Source: crds/egress.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: egresses.crd.antrea.io + labels: + app: antrea +spec: 
+ group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + oneOf: + - anyOf: + - required: + - egressIP + - required: + - externalIPPool + - anyOf: + - required: + - egressIPs + - required: + - externalIPPools + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + egressIPs: + type: array + items: + type: string + oneOf: + - maxLength: 0 + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + externalIPPools: + type: array + items: + type: string + status: + type: object + properties: + egressNode: + type: string + egressIP: + type: string + additionalPrinterColumns: + - description: The effective SNAT IP address for the selected workloads. 
+ jsonPath: .status.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} + scope: Cluster + names: + plural: egresses + singular: egress + kind: Egress + shortNames: + - eg + +--- +# Source: crds/externalentity.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalentities.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoints: + type: array + items: + type: object + properties: + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: + type: string + externalNode: + type: string + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee + +--- +# Source: crds/externalippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + 
end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + 
additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: { } + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip + +--- +# Source: crds/externalnode.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalnodes.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - interfaces + properties: + interfaces: + type: array + minItems: 1 + maxItems: 1 + required: + - ips + items: + type: object + properties: + ips: + type: array + minItems: 1 + items: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + served: true + storage: true + scope: Namespaced + names: + plural: externalnodes + singular: externalnode + kind: ExternalNode + shortNames: + - en + +--- +# Source: crds/group.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: groups.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha3 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + 
matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: {} + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array items: type: 
object properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: { } + scope: Namespaced + names: + plural: groups + singular: group + kind: Group + shortNames: + - grp + +--- +# Source: crds/ippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges + type: object + properties: + ipVersion: + type: integer + enum: [ 4, 6 ] + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + minimum: 1 + maximum: 128 + vlan: + type: integer + minimum: 0 + maximum: 4094 + type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + 
name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: + type: string + type: object + type: array + usage: + properties: + used: + type: integer + total: + type: integer + type: object + type: object + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ipp + +--- +# Source: crds/networkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: false + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. 
+ jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + podSelector: + type: object + properties: + matchExpressions: type: array items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + 
type: string + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. + enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [http] + - required: [tls] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + path: + type: string + tls: + type: object + properties: + sni: + type: string + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + scope: + type: string + enum: ['Cluster', 'ClusterSet'] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: 
object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. 
+ enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [http] + - required: [tls] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + path: + type: string + tls: + type: object + properties: + sni: + type: string + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + toServices: + type: array + items: + type: object + required: + - name + properties: + name: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlocks: - type: array - items: - type: object - properties: - cidr: + namespace: + type: string + scope: + type: string + name: type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" status: type: object properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer conditions: type: array items: 
@@ -2083,162 +3566,13 @@ spec: type: string lastTransitionTime: type: string - subresources: - status: { } - scope: Namespaced - names: - plural: groups - singular: group - kind: Group - shortNames: - - grp - ---- -# Source: crds/ippool.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ippools.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - required: - - ipVersion - - ipRanges - type: object - properties: - ipVersion: - type: integer - enum: [ 4, 6 ] - ipRanges: - items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength - properties: - cidr: - format: cidr - type: string - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - minimum: 1 - maximum: 128 - vlan: - type: integer - minimum: 0 - maximum: 4094 - type: object - type: array - status: - properties: - ipAddresses: - items: - properties: - ipAddress: + reason: type: string - owner: - properties: - pod: - properties: - name: - type: string - namespace: - type: string - containerID: - type: string - ifName: - type: string - type: object - statefulSet: - properties: - name: - type: string - namespace: - type: string - index: - type: integer - type: object - type: object - phase: + message: type: string - type: object - type: array - usage: - properties: - used: - type: integer - total: - type: integer - type: object - type: object - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: 
integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date subresources: status: {} - scope: Cluster - names: - plural: ippools - singular: ippool - kind: IPPool - shortNames: - - ipp - ---- -# Source: crds/networkpolicy.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: networkpolicies.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 + - name: v1beta1 served: true storage: true additionalPrinterColumns: @@ -2311,7 +3645,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object podSelector: type: object properties: @@ -2335,7 +3672,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string ingress: @@ -2374,13 +3714,16 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: @@ -2388,7 +3731,7 @@ spec: properties: protocol: type: string - enum: ['TCP', 'UDP', 'SCTP'] + enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: @@ -2402,8 +3745,8 @@ spec: items: type: object oneOf: - - required: [icmp] - - required: [igmp] + - required: [ icmp ] + - required: [ igmp ] properties: icmp: type: object 
@@ -2433,8 +3776,8 @@ spec: items: type: object oneOf: - - required: [http] - - required: [tls] + - required: [ http ] + - required: [ tls ] properties: http: type: object @@ -2443,7 +3786,7 @@ spec: type: string method: type: string - enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: @@ -2479,7 +3822,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object namespaceSelector: type: object properties: @@ -2503,7 +3849,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object externalEntitySelector: type: object properties: @@ -2527,7 +3876,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ipBlock: type: object properties: @@ -2557,12 +3909,15 @@ spec: type: object type: array matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string scope: type: string - enum: ['Cluster', 'ClusterSet'] + enum: [ 'Cluster', 'ClusterSet' ] name: type: string enableLogging: 
@@ -2606,13 +3961,16 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: @@ -2620,7 +3978,7 @@ spec: properties: protocol: type: string - enum: ['TCP', 'UDP', 'SCTP'] + enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: @@ -2634,8 +3992,8 @@ spec: items: type: object oneOf: - - required: [icmp] - - required: [igmp] + - required: [ icmp ] + - required: [ igmp ] properties: icmp: type: object @@ -2667,8 +4025,8 @@ spec: items: type: object oneOf: - - required: [http] - - required: [tls] + - required: [ http ] + - required: [ tls ] properties: http: type: object @@ -2677,7 +4035,7 @@ spec: type: string method: type: string - enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: @@ -2713,7 +4071,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object namespaceSelector: type: object properties: @@ -2737,7 +4098,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object externalEntitySelector: type: object properties: 
@@ -2761,7 +4125,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ipBlock: type: object properties: @@ -2793,7 +4160,10 @@ spec: type: object type: array matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string toServices: @@ -2801,7 +4171,7 @@ spec: items: type: object required: - - name + - name properties: name: type: string @@ -2843,7 +4213,7 @@ spec: message: type: string subresources: - status: {} + status: { } scope: Namespaced names: plural: networkpolicies @@ -5537,7 +6907,7 @@ webhooks: rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] + apiVersions: ["v1beta1"] resources: ["clusternetworkpolicies"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] @@ -5552,7 +6922,7 @@ webhooks: rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] + apiVersions: ["v1beta1"] resources: ["networkpolicies"] scope: "Namespaced" admissionReviewVersions: ["v1", "v1beta1"] diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 5084c8df511..53413391563 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -706,7 +706,7 @@ spec: versions: - name: v1alpha1 served: true - storage: true + storage: false additionalPrinterColumns: - name: Tier type: string 
@@ -1396,682 +1396,2165 @@ spec: type: string subresources: status: {} - scope: Cluster - names: - plural: clusternetworkpolicies - singular: clusternetworkpolicy - kind: ClusterNetworkPolicy - shortNames: - - acnp - ---- -# Source: crds/egress.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: egresses.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 + - name: v1beta1 served: true storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - appliedTo - oneOf: - - anyOf: - - required: - - egressIP - - required: - - externalIPPool - - anyOf: - - required: - - egressIPs - - required: - - externalIPPools - properties: - appliedTo: - type: object - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - egressIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - egressIPs: - type: array - items: - type: string - oneOf: - - maxLength: 0 - - format: ipv4 - - format: ipv6 - externalIPPool: - type: string - externalIPPools: - type: array - items: - type: string - status: - type: object - properties: - egressNode: - type: string - egressIP: - type: string additionalPrinterColumns: - - 
description: The effective SNAT IP address for the selected workloads. - jsonPath: .status.egressIP - name: EgressIP + - name: Tier type: string - - jsonPath: .metadata.creationTimestamp - name: Age + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string - subresources: - status: {} - scope: Cluster - names: - plural: egresses - singular: egress - kind: Egress - shortNames: - - eg - ---- -# Source: crds/externalentity.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: externalentities.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true + jsonPath: .metadata.creationTimestamp schema: openAPIV3Schema: type: object properties: spec: + # Ensure that Spec.Priority field is set + required: + - priority type: object properties: - endpoints: - type: array - items: - type: object - properties: - ip: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - name: - type: string - ports: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: type: array items: type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field properties: - protocol: + podSelector: + type: 
object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - x-kubernetes-int-or-string: true - name: - type: string - externalNode: - type: string - - name: v1alpha1 - served: false - storage: false - schema: - openAPIV3Schema: - type: object - scope: Namespaced - names: - plural: externalentities - singular: externalentity - kind: ExternalEntity - shortNames: - - ee - ---- -# Source: crds/externalippool.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: externalippools.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - ipRanges - - nodeSelector - properties: - ipRanges: - type: array - items: - type: object - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - type: string - format: cidr - start: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - end: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - 
nodeSelector: - type: object - properties: - matchExpressions: - items: + serviceAccount: + type: object properties: - key: + name: type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist + namespace: type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array + required: + - name + - namespace + service: type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - status: - type: object - properties: - usage: - type: object - properties: - total: - type: integer - used: - type: integer - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: {} - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - ipRanges - - nodeSelector - properties: - ipRanges: - type: array - items: - type: object - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - type: string - format: cidr - start: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - end: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - nodeSelector: - type: object - properties: - matchExpressions: - items: properties: - key: + name: type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist + namespace: type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array - type: object - type: array - matchLabels: - additionalProperties: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: object - status: - type: object - properties: - usage: - type: object - properties: - total: - 
type: integer - used: - type: integer - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: { } - scope: Cluster - names: - plural: externalippools - singular: externalippool - kind: ExternalIPPool - shortNames: - - eip - ---- -# Source: crds/externalnode.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalnodes.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - interfaces - properties: - interfaces: + required: + - name + - namespace + ingress: type: array - minItems: 1 - maxItems: 1 - required: - - ips items: type: object + required: + - action properties: - ips: + appliedTo: type: array - minItems: 1 items: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - name: - type: string - served: true - storage: true - scope: Namespaced - names: - plural: externalnodes - singular: externalnode - kind: ExternalNode - shortNames: - - en - ---- -# Source: crds/group.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: groups.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha3 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - childGroups: - type: array - items: - type: string - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - 
matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlocks: - type: array - items: - type: object - properties: - cidr: - type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string - status: - type: object - properties: - conditions: - type: 
array - items: - type: object - properties: - type: - type: string - status: - type: string - lastTransitionTime: + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + service: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: type: string - subresources: - status: {} - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - childGroups: - type: array - items: - type: string - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. 
+ enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + scope: + type: string + enum: [ 'Cluster', 'ClusterSet' ] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: [ 'TCP', 'UDP', 'SCTP' ] + port: + 
x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [ icmp ] + - required: [ igmp ] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. + enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [ http ] + - required: [ tls ] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] + path: + type: string + tls: + type: object + properties: + sni: + type: string + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + 
additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + scope: + type: string + enum: [ 'Cluster', 'ClusterSet' ] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + reason: + type: string + message: + type: string + subresources: + status: { } + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp + +--- +# Source: crds/egress.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: egresses.crd.antrea.io + labels: + app: antrea +spec: 
+ group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + oneOf: + - anyOf: + - required: + - egressIP + - required: + - externalIPPool + - anyOf: + - required: + - egressIPs + - required: + - externalIPPools + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + egressIPs: + type: array + items: + type: string + oneOf: + - maxLength: 0 + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + externalIPPools: + type: array + items: + type: string + status: + type: object + properties: + egressNode: + type: string + egressIP: + type: string + additionalPrinterColumns: + - description: The effective SNAT IP address for the selected workloads. 
+ jsonPath: .status.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} + scope: Cluster + names: + plural: egresses + singular: egress + kind: Egress + shortNames: + - eg + +--- +# Source: crds/externalentity.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalentities.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoints: + type: array + items: + type: object + properties: + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: + type: string + externalNode: + type: string + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee + +--- +# Source: crds/externalippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + 
end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + 
additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: { } + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip + +--- +# Source: crds/externalnode.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalnodes.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - interfaces + properties: + interfaces: + type: array + minItems: 1 + maxItems: 1 + required: + - ips + items: + type: object + properties: + ips: + type: array + minItems: 1 + items: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + served: true + storage: true + scope: Namespaced + names: + plural: externalnodes + singular: externalnode + kind: ExternalNode + shortNames: + - en + +--- +# Source: crds/group.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: groups.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha3 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + 
matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: {} + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array items: type: 
object properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: { } + scope: Namespaced + names: + plural: groups + singular: group + kind: Group + shortNames: + - grp + +--- +# Source: crds/ippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges + type: object + properties: + ipVersion: + type: integer + enum: [ 4, 6 ] + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + minimum: 1 + maximum: 128 + vlan: + type: integer + minimum: 0 + maximum: 4094 + type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + 
name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: + type: string + type: object + type: array + usage: + properties: + used: + type: integer + total: + type: integer + type: object + type: object + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ipp + +--- +# Source: crds/networkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: false + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. 
+ jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + podSelector: + type: object + properties: + matchExpressions: type: array items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + 
type: string + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. + enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [http] + - required: [tls] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + path: + type: string + tls: + type: object + properties: + sni: + type: string + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + scope: + type: string + enum: ['Cluster', 'ClusterSet'] + name: + type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: 
object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + sourcePort: + type: integer + sourceEndPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. 
+ enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + l7Protocols: + type: array + items: + type: object + oneOf: + - required: [http] + - required: [tls] + properties: + http: + type: object + properties: + host: + type: string + method: + type: string + enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + path: + type: string + tls: + type: object + properties: + sni: + type: string + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + toServices: + type: array + items: + type: object + required: + - name + properties: + name: type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlocks: - type: array - items: - type: object - properties: - cidr: + namespace: + type: string + scope: + type: string + name: type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string + enableLogging: + type: boolean + logLabel: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" status: type: object properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer conditions: type: array items: 
@@ -2083,162 +3566,13 @@ spec: type: string lastTransitionTime: type: string - subresources: - status: { } - scope: Namespaced - names: - plural: groups - singular: group - kind: Group - shortNames: - - grp - ---- -# Source: crds/ippool.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ippools.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - required: - - ipVersion - - ipRanges - type: object - properties: - ipVersion: - type: integer - enum: [ 4, 6 ] - ipRanges: - items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength - properties: - cidr: - format: cidr - type: string - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - minimum: 1 - maximum: 128 - vlan: - type: integer - minimum: 0 - maximum: 4094 - type: object - type: array - status: - properties: - ipAddresses: - items: - properties: - ipAddress: + reason: type: string - owner: - properties: - pod: - properties: - name: - type: string - namespace: - type: string - containerID: - type: string - ifName: - type: string - type: object - statefulSet: - properties: - name: - type: string - namespace: - type: string - index: - type: integer - type: object - type: object - phase: + message: type: string - type: object - type: array - usage: - properties: - used: - type: integer - total: - type: integer - type: object - type: object - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: 
integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date subresources: status: {} - scope: Cluster - names: - plural: ippools - singular: ippool - kind: IPPool - shortNames: - - ipp - ---- -# Source: crds/networkpolicy.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: networkpolicies.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 + - name: v1beta1 served: true storage: true additionalPrinterColumns: @@ -2311,7 +3645,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object podSelector: type: object properties: @@ -2335,7 +3672,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string ingress: @@ -2374,13 +3714,16 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: @@ -2388,7 +3731,7 @@ spec: properties: protocol: type: string - enum: ['TCP', 'UDP', 'SCTP'] + enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: @@ -2402,8 +3745,8 @@ spec: items: type: object oneOf: - - required: [icmp] - - required: [igmp] + - required: [ icmp ] + - required: [ igmp ] properties: icmp: type: object 
@@ -2433,8 +3776,8 @@ spec: items: type: object oneOf: - - required: [http] - - required: [tls] + - required: [ http ] + - required: [ tls ] properties: http: type: object @@ -2443,7 +3786,7 @@ spec: type: string method: type: string - enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: @@ -2479,7 +3822,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object namespaceSelector: type: object properties: @@ -2503,7 +3849,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object externalEntitySelector: type: object properties: @@ -2527,7 +3876,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ipBlock: type: object properties: @@ -2557,12 +3909,15 @@ spec: type: object type: array matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string scope: type: string - enum: ['Cluster', 'ClusterSet'] + enum: [ 'Cluster', 'ClusterSet' ] name: type: string enableLogging: 
@@ -2606,13 +3961,16 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] + enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: @@ -2620,7 +3978,7 @@ spec: properties: protocol: type: string - enum: ['TCP', 'UDP', 'SCTP'] + enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: @@ -2634,8 +3992,8 @@ spec: items: type: object oneOf: - - required: [icmp] - - required: [igmp] + - required: [ icmp ] + - required: [ igmp ] properties: icmp: type: object @@ -2667,8 +4025,8 @@ spec: items: type: object oneOf: - - required: [http] - - required: [tls] + - required: [ http ] + - required: [ tls ] properties: http: type: object @@ -2677,7 +4035,7 @@ spec: type: string method: type: string - enum: ['GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH'] + enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: @@ -2713,7 +4071,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object namespaceSelector: type: object properties: @@ -2737,7 +4098,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object externalEntitySelector: type: object properties: 
@@ -2761,7 +4125,10 @@ spec: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object ipBlock: type: object properties: @@ -2793,7 +4160,10 @@ spec: type: object type: array matchLabels: - x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object group: type: string toServices: @@ -2801,7 +4171,7 @@ spec: items: type: object required: - - name + - name properties: name: type: string @@ -2843,7 +4213,7 @@ spec: message: type: string subresources: - status: {} + status: { } scope: Namespaced names: plural: networkpolicies @@ -5478,7 +6848,7 @@ webhooks: rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] + apiVersions: ["v1beta1"] resources: ["clusternetworkpolicies"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] @@ -5493,7 +6863,7 @@ webhooks: rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] + apiVersions: ["v1beta1"] resources: ["networkpolicies"] scope: "Namespaced" admissionReviewVersions: ["v1", "v1beta1"] diff --git a/cmd/antrea-controller/controller.go b/cmd/antrea-controller/controller.go index d9c9aaa3bf4..f7ac12fb750 100644 --- a/cmd/antrea-controller/controller.go +++ b/cmd/antrea-controller/controller.go 
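Review bot: The two validating-webhook hunks at the end of this line narrow the rules to `apiVersions: ["v1beta1"]` for clusternetworkpolicies and networkpolicies, while the CRD hunks earlier in this file keep v1alpha1 served (`served: true`, `storage: false`). Whether a CREATE/UPDATE submitted through the still-served v1alpha1 endpoint reaches the validator then depends on the webhook's `matchPolicy`, which these hunks do not show: with `Equivalent` (the admissionregistration.k8s.io/v1 default) the request is converted to v1beta1 and intercepted, but with `Exact` a v1alpha1 write would skip validation entirely. Worth confirming the chart's crdvalidator.yaml leaves `matchPolicy` at `Equivalent` or sets it explicitly, or alternatively listing both versions, `apiVersions: ["v1alpha1", "v1beta1"]`, so the intent does not rest on a default. The same applies to the second webhook hunk (`resources: ["networkpolicies"]`).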
@@ -134,9 +134,9 @@ func run(o *Options) error {
 serviceInformer := informerFactory.Core().V1().Services()
 networkPolicyInformer := informerFactory.Networking().V1().NetworkPolicies()
 nodeInformer := informerFactory.Core().V1().Nodes()
- acnpInformer := crdInformerFactory.Crd().V1alpha1().ClusterNetworkPolicies()
+ acnpInformer := crdInformerFactory.Crd().V1beta1().ClusterNetworkPolicies()
 eeInformer := crdInformerFactory.Crd().V1alpha2().ExternalEntities()
- annpInformer := crdInformerFactory.Crd().V1alpha1().NetworkPolicies()
+ annpInformer := crdInformerFactory.Crd().V1beta1().NetworkPolicies()
 tierInformer := crdInformerFactory.Crd().V1beta1().Tiers()
 tfInformer := crdInformerFactory.Crd().V1alpha1().Traceflows()
 cgInformer := crdInformerFactory.Crd().V1beta1().ClusterGroups()
diff --git a/docs/api.md b/docs/api.md
index 3799f5f4eab..565f7926e7c 100644
--- a/docs/api.md
+++ b/docs/api.md
@@ -31,14 +31,16 @@ These are the CRDs currently available in `crd.antrea.io`.
 | `ClusterGroup` | v1alpha2 | v1.0.0 | v1.1.0 | v2.0.0 |
 | `ClusterGroup` | v1alpha3 | v1.1.0 | v1.13.0 | N/A |
 | `ClusterGroup` | v1beta1 | v1.13.0 | N/A | N/A |
-| `ClusterNetworkPolicy` | v1alpha1 | v1.0.0 | N/A | N/A |
+| `ClusterNetworkPolicy` | v1alpha1 | v1.0.0 | v1.13.0 | N/A |
+| `ClusterNetworkPolicy` | v1beta1 | v1.13.0 | N/A | N/A |
 | `Egress` | v1alpha2 | v1.0.0 | N/A | N/A |
 | `ExternalEntity` | v1alpha2 | v1.0.0 | N/A | N/A |
 | `ExternalIPPool` | v1alpha2 | v1.2.0 | v1.13.0 | N/A |
 | `ExternalIPPool` | v1beta1 | v1.13.0 | N/A | N/A |
 | `Group` | v1alpha3 | v1.8.0 | v1.13.0 | N/A |
 | `Group` | v1beta1 | v1.13.0 | N/A | N/A |
-| `NetworkPolicy` | v1alpha1 | v1.0.0 | N/A | N/A |
+| `NetworkPolicy` | v1alpha1 | v1.0.0 | v1.13.0 | N/A |
+| `NetworkPolicy` | v1beta1 | v1.13.0 | N/A | N/A |
 | `Tier` | v1alpha1 | v1.0.0 | v1.13.0 | v2.0.0 |
 | `Tier` | v1beta1 | v1.13.0 | N/A | N/A |
 | `Traceflow` | v1alpha1 | v1.0.0 | N/A | N/A |
diff --git a/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go b/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go
index 1316574cbb1..527f0ba7d57 100644
--- a/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go
+++ b/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go
@@ -20,8 +20,8 @@ import (
 v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
- "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 "antrea.io/antrea/pkg/apis/crd/v1alpha2"
+ "antrea.io/antrea/pkg/apis/crd/v1beta1"
 )
 
 // ServiceExport exports Service.
@@ -68,7 +68,7 @@ type ResourceExportSpec struct {
 // If exported resource is ExternalEntity.
 ExternalEntity *ExternalEntityExport `json:"externalEntity,omitempty"`
 // If exported resource is AntreaClusterNetworkPolicy.
- ClusterNetworkPolicy *v1alpha1.ClusterNetworkPolicySpec `json:"clusterNetworkPolicy,omitempty"`
+ ClusterNetworkPolicy *v1beta1.ClusterNetworkPolicySpec `json:"clusterNetworkPolicy,omitempty"`
 // If exported resource is LabelIdentity of a cluster.
 LabelIdentity *LabelIdentityExport `json:"labelIdentity,omitempty"`
 // If exported resource kind is unknown.
diff --git a/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go b/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go
index 5e1d81d60bd..b8b2cbb0280 100644
--- a/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go
+++ b/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go
@@ -21,8 +21,8 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 mcs "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1"
 
- "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 "antrea.io/antrea/pkg/apis/crd/v1alpha2"
+ "antrea.io/antrea/pkg/apis/crd/v1beta1"
 )
 
 // EndpointsImport imports Endpoints.
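Review bot: `ResourceExportSpec.ClusterNetworkPolicy` swaps the embedded Go type to `v1beta1.ClusterNetworkPolicySpec` while the enclosing multicluster API stays `v1alpha1` and the `json:"clusterNetworkPolicy,omitempty"` tag is unchanged; the same applies to `ResourceImportSpec.ClusterNetworkPolicy` in the following file. Nothing in this chunk shows whether the v1beta1 spec is wire-compatible with the v1alpha1 one, and a leader and a member on different Antrea releases presumably exchange these objects as-is, so a field present in only one version would be dropped on decode. That constraint is worth recording on the field, e.g. `// Encoded with the v1beta1 spec since v1.13; keep it wire-compatible with v1alpha1 for mixed-version deployments.` If the ResourceExport/ResourceImport CRD schemas are generated from these types, the regenerated YAML is not visible here and should be part of the same change.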
@@ -61,7 +61,7 @@ type ResourceImportSpec struct { // If imported resource is ExternalEntity. ExternalEntity *ExternalEntityImport `json:"externalentity,omitempty"` // If imported resource is AntreaClusterNetworkPolicy. - ClusterNetworkPolicy *v1alpha1.ClusterNetworkPolicySpec `json:"clusternetworkpolicy,omitempty"` + ClusterNetworkPolicy *v1beta1.ClusterNetworkPolicySpec `json:"clusternetworkpolicy,omitempty"` // If imported resource kind is LabelIdentity. LabelIdentity *LabelIdentitySpec `json:"labelIdentity,omitempty"` // If imported resource kind is unknown. diff --git a/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go b/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go index 316a7099a9e..ebebbdea7eb 100644 --- a/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go +++ b/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go @@ -20,8 +20,8 @@ package v1alpha1 import ( - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" "antrea.io/antrea/pkg/apis/crd/v1alpha2" + "antrea.io/antrea/pkg/apis/crd/v1beta1" "k8s.io/api/core/v1" runtime "k8s.io/apimachinery/pkg/runtime" apisv1alpha1 "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" @@ -808,7 +808,7 @@ func (in *ResourceExportSpec) DeepCopyInto(out *ResourceExportSpec) { } if in.ClusterNetworkPolicy != nil { in, out := &in.ClusterNetworkPolicy, &out.ClusterNetworkPolicy - *out = new(crdv1alpha1.ClusterNetworkPolicySpec) + *out = new(v1beta1.ClusterNetworkPolicySpec) (*in).DeepCopyInto(*out) } if in.LabelIdentity != nil { @@ -982,7 +982,7 @@ func (in *ResourceImportSpec) DeepCopyInto(out *ResourceImportSpec) { } if in.ClusterNetworkPolicy != nil { in, out := &in.ClusterNetworkPolicy, &out.ClusterNetworkPolicy - *out = new(crdv1alpha1.ClusterNetworkPolicySpec) + *out = new(v1beta1.ClusterNetworkPolicySpec) (*in).DeepCopyInto(*out) } if in.LabelIdentity != nil { 
diff --git a/multicluster/controllers/multicluster/common/test_data.go b/multicluster/controllers/multicluster/common/test_data.go index f59b13d7f59..4a1f83d2d1e 100644 --- a/multicluster/controllers/multicluster/common/test_data.go +++ b/multicluster/controllers/multicluster/common/test_data.go @@ -28,7 +28,7 @@ import ( mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" mcsv1alpha2 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha2" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" ) var ( @@ -108,5 +108,5 @@ func init() { utilruntime.Must(mcsv1alpha2.AddToScheme(TestScheme)) utilruntime.Must(k8smcsapi.AddToScheme(TestScheme)) utilruntime.Must(k8sscheme.AddToScheme(TestScheme)) - utilruntime.Must(crdv1alpha1.AddToScheme(TestScheme)) + utilruntime.Must(crdv1beta1.AddToScheme(TestScheme)) } diff --git a/multicluster/controllers/multicluster/leader/resourceexport_controller_test.go b/multicluster/controllers/multicluster/leader/resourceexport_controller_test.go index 17a91a48bd1..bc720ccf35b 100644 --- a/multicluster/controllers/multicluster/leader/resourceexport_controller_test.go +++ b/multicluster/controllers/multicluster/leader/resourceexport_controller_test.go @@ -32,12 +32,12 @@ import ( "antrea.io/antrea/multicluster/apis/multicluster/constants" mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" "antrea.io/antrea/multicluster/controllers/multicluster/common" - "antrea.io/antrea/pkg/apis/crd/v1alpha1" + "antrea.io/antrea/pkg/apis/crd/v1beta1" ) var ( now = metav1.Now() - dropAction = v1alpha1.RuleActionDrop + dropAction = v1beta1.RuleActionDrop svcLabels = map[string]string{ constants.SourceNamespace: "default", constants.SourceName: "nginx", 
@@ -61,19 +61,19 @@ var ( Namespace: "default", Name: "test-acnp-export", }} - isolationACNPSpec = &v1alpha1.ClusterNetworkPolicySpec{ + isolationACNPSpec = &v1beta1.ClusterNetworkPolicySpec{ Tier: "securityops", Priority: 1.0, - AppliedTo: []v1alpha1.AppliedTo{ + AppliedTo: []v1beta1.AppliedTo{ {NamespaceSelector: &metav1.LabelSelector{}}, }, - Ingress: []v1alpha1.Rule{ + Ingress: []v1beta1.Rule{ { Action: &dropAction, - From: []v1alpha1.NetworkPolicyPeer{ + From: []v1beta1.NetworkPolicyPeer{ { - Namespaces: &v1alpha1.PeerNamespaces{ - Match: v1alpha1.NamespaceMatchSelf, + Namespaces: &v1beta1.PeerNamespaces{ + Match: v1beta1.NamespaceMatchSelf, }, }, }, diff --git a/multicluster/controllers/multicluster/member/acnp_resourceimport_controller.go b/multicluster/controllers/multicluster/member/acnp_resourceimport_controller.go index 8895c410347..e8fe89a6602 100644 --- a/multicluster/controllers/multicluster/member/acnp_resourceimport_controller.go +++ b/multicluster/controllers/multicluster/member/acnp_resourceimport_controller.go @@ -29,7 +29,6 @@ import ( multiclusterv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" "antrea.io/antrea/multicluster/controllers/multicluster/common" - "antrea.io/antrea/pkg/apis/crd/v1alpha1" "antrea.io/antrea/pkg/apis/crd/v1beta1" ) @@ -55,7 +54,7 @@ func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx klog.InfoS("Updating ACNP corresponding to ResourceImport", "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) - acnp := &v1alpha1.ClusterNetworkPolicy{} + acnp := &v1beta1.ClusterNetworkPolicy{} err := r.localClusterClient.Get(ctx, acnpName, acnp) acnpNotFound := apierrors.IsNotFound(err) if err != nil && !acnpNotFound { 
@@ -116,7 +115,7 @@ func (r *ResourceImportReconciler) handleResImpDeleteForClusterNetworkPolicy(ctx klog.InfoS("Deleting ACNP corresponding to ResourceImport", "acnp", acnpName, "resourceimport", klog.KObj(resImp)) - acnp := &v1alpha1.ClusterNetworkPolicy{ + acnp := &v1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: acnpName, }, @@ -130,8 +129,8 @@ func (r *ResourceImportReconciler) handleResImpDeleteForClusterNetworkPolicy(ctx return ctrl.Result{}, nil } -func getMCAntreaClusterPolicy(resImp *multiclusterv1alpha1.ResourceImport) *v1alpha1.ClusterNetworkPolicy { - return &v1alpha1.ClusterNetworkPolicy{ +func getMCAntreaClusterPolicy(resImp *multiclusterv1alpha1.ResourceImport) *v1beta1.ClusterNetworkPolicy { + return &v1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: common.ToMCResourceName(resImp.Spec.Name), Annotations: map[string]string{ diff --git a/multicluster/controllers/multicluster/member/acnp_resourceimport_controller_test.go b/multicluster/controllers/multicluster/member/acnp_resourceimport_controller_test.go index 6c109d8a72b..f17fab82955 100644 --- a/multicluster/controllers/multicluster/member/acnp_resourceimport_controller_test.go +++ b/multicluster/controllers/multicluster/member/acnp_resourceimport_controller_test.go @@ -33,7 +33,6 @@ import ( mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" "antrea.io/antrea/multicluster/controllers/multicluster/common" "antrea.io/antrea/multicluster/controllers/multicluster/commonarea" - "antrea.io/antrea/pkg/apis/crd/v1alpha1" "antrea.io/antrea/pkg/apis/crd/v1beta1" ) @@ -54,8 +53,8 @@ var ( Name: "default-acnp-no-spec", }} - allowAction = v1alpha1.RuleActionAllow - dropAction = v1alpha1.RuleActionDrop + allowAction = v1beta1.RuleActionAllow + dropAction = v1beta1.RuleActionDrop securityOpsTier = &v1beta1.Tier{ ObjectMeta: metav1.ObjectMeta{ Name: "securityops", 
@@ -73,19 +72,19 @@ var ( Spec: mcsv1alpha1.ResourceImportSpec{ Name: acnpImportName, Kind: constants.AntreaClusterNetworkPolicyKind, - ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + ClusterNetworkPolicy: &v1beta1.ClusterNetworkPolicySpec{ Tier: "securityops", Priority: 1.0, - AppliedTo: []v1alpha1.AppliedTo{ + AppliedTo: []v1beta1.AppliedTo{ {NamespaceSelector: &metav1.LabelSelector{}}, }, - Ingress: []v1alpha1.Rule{ + Ingress: []v1beta1.Rule{ { Action: &dropAction, - From: []v1alpha1.NetworkPolicyPeer{ + From: []v1beta1.NetworkPolicyPeer{ { - Namespaces: &v1alpha1.PeerNamespaces{ - Match: v1alpha1.NamespaceMatchSelf, + Namespaces: &v1beta1.PeerNamespaces{ + Match: v1beta1.NamespaceMatchSelf, }, }, }, @@ -112,10 +111,10 @@ var ( Spec: mcsv1alpha1.ResourceImportSpec{ Name: "acnp-no-matching-tier", Kind: constants.AntreaClusterNetworkPolicyKind, - ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + ClusterNetworkPolicy: &v1beta1.ClusterNetworkPolicySpec{ Tier: "somerandomtier", Priority: 1.0, - AppliedTo: []v1alpha1.AppliedTo{ + AppliedTo: []v1beta1.AppliedTo{ {NamespaceSelector: &metav1.LabelSelector{}}, }, }, @@ -161,7 +160,7 @@ func TestResourceImportReconciler_handleCopySpanACNPCreateEvent(t *testing.T) { t.Errorf("ResourceImport Reconciler should handle ACNP create event successfully but got error = %v", err) } } else { - acnp := &v1alpha1.ClusterNetworkPolicy{} + acnp := &v1beta1.ClusterNetworkPolicy{} err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + tt.acnpImportName}, acnp) if tt.expectedSuccess && err != nil { t.Errorf("ResourceImport Reconciler should import an ACNP successfully but got error = %v", err) 
@@ -183,7 +182,7 @@ func TestResourceImportReconciler_handleCopySpanACNPCreateEvent(t *testing.T) { } func TestResourceImportReconciler_handleCopySpanACNPDeleteEvent(t *testing.T) { - existingACNP := &v1alpha1.ClusterNetworkPolicy{ + existingACNP := &v1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: common.AntreaMCSPrefix + acnpImportName, }, @@ -199,7 +198,7 @@ func TestResourceImportReconciler_handleCopySpanACNPDeleteEvent(t *testing.T) { if _, err := r.Reconcile(ctx, acnpImpReq); err != nil { t.Errorf("ResourceImport Reconciler should handle ACNP ResourceImport delete event successfully but got error = %v", err) } - acnp := &v1alpha1.ClusterNetworkPolicy{} + acnp := &v1beta1.ClusterNetworkPolicy{} if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + acnpImportName}, acnp); !apierrors.IsNotFound(err) { t.Errorf("ResourceImport Reconciler should delete ACNP successfully but got error = %v", err) } @@ -209,24 +208,24 @@ func TestResourceImportReconciler_handleCopySpanACNPDeleteEvent(t *testing.T) { } func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) { - existingACNP1 := &v1alpha1.ClusterNetworkPolicy{ + existingACNP1 := &v1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: common.AntreaMCSPrefix + acnpImportName, Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, }, - Spec: v1alpha1.ClusterNetworkPolicySpec{ + Spec: v1beta1.ClusterNetworkPolicySpec{ Tier: "securityops", Priority: 1.0, - AppliedTo: []v1alpha1.AppliedTo{ + AppliedTo: []v1beta1.AppliedTo{ {NamespaceSelector: &metav1.LabelSelector{}}, }, - Ingress: []v1alpha1.Rule{ + Ingress: []v1beta1.Rule{ { Action: &allowAction, - From: []v1alpha1.NetworkPolicyPeer{ + From: []v1beta1.NetworkPolicyPeer{ { - Namespaces: &v1alpha1.PeerNamespaces{ - Match: v1alpha1.NamespaceMatchSelf, + Namespaces: &v1beta1.PeerNamespaces{ + Match: v1beta1.NamespaceMatchSelf, }, }, }, 
@@ -242,24 +241,24 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) { Spec: mcsv1alpha1.ResourceImportSpec{ Name: "acnp-no-matching-tier", Kind: constants.AntreaClusterNetworkPolicyKind, - ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + ClusterNetworkPolicy: &v1beta1.ClusterNetworkPolicySpec{ Tier: "securityops", Priority: 1.0, - AppliedTo: []v1alpha1.AppliedTo{ + AppliedTo: []v1beta1.AppliedTo{ {NamespaceSelector: &metav1.LabelSelector{}}, }, }, }, } - existingACNP3 := &v1alpha1.ClusterNetworkPolicy{ + existingACNP3 := &v1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: common.AntreaMCSPrefix + "valid-updated-to-no-valid", Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, }, - Spec: v1alpha1.ClusterNetworkPolicySpec{ + Spec: v1beta1.ClusterNetworkPolicySpec{ Tier: "securityops", Priority: 1.0, - AppliedTo: []v1alpha1.AppliedTo{ + AppliedTo: []v1beta1.AppliedTo{ {NamespaceSelector: &metav1.LabelSelector{}}, }, }, @@ -272,10 +271,10 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) { Spec: mcsv1alpha1.ResourceImportSpec{ Name: acnpImportName, Kind: constants.AntreaClusterNetworkPolicyKind, - ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + ClusterNetworkPolicy: &v1beta1.ClusterNetworkPolicySpec{ Tier: "somerandomtier", Priority: 1.0, - AppliedTo: []v1alpha1.AppliedTo{ + AppliedTo: []v1beta1.AppliedTo{ {NamespaceSelector: &metav1.LabelSelector{}}, }, }, 
@@ -289,14 +288,14 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) { Namespace: leaderNamespace, Name: "default-name-conflict", }} - existingACNP4 := &v1alpha1.ClusterNetworkPolicy{ + existingACNP4 := &v1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: common.AntreaMCSPrefix + "name-conflict", }, - Spec: v1alpha1.ClusterNetworkPolicySpec{ + Spec: v1beta1.ClusterNetworkPolicySpec{ Tier: "securityops", Priority: 1.0, - AppliedTo: []v1alpha1.AppliedTo{ + AppliedTo: []v1beta1.AppliedTo{ {NamespaceSelector: &metav1.LabelSelector{}}, }, }, @@ -317,7 +316,7 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) { req ctrl.Request expectErr bool expectImportSuccess bool - expectedUpdatedACNPSpec *v1alpha1.ClusterNetworkPolicySpec + expectedUpdatedACNPSpec *v1beta1.ClusterNetworkPolicySpec }{ { name: "update acnp spec", @@ -362,7 +361,7 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) { } } else { if tt.expectedUpdatedACNPSpec != nil { - acnp := &v1alpha1.ClusterNetworkPolicy{} + acnp := &v1beta1.ClusterNetworkPolicy{} err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + tt.acnpImportName}, acnp) if tt.expectImportSuccess && err != nil { t.Errorf("ResourceImport Reconciler should import an ACNP successfully but got error = %v", err) diff --git a/multicluster/controllers/multicluster/stale_controller.go b/multicluster/controllers/multicluster/stale_controller.go index 47d4c0b69f8..7688a3b1d35 100644 --- a/multicluster/controllers/multicluster/stale_controller.go +++ b/multicluster/controllers/multicluster/stale_controller.go 
@@ -35,7 +35,7 @@ import (
 mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1"
 "antrea.io/antrea/multicluster/controllers/multicluster/common"
 "antrea.io/antrea/multicluster/controllers/multicluster/commonarea"
- crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 )
 
 const (
@@ -114,7 +114,7 @@ func (c *StaleResCleanupController) cleanupStaleResourcesOnMember(ctx context.Co
 if err := c.List(ctx, svcList, &client.ListOptions{}); err != nil {
 return err
 }
- acnpList := &crdv1alpha1.ClusterNetworkPolicyList{}
+ acnpList := &crdv1beta1.ClusterNetworkPolicyList{}
 if err := c.List(ctx, acnpList, &client.ListOptions{}); err != nil {
 return err
 }
@@ -211,9 +211,9 @@ func (c *StaleResCleanupController) cleanupStaleServiceResources(ctx context.Con
 return nil
 }
 
-func (c *StaleResCleanupController) cleanupACNPResources(ctx context.Context, acnpList *crdv1alpha1.ClusterNetworkPolicyList,
+func (c *StaleResCleanupController) cleanupACNPResources(ctx context.Context, acnpList *crdv1beta1.ClusterNetworkPolicyList,
 resImpList *mcsv1alpha1.ResourceImportList) error {
- staleMCACNPItems := map[string]crdv1alpha1.ClusterNetworkPolicy{}
+ staleMCACNPItems := map[string]crdv1beta1.ClusterNetworkPolicy{}
 for _, acnp := range acnpList.Items {
 if _, ok := acnp.Annotations[common.AntreaMCACNPAnnotation]; ok {
 staleMCACNPItems[acnp.Name] = acnp
diff --git a/multicluster/controllers/multicluster/stale_controller_test.go b/multicluster/controllers/multicluster/stale_controller_test.go
index e73b2941243..2583ba236f9 100644
--- a/multicluster/controllers/multicluster/stale_controller_test.go
+++ b/multicluster/controllers/multicluster/stale_controller_test.go
@@ -35,7 +35,7 @@ import ( "antrea.io/antrea/multicluster/controllers/multicluster/common" "antrea.io/antrea/multicluster/controllers/multicluster/commonarea" "antrea.io/antrea/multicluster/controllers/multicluster/member" - "antrea.io/antrea/pkg/apis/crd/v1alpha1" + "antrea.io/antrea/pkg/apis/crd/v1beta1" ) var ctx = context.Background() @@ -141,42 +141,42 @@ func TestStaleController_CleanupACNP(t *testing.T) { Spec: mcv1alpha1.ResourceImportSpec{ Name: acnpImportName, Kind: constants.AntreaClusterNetworkPolicyKind, - ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + ClusterNetworkPolicy: &v1beta1.ClusterNetworkPolicySpec{ Tier: "securityops", Priority: 1.0, - AppliedTo: []v1alpha1.AppliedTo{ + AppliedTo: []v1beta1.AppliedTo{ {NamespaceSelector: &metav1.LabelSelector{}}, }, }, }, } - acnp1 := v1alpha1.ClusterNetworkPolicy{ + acnp1 := v1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: common.AntreaMCSPrefix + acnpImportName, Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, }, } - acnp2 := v1alpha1.ClusterNetworkPolicy{ + acnp2 := v1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: common.AntreaMCSPrefix + "some-deleted-resimp", Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, }, } - acnp3 := v1alpha1.ClusterNetworkPolicy{ + acnp3 := v1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "non-mcs-acnp", }, } tests := []struct { name string - existingACNPList *v1alpha1.ClusterNetworkPolicyList + existingACNPList *v1beta1.ClusterNetworkPolicyList existingResImpList *mcv1alpha1.ResourceImportList expectedACNPRemaining sets.Set[string] }{ { name: "cleanup stale ACNP", - existingACNPList: &v1alpha1.ClusterNetworkPolicyList{ - Items: []v1alpha1.ClusterNetworkPolicy{ + existingACNPList: &v1beta1.ClusterNetworkPolicyList{ + Items: []v1beta1.ClusterNetworkPolicy{ acnp1, acnp2, acnp3, }, }, 
@@ -201,7 +201,7 @@ func TestStaleController_CleanupACNP(t *testing.T) {
 t.Errorf("StaleController.cleanup() should clean up all stale ACNPs but got err = %v", err)
 }
 ctx := context.TODO()
- acnpList := &v1alpha1.ClusterNetworkPolicyList{}
+ acnpList := &v1beta1.ClusterNetworkPolicyList{}
 if err := fakeClient.List(ctx, acnpList, &client.ListOptions{}); err != nil {
 t.Errorf("Error when listing the ACNPs after cleanup")
 }
diff --git a/multicluster/test/e2e/framework.go b/multicluster/test/e2e/framework.go
index 190ccc0f07a..1dbfadaf717 100644
--- a/multicluster/test/e2e/framework.go
+++ b/multicluster/test/e2e/framework.go
@@ -23,7 +23,7 @@ import (
 log "github.com/sirupsen/logrus"
 corev1 "k8s.io/api/core/v1"
 
- crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 antreae2e "antrea.io/antrea/test/e2e"
 "antrea.io/antrea/test/e2e/providers"
 )
@@ -231,7 +231,7 @@ func (data *MCTestData) createService(clusterName, serviceName, namespace string
 return nil, fmt.Errorf("clusterName %s not found", clusterName)
 }
 
-func (data *MCTestData) createOrUpdateANNP(clusterName string, annp *crdv1alpha1.NetworkPolicy) (*crdv1alpha1.NetworkPolicy, error) {
+func (data *MCTestData) createOrUpdateANNP(clusterName string, annp *crdv1beta1.NetworkPolicy) (*crdv1beta1.NetworkPolicy, error) {
 if d, ok := data.clusterTestDataMap[clusterName]; ok {
 return d.CreateOrUpdateANNP(annp)
 }
@@ -246,7 +246,7 @@ func (data *MCTestData) deleteANNP(clusterName, namespace, name string) error {
 return fmt.Errorf("clusterName %s not found", clusterName)
 }
 
-func (data *MCTestData) createOrUpdateACNP(clusterName string, acnp *crdv1alpha1.ClusterNetworkPolicy) (*crdv1alpha1.ClusterNetworkPolicy, error) {
+func (data *MCTestData) createOrUpdateACNP(clusterName string, acnp *crdv1beta1.ClusterNetworkPolicy) (*crdv1beta1.ClusterNetworkPolicy, error) {
 if d, ok := data.clusterTestDataMap[clusterName]; ok {
 return d.CreateOrUpdateACNP(acnp)
 }
diff --git a/multicluster/test/e2e/service_test.go b/multicluster/test/e2e/service_test.go index 1dca38fcd4d..cb373adcd64 100644 --- a/multicluster/test/e2e/service_test.go +++ b/multicluster/test/e2e/service_test.go @@ -28,7 +28,7 @@ import ( corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" antreae2e "antrea.io/antrea/test/e2e" e2euttils "antrea.io/antrea/test/e2e/utils" ) @@ -200,10 +200,10 @@ func (data *MCTestData) testANNPToServices(t *testing.T) { annpBuilder1 = annpBuilder1.SetName(multiClusterTestNamespace, "block-west-exported-service"). SetPriority(1.0). SetAppliedToGroup([]e2euttils.ANNPAppliedToSpec{{PodSelector: map[string]string{"app": "client"}}}). - AddToServicesRule([]crdv1alpha1.PeerService{{ + AddToServicesRule([]crdv1beta1.PeerService{{ Name: mcWestClusterTestService, Namespace: multiClusterTestNamespace}, - }, "", nil, crdv1alpha1.RuleActionDrop) + }, "", nil, crdv1beta1.RuleActionDrop) if _, err := data.createOrUpdateANNP(eastCluster, annpBuilder1.Get()); err != nil { t.Fatalf("Error creating ANNP %s: %v", annpBuilder1.Name, err) } @@ -226,11 +226,11 @@ func (data *MCTestData) testANNPToServices(t *testing.T) { annpBuilder2 = annpBuilder2.SetName(multiClusterTestNamespace, "block-west-service-clusterset-scope"). SetPriority(1.0). SetAppliedToGroup([]e2euttils.ANNPAppliedToSpec{{PodSelector: map[string]string{"app": "client"}}}). - AddToServicesRule([]crdv1alpha1.PeerService{{ + AddToServicesRule([]crdv1beta1.PeerService{{ Name: westClusterTestService, Namespace: multiClusterTestNamespace, Scope: "ClusterSet", - }}, "", nil, crdv1alpha1.RuleActionDrop) + }}, "", nil, crdv1beta1.RuleActionDrop) if _, err := data.createOrUpdateANNP(eastCluster, annpBuilder2.Get()); err != nil { t.Fatalf("Error creating ANNP %s: %v", annpBuilder2.Name, err) } 
@@ -262,8 +262,8 @@ func (data *MCTestData) testStretchedNetworkPolicy(t *testing.T) { acnpBuilder1 = acnpBuilder1.SetName("drop-client-pod-sel"). SetPriority(1.0). SetAppliedToGroup([]e2euttils.ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}). - AddStretchedIngressRule(map[string]string{"antrea-e2e": eastGwClientName}, nil, "", nil, crdv1alpha1.RuleActionDrop). - AddStretchedIngressRule(map[string]string{"antrea-e2e": eastRegularClientName}, map[string]string{"kubernetes.io/metadata.name": multiClusterTestNamespace}, "", nil, crdv1alpha1.RuleActionDrop) + AddStretchedIngressRule(map[string]string{"antrea-e2e": eastGwClientName}, nil, "", nil, crdv1beta1.RuleActionDrop). + AddStretchedIngressRule(map[string]string{"antrea-e2e": eastRegularClientName}, map[string]string{"kubernetes.io/metadata.name": multiClusterTestNamespace}, "", nil, crdv1beta1.RuleActionDrop) if _, err := data.createOrUpdateACNP(westCluster, acnpBuilder1.Get()); err != nil { t.Fatalf("Error creating ACNP %s: %v", acnpBuilder1.Name, err) } @@ -285,7 +285,7 @@ func (data *MCTestData) testStretchedNetworkPolicy(t *testing.T) { acnpBuilder2 = acnpBuilder2.SetName("drop-client-ns-sel"). SetPriority(1.0). SetAppliedToGroup([]e2euttils.ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}). - AddStretchedIngressRule(nil, map[string]string{"kubernetes.io/metadata.name": multiClusterTestNamespace}, "", nil, crdv1alpha1.RuleActionDrop) + AddStretchedIngressRule(nil, map[string]string{"kubernetes.io/metadata.name": multiClusterTestNamespace}, "", nil, crdv1beta1.RuleActionDrop) if _, err := data.createOrUpdateACNP(westCluster, acnpBuilder2.Get()); err != nil { t.Fatalf("Error creating ACNP %s: %v", acnpBuilder2.Name, err) 
@@ -317,7 +317,7 @@ func (data *MCTestData) testStretchedNetworkPolicyReject(t *testing.T) { acnpBuilder = acnpBuilder.SetName("drop-client-pod-sel"). SetPriority(1.0). SetAppliedToGroup([]e2euttils.ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}). - AddStretchedIngressRule(map[string]string{"app": "client"}, nil, "", nil, crdv1alpha1.RuleActionReject) + AddStretchedIngressRule(map[string]string{"app": "client"}, nil, "", nil, crdv1beta1.RuleActionReject) if _, err := data.createOrUpdateACNP(westCluster, acnpBuilder.Get()); err != nil { t.Fatalf("Error creating ACNP %s: %v", acnpBuilder.Name, err) } @@ -364,7 +364,7 @@ func (data *MCTestData) testStretchedNetworkPolicyUpdatePod(t *testing.T) { acnpBuilder = acnpBuilder.SetName("drop-client-pod-update"). SetPriority(1.0). SetAppliedToGroup([]e2euttils.ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}). - AddStretchedIngressRule(map[string]string{"antrea-e2e": eastRegularClientName, "foo": "bar"}, nil, "", nil, crdv1alpha1.RuleActionDrop) + AddStretchedIngressRule(map[string]string{"antrea-e2e": eastRegularClientName, "foo": "bar"}, nil, "", nil, crdv1beta1.RuleActionDrop) if _, err := data.createOrUpdateACNP(westCluster, acnpBuilder.Get()); err != nil { t.Fatalf("Error creating ACNP %s: %v", acnpBuilder.Name, err) } 
@@ -402,7 +402,7 @@ func (data *MCTestData) testStretchedNetworkPolicyUpdateNS(t *testing.T) { acnpBuilder = acnpBuilder.SetName("drop-client-ns-update"). SetPriority(1.0). SetAppliedToGroup([]e2euttils.ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}). - AddStretchedIngressRule(nil, map[string]string{"kubernetes.io/metadata.name": multiClusterTestNamespace, "foo": "bar"}, "", nil, crdv1alpha1.RuleActionDrop) + AddStretchedIngressRule(nil, map[string]string{"kubernetes.io/metadata.name": multiClusterTestNamespace, "foo": "bar"}, "", nil, crdv1beta1.RuleActionDrop) if _, err := data.createOrUpdateACNP(westCluster, acnpBuilder.Get()); err != nil { t.Fatalf("Error creating ACNP %s: %v", acnpBuilder.Name, err) @@ -445,7 +445,7 @@ func (data *MCTestData) testStretchedNetworkPolicyUpdatePolicy(t *testing.T) { acnpBuilder = acnpBuilder.SetName("drop-client-pod-update"). SetPriority(1.0). SetAppliedToGroup([]e2euttils.ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}). - AddStretchedIngressRule(map[string]string{"foo": "bar"}, nil, "", nil, crdv1alpha1.RuleActionDrop) + AddStretchedIngressRule(map[string]string{"foo": "bar"}, nil, "", nil, crdv1beta1.RuleActionDrop) if _, err := data.createOrUpdateACNP(westCluster, acnpBuilder.Get()); err != nil { t.Fatalf("Error creating ACNP %s: %v", acnpBuilder.Name, err) 
@@ -456,7 +456,7 @@ func (data *MCTestData) testStretchedNetworkPolicyUpdatePolicy(t *testing.T) { assert.Equal(t, antreae2e.Connected, connectivity, getStretchedNetworkPolicyErrorMessage(eastRegularClientName)) // Update the policy to select the eastRegularClient. - acnpBuilder.AddStretchedIngressRule(map[string]string{"antrea-e2e": eastRegularClientName}, nil, "", nil, crdv1alpha1.RuleActionDrop) + acnpBuilder.AddStretchedIngressRule(map[string]string{"antrea-e2e": eastRegularClientName}, nil, "", nil, crdv1beta1.RuleActionDrop) if _, err := data.createOrUpdateACNP(westCluster, acnpBuilder.Get()); err != nil { t.Fatalf("Error updateing ACNP %s: %v", acnpBuilder.Name, err) } diff --git a/pkg/agent/controller/networkpolicy/cache.go b/pkg/agent/controller/networkpolicy/cache.go index ef885713d60..70dd3a711f0 100644 --- a/pkg/agent/controller/networkpolicy/cache.go +++ b/pkg/agent/controller/networkpolicy/cache.go @@ -32,7 +32,7 @@ import ( "antrea.io/antrea/pkg/agent/metrics" agenttypes "antrea.io/antrea/pkg/agent/types" v1beta "antrea.io/antrea/pkg/apis/controlplane/v1beta2" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" "antrea.io/antrea/pkg/querier" "antrea.io/antrea/pkg/util/channel" "antrea.io/antrea/pkg/util/k8s" @@ -72,7 +72,7 @@ type rule struct { // Name of this rule. Empty for k8s NetworkPolicy. Name string // Action of this rule. nil for k8s NetworkPolicy. - Action *crdv1alpha1.RuleAction + Action *crdv1beta1.RuleAction // Priority of this rule within the NetworkPolicy. Defaults to -1 for K8s NetworkPolicy. Priority int32 // The highest rule Priority within the NetworkPolicy. Defaults to -1 for K8s NetworkPolicy. 
@@ -392,7 +392,7 @@ func toIGMPReportGroupAddressIndexFunc(obj interface{}) ([]string, error) {
 if rule.Direction == v1beta.DirectionOut {
 for _, svc := range rule.Services {
 if svc.Protocol != nil && *svc.Protocol == v1beta.ProtocolIGMP && svc.IGMPType == nil ||
- svc.IGMPType != nil && (*svc.IGMPType == crdv1alpha1.IGMPReportV1 || *svc.IGMPType == crdv1alpha1.IGMPReportV2 || *svc.IGMPType == crdv1alpha1.IGMPReportV3) {
+ svc.IGMPType != nil && (*svc.IGMPType == crdv1beta1.IGMPReportV1 || *svc.IGMPType == crdv1beta1.IGMPReportV2 || *svc.IGMPType == crdv1beta1.IGMPReportV3) {
 mcastGroupAddresses.Insert(svc.GroupAddress)
 }
 }
diff --git a/pkg/agent/controller/networkpolicy/networkpolicy_controller_test.go b/pkg/agent/controller/networkpolicy/networkpolicy_controller_test.go
index 43504ae2835..54c591c1e91 100644
--- a/pkg/agent/controller/networkpolicy/networkpolicy_controller_test.go
+++ b/pkg/agent/controller/networkpolicy/networkpolicy_controller_test.go
@@ -38,7 +38,7 @@ import (
 proxytypes "antrea.io/antrea/pkg/agent/proxy/types"
 agenttypes "antrea.io/antrea/pkg/agent/types"
 "antrea.io/antrea/pkg/apis/controlplane/v1beta2"
- "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ "antrea.io/antrea/pkg/apis/crd/v1beta1"
 "antrea.io/antrea/pkg/client/clientset/versioned"
 "antrea.io/antrea/pkg/client/clientset/versioned/fake"
 "antrea.io/antrea/pkg/querier"
@@ -627,7 +627,7 @@ func TestNetworkPolicyMetrics(t *testing.T) {
 func TestValidate(t *testing.T) {
 controller, _, _ := newTestController()
 igmpType := int32(0x12)
- actionAllow, actionDrop := v1alpha1.RuleActionAllow, v1alpha1.RuleActionDrop
+ actionAllow, actionDrop := v1beta1.RuleActionAllow, v1beta1.RuleActionDrop
 appliedToGroup := v1beta2.NewGroupMemberSet()
 appliedToGroup.Insert()
 tierPriority01 := int32(100)
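Review bot: The rewritten condition in `toIGMPReportGroupAddressIndexFunc` still mixes `&&` and `||` across two lines without parentheses, so a reader has to recall Go precedence to see that the `svc.IGMPType == nil` clause binds to the protocol check rather than to the whole expression. Since this line is touched anyway, grouping the two alternatives makes the intent explicit: `if (svc.Protocol != nil && *svc.Protocol == v1beta.ProtocolIGMP && svc.IGMPType == nil) ||` / `(svc.IGMPType != nil && (*svc.IGMPType == crdv1beta1.IGMPReportV1 || *svc.IGMPType == crdv1beta1.IGMPReportV2 || *svc.IGMPType == crdv1beta1.IGMPReportV3)) {`. The second alternative does not check `svc.Protocol` at all, which is presumably intended (a set IGMPType implies IGMP) but deserves a one-line comment saying so. The function body continues outside the hunk.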
@@ -684,14 +684,14 @@ func TestValidate(t *testing.T) {
 if err != nil {
 t.Fatalf("failed to validate group %s %v", groupAddress1, err)
 }
- if item.RuleAction != v1alpha1.RuleActionAllow {
- t.Fatalf("groupAddress %s expect %v, but got %v", groupAddress1, v1alpha1.RuleActionAllow, item.RuleAction)
+ if item.RuleAction != v1beta1.RuleActionAllow {
+ t.Fatalf("groupAddress %s expect %v, but got %v", groupAddress1, v1beta1.RuleActionAllow, item.RuleAction)
 }
 item, err = controller.GetIGMPNPRuleInfo("pod1", "ns1", net.ParseIP(groupAddress2), 0x12)
 if err != nil {
 t.Fatalf("failed to validate group %s %+v", groupAddress2, err)
 }
- if item.RuleAction != v1alpha1.RuleActionDrop {
- t.Fatalf("groupAddress %s expect %v, but got %v", groupAddress2, v1alpha1.RuleActionDrop, item.RuleAction)
+ if item.RuleAction != v1beta1.RuleActionDrop {
+ t.Fatalf("groupAddress %s expect %v, but got %v", groupAddress2, v1beta1.RuleActionDrop, item.RuleAction)
 }
 }
diff --git a/pkg/agent/controller/traceflow/packetin.go b/pkg/agent/controller/traceflow/packetin.go
index 65d4cfd0dad..7ff5b60fe49 100644
--- a/pkg/agent/controller/traceflow/packetin.go
+++ b/pkg/agent/controller/traceflow/packetin.go
@@ -31,6 +31,7 @@ import (
 "antrea.io/antrea/pkg/agent/openflow"
 crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 binding "antrea.io/antrea/pkg/ovs/openflow"
 )
@@ -237,7 +238,7 @@ func (c *Controller) parsePacketIn(pktIn *ofctrl.PacketIn) (*crdv1alpha1.Tracefl
 if npRef := ruleRef.PolicyRef; npRef != nil {
 ob.NetworkPolicy = npRef.ToString()
 }
- if ruleRef.Action != nil && *ruleRef.Action == crdv1alpha1.RuleActionReject {
+ if ruleRef.Action != nil && *ruleRef.Action == crdv1beta1.RuleActionReject {
 ob.Action = crdv1alpha1.ActionRejected
 }
 }
diff --git a/pkg/agent/flowexporter/connections/conntrack_connections_test.go b/pkg/agent/flowexporter/connections/conntrack_connections_test.go
index f037aecce7f..b1a32f6e281 100644
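Review bot: packetin.go now imports both crdv1alpha1 and crdv1beta1 and the changed line in parsePacketIn compares a crdv1beta1.RuleAction while assigning a crdv1alpha1 Traceflow action on the very next line, and nothing explains why the two API versions coexist here. A one-line comment above the comparison would stop the next reader from "fixing" one side to match the other: `// RuleAction now comes from crd/v1beta1; the Traceflow observation types this file produces are still crd/v1alpha1.` The body of parsePacketIn continues outside the hunk.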
--- a/pkg/agent/flowexporter/connections/conntrack_connections_test.go
+++ b/pkg/agent/flowexporter/connections/conntrack_connections_test.go
@@ -39,7 +39,7 @@ import (
 proxytest "antrea.io/antrea/pkg/agent/proxy/testing"
 agenttypes "antrea.io/antrea/pkg/agent/types"
 cpv1beta "antrea.io/antrea/pkg/apis/controlplane/v1beta2"
- secv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ secv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 queriertest "antrea.io/antrea/pkg/querier/testing"
 k8sproxy "antrea.io/antrea/third_party/proxy"
 )
@@ -72,7 +72,7 @@ var (
 Name: "bar",
 UID: "uid1",
 }
- action = secv1alpha1.RuleActionAllow
+ action = secv1beta1.RuleActionAllow
 rule1 = agenttypes.PolicyRule{
 Direction: cpv1beta.DirectionIn,
 From: []agenttypes.Address{},
diff --git a/pkg/agent/multicast/mcast_controller_test.go b/pkg/agent/multicast/mcast_controller_test.go
index d647ea5f4aa..a277c8218fb 100644
--- a/pkg/agent/multicast/mcast_controller_test.go
+++ b/pkg/agent/multicast/mcast_controller_test.go
@@ -51,7 +51,7 @@ import (
 typestest "antrea.io/antrea/pkg/agent/types/testing"
 agentutil "antrea.io/antrea/pkg/agent/util"
 "antrea.io/antrea/pkg/apis/controlplane/v1beta2"
- "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ "antrea.io/antrea/pkg/apis/crd/v1beta1"
 ovsconfigtest "antrea.io/antrea/pkg/ovs/ovsconfig/testing"
 "antrea.io/antrea/pkg/util/channel"
 )
@@ -574,10 +574,10 @@ func TestProcessPacketIn(t *testing.T) {
 }
 return ips
 }
- allow := v1alpha1.RuleActionAllow
+ allow := v1beta1.RuleActionAllow
 annp := v1beta2.AntreaNetworkPolicy
 acnp := v1beta2.AntreaClusterNetworkPolicy
- drop := v1alpha1.RuleActionDrop
+ drop := v1beta1.RuleActionDrop
 for _, tc := range []struct {
 name string
 iface *interfacestore.InterfaceConfig
diff --git a/pkg/agent/multicast/mcast_discovery.go b/pkg/agent/multicast/mcast_discovery.go
index 7b217012715..f0764284dc8 100644
--- a/pkg/agent/multicast/mcast_discovery.go
+++ b/pkg/agent/multicast/mcast_discovery.go
@@ -31,7 +31,7 @@ import (
 "antrea.io/antrea/pkg/agent/openflow"
 "antrea.io/antrea/pkg/agent/types"
 "antrea.io/antrea/pkg/apis/controlplane/v1beta2"
- "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ "antrea.io/antrea/pkg/apis/crd/v1beta1"
 binding "antrea.io/antrea/pkg/ovs/openflow"
 )
@@ -124,7 +124,7 @@ func (s *IGMPSnooper) validate(event *mcastGroupEvent, igmpType uint8, packetInD
 if ruleInfo != nil {
 klog.V(2).InfoS("Got NetworkPolicy action for IGMP report", "RuleAction", ruleInfo.RuleAction, "uuid", ruleInfo.UUID, "Name", ruleInfo.Name)
 s.addToIGMPReportNPStatsMap(*ruleInfo, uint64(packetInData.Len()))
- if ruleInfo.RuleAction == v1alpha1.RuleActionDrop {
+ if ruleInfo.RuleAction == v1beta1.RuleActionDrop {
 return false, nil
 }
 }
diff --git a/pkg/agent/openflow/network_policy.go b/pkg/agent/openflow/network_policy.go
index 5930e004877..979c4ad21b1 100644
--- a/pkg/agent/openflow/network_policy.go
+++ b/pkg/agent/openflow/network_policy.go
@@ -30,7 +30,7 @@ import (
 "antrea.io/antrea/pkg/agent/openflow/cookie"
 "antrea.io/antrea/pkg/agent/types"
 "antrea.io/antrea/pkg/apis/controlplane/v1beta2"
- crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 binding "antrea.io/antrea/pkg/ovs/openflow"
 thirdpartynp "antrea.io/antrea/third_party/networkpolicy"
 )
@@ -948,7 +948,7 @@ func getServiceMatchPairs(service v1beta2.Service, ipProtocols []binding.Protoco
 }
 case v1beta2.ProtocolIGMP:
 var matchPairs []matchPair
- if service.IGMPType != nil && *service.IGMPType == crdv1alpha1.IGMPQuery {
+ if service.IGMPType != nil && *service.IGMPType == crdv1beta1.IGMPQuery {
 // Since OVS only matches layer 3 IP address on the IGMP query packet, and doesn't
 // identify the multicast group address set in the IGMP protocol, the flow entry
 // processes all IGMP query packets by matching the destination IP address ( 224.0.0.1 )
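Review bot: In IGMPSnooper.validate the only action that blocks an IGMP report is `v1beta1.RuleActionDrop`; any other RuleAction value on the matched rule, including Reject or a value this switch to the v1beta1 type does not yet know, falls through and the report is accepted, which is a fail-open default for a policy check. If the validating webhook already restricts IGMP rules to Allow/Drop this is fine and deserves a comment saying so; otherwise Reject should be treated as a deny as well, e.g. `if ruleInfo.RuleAction == v1beta1.RuleActionDrop || ruleInfo.RuleAction == v1beta1.RuleActionReject {`. The rest of validate lies outside the hunk, so I cannot see whether an earlier check covers this.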
@@ -1193,13 +1193,13 @@ func (f *featureNetworkPolicy) calculateActionFlowChangesForRule(rule *types.Pol
 // Install action flows.
 var actionFlows []binding.Flow
 var metricFlows []binding.Flow
- if rule.IsAntreaNetworkPolicyRule() && *rule.Action == crdv1alpha1.RuleActionDrop {
+ if rule.IsAntreaNetworkPolicyRule() && *rule.Action == crdv1beta1.RuleActionDrop {
 metricFlows = append(metricFlows, f.denyRuleMetricFlow(ruleOfID, isIngress, rule.TableID))
 actionFlows = append(actionFlows, f.conjunctionActionDenyFlow(ruleOfID, ruleTable, rule.Priority, DispositionDrop, rule.EnableLogging))
- } else if rule.IsAntreaNetworkPolicyRule() && *rule.Action == crdv1alpha1.RuleActionReject {
+ } else if rule.IsAntreaNetworkPolicyRule() && *rule.Action == crdv1beta1.RuleActionReject {
 metricFlows = append(metricFlows, f.denyRuleMetricFlow(ruleOfID, isIngress, rule.TableID))
 actionFlows = append(actionFlows, f.conjunctionActionDenyFlow(ruleOfID, ruleTable, rule.Priority, DispositionRej, rule.EnableLogging))
- } else if rule.IsAntreaNetworkPolicyRule() && *rule.Action == crdv1alpha1.RuleActionPass {
+ } else if rule.IsAntreaNetworkPolicyRule() && *rule.Action == crdv1beta1.RuleActionPass {
 actionFlows = append(actionFlows, f.conjunctionActionPassFlow(ruleOfID, ruleTable, rule.Priority, rule.EnableLogging))
 } else {
 metricFlows = append(metricFlows, f.allowRulesMetricFlows(ruleOfID, isIngress, rule.TableID)...)
diff --git a/pkg/agent/openflow/network_policy_test.go b/pkg/agent/openflow/network_policy_test.go
index c856269f357..6220eae93f4 100644
--- a/pkg/agent/openflow/network_policy_test.go
+++ b/pkg/agent/openflow/network_policy_test.go
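Review bot: The if/else-if chain in calculateActionFlowChangesForRule only recognises Drop, Reject and Pass and sends every other action value, including one the v1beta1 RuleAction type may gain later, to the final else branch that installs allow flows, so an unrecognised action fails open at the datapath; it also calls `rule.IsAntreaNetworkPolicyRule()` three times and dereferences `*rule.Action` on each branch. A `switch` on a single resolved action makes Allow explicit, handles a nil Action once (the controlplane comment says nil means Allow), and gives a `default` where an unexpected value can be denied or logged instead of allowed; whether the function can return an error from that default depends on its signature, which is outside the hunk, so the fence leaves that decision marked. The function begins and ends outside the hunk.
```go
// … unchanged: actionFlows / metricFlows declarations …
action := crdv1beta1.RuleActionAllow
if rule.IsAntreaNetworkPolicyRule() && rule.Action != nil {
	action = *rule.Action
}
switch action {
case crdv1beta1.RuleActionDrop:
	metricFlows = append(metricFlows, f.denyRuleMetricFlow(ruleOfID, isIngress, rule.TableID))
	actionFlows = append(actionFlows, f.conjunctionActionDenyFlow(ruleOfID, ruleTable, rule.Priority, DispositionDrop, rule.EnableLogging))
case crdv1beta1.RuleActionReject:
	metricFlows = append(metricFlows, f.denyRuleMetricFlow(ruleOfID, isIngress, rule.TableID))
	actionFlows = append(actionFlows, f.conjunctionActionDenyFlow(ruleOfID, ruleTable, rule.Priority, DispositionRej, rule.EnableLogging))
case crdv1beta1.RuleActionPass:
	actionFlows = append(actionFlows, f.conjunctionActionPassFlow(ruleOfID, ruleTable, rule.Priority, rule.EnableLogging))
case crdv1beta1.RuleActionAllow:
	// … unchanged: allow metric and action flows from the former else branch …
default:
	// NOTE(review): unknown RuleAction value; fail closed (deny flows) or
	// return an error here rather than installing allow flows.
	metricFlows = append(metricFlows, f.denyRuleMetricFlow(ruleOfID, isIngress, rule.TableID))
	actionFlows = append(actionFlows, f.conjunctionActionDenyFlow(ruleOfID, ruleTable, rule.Priority, DispositionDrop, rule.EnableLogging))
}
```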
@@ -38,7 +38,7 @@ import (
 oftest "antrea.io/antrea/pkg/agent/openflow/testing"
 "antrea.io/antrea/pkg/agent/types"
 "antrea.io/antrea/pkg/apis/controlplane/v1beta2"
- crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 binding "antrea.io/antrea/pkg/ovs/openflow"
 mocks "antrea.io/antrea/pkg/ovs/openflow/testing"
 ovsctltest "antrea.io/antrea/pkg/ovs/ovsctl/testing"
@@ -65,8 +65,8 @@ var (
 _, podIPv4CIDR, _ = net.ParseCIDR("100.100.100.0/24")
 _, podIPv6CIDR, _ = net.ParseCIDR("fd12:ab35:34:a001::/64")
- actionAllow = crdv1alpha1.RuleActionAllow
- actionDrop = crdv1alpha1.RuleActionDrop
+ actionAllow = crdv1beta1.RuleActionAllow
+ actionDrop = crdv1beta1.RuleActionDrop
 port8080 = intstr.FromInt(8080)
 port32800 = int32(32800)
 protocolICMP = v1beta2.ProtocolICMP
@@ -170,7 +170,7 @@ func TestInstallPolicyRuleFlows(t *testing.T) {
 c.nodeConfig = &config.NodeConfig{PodIPv4CIDR: podIPv4CIDR, PodIPv6CIDR: nil}
 c.networkConfig = &config.NetworkConfig{}
 c.pipelines = pipelineMap
- defaultAction := crdv1alpha1.RuleActionAllow
+ defaultAction := crdv1beta1.RuleActionAllow
 // Create a policyRuleConjunction for the dns response interception flows
 // to ensure nil NetworkPolicyReference is handled correctly by GetNetworkPolicyFlowKeys.
 dnsID := uint32(1)
@@ -677,7 +677,7 @@ func TestInstallPolicyRuleFlowsInDualStackCluster(t *testing.T) {
 c.nodeConfig = &config.NodeConfig{PodIPv4CIDR: podIPv4CIDR, PodIPv6CIDR: podIPv6CIDR}
 c.networkConfig = &config.NetworkConfig{IPv4Enabled: true, IPv6Enabled: true}
 c.ipProtocols = []binding.Protocol{binding.ProtocolIP, binding.ProtocolIPv6}
- defaultAction := crdv1alpha1.RuleActionAllow
+ defaultAction := crdv1beta1.RuleActionAllow
 ruleID1 := uint32(101)
 rule1 := &types.PolicyRule{
 Direction: v1beta2.DirectionOut,
diff --git a/pkg/agent/types/multicast.go b/pkg/agent/types/multicast.go
index ae910dea965..919352f9ad4 100644
--- a/pkg/agent/types/multicast.go
+++ b/pkg/agent/types/multicast.go
@@ -20,11 +20,11 @@ import (
 apitypes "k8s.io/apimachinery/pkg/types"
 "antrea.io/antrea/pkg/apis/controlplane/v1beta2"
- "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ "antrea.io/antrea/pkg/apis/crd/v1beta1"
 )
 type IGMPNPRuleInfo struct {
- RuleAction v1alpha1.RuleAction
+ RuleAction v1beta1.RuleAction
 UUID apitypes.UID
 NPType *v1beta2.NetworkPolicyType
 Name string
diff --git a/pkg/agent/types/networkpolicy.go b/pkg/agent/types/networkpolicy.go
index ca25e21df85..65e26e2b5f3 100644
--- a/pkg/agent/types/networkpolicy.go
+++ b/pkg/agent/types/networkpolicy.go
@@ -16,7 +16,7 @@ package types
 import (
 "antrea.io/antrea/pkg/apis/controlplane/v1beta2"
- secv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ secv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 binding "antrea.io/antrea/pkg/ovs/openflow"
 )
@@ -82,7 +82,7 @@ type PolicyRule struct {
 Service []v1beta2.Service
 L7Protocols []v1beta2.L7Protocol
 L7RuleVlanID *uint32
- Action *secv1alpha1.RuleAction
+ Action *secv1beta1.RuleAction
 Priority *uint16
 Name string
 FlowID uint32
diff --git a/pkg/apis/controlplane/types.go b/pkg/apis/controlplane/types.go
index 941ddee8690..5187617f5a7 100644
--- a/pkg/apis/controlplane/types.go
+++ b/pkg/apis/controlplane/types.go
@@ -22,7 +22,7 @@ import (
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/intstr"
- crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 statsv1alpha1 "antrea.io/antrea/pkg/apis/stats/v1alpha1"
 )
@@ -250,7 +250,7 @@ type NetworkPolicyRule struct {
 // Action specifies the action to be applied on the rule. i.e. Allow/Drop. An empty
 // action “nil” defaults to Allow action, which would be the case for rules created for
 // K8s NetworkPolicy.
- Action *crdv1alpha1.RuleAction
+ Action *crdv1beta1.RuleAction
 // EnableLogging is used to indicate if agent should generate logs
 // when rules are matched. Should be default to false.
 EnableLogging bool
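Review bot: The doc comment on NetworkPolicyRule.Action in pkg/apis/controlplane/types.go still says the action is "i.e. Allow/Drop" even though the field's type is being moved to crdv1beta1.RuleAction and the agent code in this same commit also handles RuleActionReject and RuleActionPass, so the comment understates the set of values the agent acts on. Since the line is touched anyway, update it to name all four and drop the typographic quotes: `// Action specifies the action to be applied on the rule, i.e. Allow/Drop/Reject/Pass. A nil` followed by `// action defaults to Allow, which is the case for rules created for K8s NetworkPolicy.` The struct definition continues outside the hunk.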
diff --git a/pkg/apis/controlplane/v1beta2/generated.pb.go b/pkg/apis/controlplane/v1beta2/generated.pb.go index 65c23caa957..5f0ea38ce5a 100644 --- a/pkg/apis/controlplane/v1beta2/generated.pb.go +++ b/pkg/apis/controlplane/v1beta2/generated.pb.go @@ -20,7 +20,7 @@ import ( encoding_binary "encoding/binary" fmt "fmt" - antrea_io_antrea_pkg_apis_crd_v1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + antrea_io_antrea_pkg_apis_crd_v1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" v1alpha1 "antrea.io/antrea/pkg/apis/stats/v1alpha1" io "io" 
@@ -1302,186 +1302,186 @@ func init() { } var fileDescriptor_fbaa7d016762fa1d = []byte{ - // 2849 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x3a, 0xcd, 0x6f, 0x24, 0x47, - 0xf5, 0xdb, 0x9e, 0x19, 0xdb, 0xf3, 0xc6, 0xf6, 0x7a, 0xcb, 0x49, 0xd6, 0xbf, 0x24, 0x6b, 0x6f, - 0x3a, 0x3f, 0xa2, 0x05, 0x85, 0x99, 0xd8, 0x24, 0xd9, 0x25, 0x5f, 0xe0, 0xf1, 0x7a, 0x9d, 0x21, - 0xb6, 0x33, 0xa9, 0x99, 0x10, 0x29, 0x21, 0x21, 0xed, 0xee, 0x9a, 0x71, 0xe3, 0x9e, 0xae, 0x4e, - 0x75, 0x8d, 0xb3, 0xce, 0x01, 0x05, 0x05, 0x0e, 0xe1, 0x2b, 0x88, 0x0b, 0xe2, 0xc6, 0x8d, 0x0b, - 0x7f, 0x41, 0x4e, 0x80, 0x84, 0x94, 0x63, 0x10, 0x42, 0xe4, 0x64, 0xb1, 0x46, 0x04, 0xe5, 0xc0, - 0x85, 0x1b, 0x8b, 0x90, 0x50, 0x55, 0x57, 0x77, 0x57, 0xcf, 0x78, 0xd6, 0x3b, 0xb6, 0xd7, 0x48, - 0x24, 0xa7, 0x99, 0x7e, 0xdf, 0x55, 0xf5, 0x5e, 0xbd, 0x8f, 0x6e, 0x78, 0xc6, 0xf2, 0x39, 0x23, + // 2852 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x3a, 0xcd, 0x6f, 0x24, 0xc5, + 0xf5, 0xdb, 0x9e, 0x19, 0xdb, 0xf3, 0xc6, 0xf6, 0x7a, 0xcb, 0xc0, 0xfa, 0x07, 0xac, 0xbd, 0x34, + 0xbf, 0xa0, 0x4d, 0x44, 0x66, 0xb0, 0x03, 0xec, 0x86, 0x2f, 0xc5, 0xe3, 0xf5, 0x9a, 0x09, 0xb6, + 0x19, 0x6a, 0x06, 0x90, 0x20, 0x10, 0xda, 0xdd, 0x35, 0xe3, 0x8e, 0x7b, 0xba, 0x9a, 0xea, 0x1a, + 0xb3, 0xe6, 0x10, 0x11, 0x91, 0x1c, 0xc8, 0x17, 0x51, 0x2e, 0x51, 0x6e, 0xb9, 0xe5, 0x92, 0xbf, + 0x80, 0x53, 0x38, 0x44, 0xe2, 0x48, 0x14, 0x45, 0xe1, 0x64, 0x65, 0x1d, 0x85, 0x88, 0x43, 0x2e, + 0xb9, 0x65, 0xa3, 0x48, 0x51, 0x55, 0x57, 0x77, 0x57, 0xcf, 0x78, 0xd6, 0x3b, 0xb6, 0xd7, 0x91, + 0x02, 0xa7, 0x99, 0x7e, 0xdf, 0x55, 0xf5, 0x5e, 0xbd, 0x8f, 0x6e, 0x78, 0xc6, 0xf2, 0x39, 0x23, 0x56, 0xd9, 0xa5, 0x95, 0xe8, 0x5f, 0x25, 0xd8, 0x6e, 0x57, 0xac, 0xc0, 0x0d, 0x2b, 0x36, 0xf5, 0x39, 0xa3, 0x5e, 0xe0, 0x59, 0x3e, 0xa9, 0xec, 0x2c, 0x6c, 0x12, 0x6e, 0x2d, 0x56, 0xda, 0xc4, - 0x27, 0xcc, 0xe2, 0xc4, 0x29, 0x07, 0x8c, 0x72, 
0x8a, 0xca, 0x11, 0xd7, 0x37, 0x5d, 0xaa, 0xfe, + 0x27, 0xcc, 0xe2, 0xc4, 0x29, 0x07, 0x8c, 0x72, 0x8a, 0xca, 0x11, 0xd7, 0xb7, 0x5d, 0xaa, 0xfe, 0x95, 0x83, 0xed, 0x76, 0x59, 0xf0, 0x97, 0x75, 0xfe, 0xb2, 0xe2, 0xbf, 0xf7, 0xca, 0x60, 0x7d, - 0x21, 0xb7, 0x78, 0x58, 0xd9, 0x59, 0xb0, 0xbc, 0x60, 0xcb, 0x5a, 0xe8, 0xd5, 0x74, 0xef, 0x17, + 0x21, 0xb7, 0x78, 0x58, 0xd9, 0x59, 0xb0, 0xbc, 0x60, 0xcb, 0x5a, 0xe8, 0xd5, 0x74, 0xef, 0x57, 0xdb, 0x2e, 0xdf, 0xea, 0x6e, 0x96, 0x6d, 0xda, 0xa9, 0xb4, 0x69, 0x9b, 0x56, 0x24, 0x78, 0xb3, 0xdb, 0x92, 0x4f, 0xf2, 0x41, 0xfe, 0x53, 0xe4, 0x8f, 0x6e, 0x5f, 0x09, 0xa5, 0x96, 0xc0, 0xed, 0x58, 0xf6, 0x96, 0xeb, 0x13, 0xb6, 0x9b, 0xea, 0xea, 0x10, 0x6e, 0x55, 0x76, 0xfa, 0x95, 0x54, 0x06, 0x71, 0xb1, 0xae, 0xcf, 0xdd, 0x0e, 0xe9, 0x63, 0x78, 0xfc, 0x30, 0x86, 0xd0, 0xde, 0x22, - 0x1d, 0xab, 0x8f, 0xef, 0x4b, 0x83, 0xf8, 0xba, 0xdc, 0xf5, 0x2a, 0xae, 0xcf, 0x43, 0xce, 0x7a, + 0x1d, 0xab, 0x8f, 0xef, 0x6b, 0x83, 0xf8, 0xba, 0xdc, 0xf5, 0x2a, 0xae, 0xcf, 0x43, 0xce, 0x7a, 0x99, 0xcc, 0xbf, 0x19, 0x30, 0xb1, 0xe4, 0x38, 0x8c, 0x84, 0xe1, 0x2a, 0xa3, 0xdd, 0x00, 0xbd, - 0x0e, 0xe3, 0x62, 0x25, 0x8e, 0xc5, 0xad, 0x59, 0xe3, 0xa2, 0x71, 0xa9, 0xb4, 0xf8, 0x48, 0x39, - 0x12, 0x5c, 0xd6, 0x05, 0xa7, 0x67, 0x22, 0xa8, 0xcb, 0x3b, 0x0b, 0xe5, 0xe7, 0x37, 0xbf, 0x45, - 0x6c, 0xbe, 0x4e, 0xb8, 0x55, 0x45, 0x1f, 0xec, 0xcd, 0x9f, 0xd9, 0xdf, 0x9b, 0x87, 0x14, 0x86, + 0x01, 0xe3, 0x62, 0x25, 0x8e, 0xc5, 0xad, 0x59, 0xe3, 0xa2, 0x71, 0xa9, 0xb4, 0xf8, 0x48, 0x39, + 0x12, 0x5c, 0xd6, 0x05, 0xa7, 0x67, 0x22, 0xa8, 0xcb, 0x3b, 0x0b, 0xe5, 0xe7, 0x37, 0xbf, 0x43, + 0x6c, 0xbe, 0x4e, 0xb8, 0x55, 0x45, 0x1f, 0xed, 0xcd, 0x9f, 0xd9, 0xdf, 0x9b, 0x87, 0x14, 0x86, 0x13, 0xa9, 0xa8, 0x0b, 0x13, 0x6d, 0xa1, 0x6a, 0x9d, 0x74, 0x36, 0x09, 0x0b, 0x67, 0x47, 0x2e, 0xe6, 0x2e, 0x95, 0x16, 0x9f, 0x1c, 0xf2, 0xd8, 0xcb, 0xab, 0xa9, 0x8c, 0xea, 0x5d, 0x4a, 0xe1, 0x84, 0x06, 0x0c, 0x71, 0x46, 0x8d, 0xf9, 0x07, 0x03, 0xa6, 0xf5, 0x95, 0xae, 0xb9, 0x21, 0x47, - 0xdf, 
0xe8, 0x5b, 0x6d, 0xf9, 0xf6, 0x56, 0x2b, 0xb8, 0xe5, 0x5a, 0xa7, 0x95, 0xea, 0xf1, 0x18, + 0xdf, 0xea, 0x5b, 0x6d, 0xf9, 0xf6, 0x56, 0x2b, 0xb8, 0xe5, 0x5a, 0xa7, 0x95, 0xea, 0xf1, 0x18, 0xa2, 0xad, 0xd4, 0x82, 0x82, 0xcb, 0x49, 0x27, 0x5e, 0xe2, 0x53, 0xc3, 0x2e, 0x51, 0x37, 0xb7, - 0x3a, 0xa9, 0x14, 0x15, 0x6a, 0x42, 0x24, 0x8e, 0x24, 0x9b, 0xef, 0xe6, 0xe0, 0x9c, 0x4e, 0x56, - 0xb7, 0xb8, 0xbd, 0x75, 0x0a, 0x87, 0xf8, 0x5d, 0x03, 0xce, 0x59, 0x8e, 0x43, 0x9c, 0xd5, 0x13, - 0x3e, 0xca, 0xff, 0x53, 0x6a, 0xc5, 0xaa, 0xb2, 0xd2, 0x71, 0xbf, 0x42, 0xf4, 0x7d, 0x03, 0x66, + 0x3a, 0xa9, 0x14, 0x15, 0x6a, 0x42, 0x24, 0x8e, 0x24, 0x9b, 0xef, 0xe5, 0xe0, 0x9c, 0x4e, 0x56, + 0xb7, 0xb8, 0xbd, 0x75, 0x0a, 0x87, 0xf8, 0x7d, 0x03, 0xce, 0x59, 0x8e, 0x43, 0x9c, 0xd5, 0x13, + 0x3e, 0xca, 0xff, 0x53, 0x6a, 0xc5, 0xaa, 0xb2, 0xd2, 0x71, 0xbf, 0x42, 0xf4, 0x43, 0x03, 0x66, 0x18, 0xe9, 0xd0, 0x9d, 0x1e, 0x43, 0x72, 0xc7, 0x37, 0xe4, 0x3e, 0x65, 0xc8, 0x0c, 0xee, 0x97, - 0x8f, 0x0f, 0x52, 0x6a, 0x7e, 0x62, 0xc0, 0xd4, 0x52, 0x10, 0x78, 0x2e, 0x71, 0x9a, 0xf4, 0x7f, + 0x8f, 0x0f, 0x52, 0x6a, 0x7e, 0x66, 0xc0, 0xd4, 0x52, 0x10, 0x78, 0x2e, 0x71, 0x9a, 0xf4, 0x7f, 0x3c, 0x9a, 0xfe, 0x64, 0x00, 0xca, 0xae, 0xf5, 0x14, 0xe2, 0xc9, 0xce, 0xc6, 0xd3, 0x33, 0x43, - 0xc7, 0x53, 0xc6, 0xe0, 0x01, 0x11, 0xf5, 0x83, 0x1c, 0xcc, 0x64, 0x09, 0x3f, 0x8b, 0xa9, 0xff, - 0x5e, 0x4c, 0xbd, 0x01, 0x33, 0x55, 0x2b, 0x74, 0xed, 0xa5, 0x2e, 0xdf, 0x22, 0x3e, 0x77, 0x6d, + 0xc7, 0x53, 0xc6, 0xe0, 0x01, 0x11, 0xf5, 0xa3, 0x1c, 0xcc, 0x64, 0x09, 0xbf, 0x88, 0xa9, 0xff, + 0x5e, 0x4c, 0xbd, 0x09, 0x33, 0x55, 0x2b, 0x74, 0xed, 0xa5, 0x2e, 0xdf, 0x22, 0x3e, 0x77, 0x6d, 0x8b, 0xbb, 0xd4, 0x47, 0x0f, 0xc3, 0x78, 0x37, 0x24, 0xcc, 0xb7, 0x3a, 0x44, 0x1e, 0x46, 0x31, - 0xf5, 0x9b, 0x17, 0x15, 0x1c, 0x27, 0x14, 0x82, 0x3a, 0xb0, 0xc2, 0xf0, 0x4d, 0xca, 0x9c, 0xd9, + 0xf5, 0x9b, 0x17, 0x15, 0x1c, 0x27, 0x14, 0x82, 0x3a, 0xb0, 0xc2, 0xf0, 0x2d, 0xca, 0x9c, 0xd9, 0x91, 0x2c, 0x75, 0x5d, 0xc1, 0x71, 0x42, 0x61, 0x2e, 
0xc0, 0x74, 0xb5, 0xeb, 0x3b, 0x1e, 0xb9, 0xe6, 0x7a, 0xa4, 0x41, 0xd8, 0x0e, 0x61, 0xe8, 0x02, 0xe4, 0xba, 0xcc, 0x53, 0xaa, 0x4a, 0x8a, - 0x39, 0xf7, 0x22, 0x5e, 0xc3, 0x02, 0x6e, 0xbe, 0x37, 0x02, 0x17, 0x22, 0x9e, 0x88, 0x5e, 0x58, + 0x39, 0xf7, 0x22, 0x5e, 0xc3, 0x02, 0x6e, 0xbe, 0x3f, 0x02, 0x17, 0x22, 0x9e, 0x88, 0x5e, 0x58, 0xbb, 0x4c, 0xfd, 0x96, 0xdb, 0xee, 0xb2, 0xc8, 0xe0, 0xc7, 0xa0, 0xb4, 0x49, 0x2c, 0x46, 0x58, 0x93, 0x6e, 0x13, 0x5f, 0x09, 0x9a, 0x51, 0x82, 0x4a, 0xd5, 0x14, 0x85, 0x75, 0x3a, 0xf4, 0x10, 0x8c, 0x5a, 0x81, 0xfb, 0x1c, 0xd9, 0x55, 0x76, 0x4f, 0x29, 0x8e, 0xd1, 0xa5, 0x7a, 0xed, 0x39, - 0xb2, 0x8b, 0x15, 0x16, 0xfd, 0xd8, 0x80, 0x99, 0xcd, 0xfe, 0x7d, 0x9a, 0xcd, 0x49, 0x47, 0x5d, + 0xb2, 0x8b, 0x15, 0x16, 0xfd, 0xd4, 0x80, 0x99, 0xcd, 0xfe, 0x7d, 0x9a, 0xcd, 0x49, 0x47, 0x5d, 0x1e, 0xf6, 0xcc, 0x0e, 0xd8, 0xf2, 0xea, 0x79, 0x71, 0x6e, 0x07, 0x20, 0xf0, 0x41, 0x8a, 0xcd, - 0x5f, 0xe4, 0x61, 0x66, 0xd9, 0xeb, 0x86, 0x9c, 0xb0, 0x8c, 0x73, 0xdd, 0xf9, 0x28, 0xfa, 0x8e, + 0x5f, 0xe5, 0x61, 0x66, 0xd9, 0xeb, 0x86, 0x9c, 0xb0, 0x8c, 0x73, 0xdd, 0xf9, 0x28, 0xfa, 0x9e, 0x01, 0xd3, 0xa4, 0xd5, 0x22, 0x36, 0x77, 0x77, 0xc8, 0x09, 0x06, 0xd1, 0xac, 0xd2, 0x3a, 0xbd, - 0xd2, 0x23, 0x1c, 0xf7, 0xa9, 0x43, 0xdf, 0x86, 0x73, 0x09, 0xac, 0x56, 0xaf, 0x7a, 0xd4, 0xde, + 0xd2, 0x23, 0x1c, 0xf7, 0xa9, 0x43, 0xdf, 0x85, 0x73, 0x09, 0xac, 0x56, 0xaf, 0x7a, 0xd4, 0xde, 0x8e, 0xe3, 0xe7, 0xb1, 0x61, 0x6d, 0xa8, 0xd5, 0x37, 0x08, 0x4f, 0x43, 0x78, 0xa5, 0x57, 0x2e, 0xee, 0x57, 0x85, 0xae, 0xc0, 0x04, 0xa7, 0xdc, 0xf2, 0xe2, 0xe5, 0xe7, 0x2f, 0x1a, 0x97, 0x72, 0xe9, 0xbd, 0xde, 0xd4, 0x70, 0x38, 0x43, 0x89, 0x16, 0x01, 0xe4, 0x73, 0xdd, 0x6a, 0x93, 0x70, 0xb6, 0x20, 0xf9, 0x92, 0xfd, 0x6e, 0x26, 0x18, 0xac, 0x51, 0x09, 0xdf, 0xb6, 0xbb, 0x8c, 0x11, - 0x9f, 0x8b, 0xe7, 0xd9, 0x51, 0xc9, 0x94, 0xf8, 0xf6, 0x72, 0x8a, 0xc2, 0x3a, 0x9d, 0xf9, 0xb1, - 0x01, 0xa5, 0x95, 0xf6, 0xa7, 0xa0, 0xf2, 0xfc, 0xbd, 0x01, 0x67, 0xb5, 0x85, 0x9e, 0x42, 0xa2, - 0x7c, 0x3d, 
0x9b, 0x28, 0x87, 0x5e, 0xa1, 0x66, 0xed, 0x80, 0x2c, 0xf9, 0xc3, 0x1c, 0x4c, 0x6b, - 0x54, 0x51, 0x8a, 0x74, 0x00, 0x68, 0xb2, 0xef, 0x27, 0x7a, 0x86, 0x9a, 0xdc, 0xcf, 0xd2, 0xe4, + 0x9f, 0x8b, 0xe7, 0xd9, 0x51, 0xc9, 0x94, 0xf8, 0xf6, 0x72, 0x8a, 0xc2, 0x3a, 0x9d, 0xf9, 0xa9, + 0x01, 0xa5, 0x95, 0xf6, 0xe7, 0xa0, 0xf2, 0xfc, 0xbd, 0x01, 0x67, 0xb5, 0x85, 0x9e, 0x42, 0xa2, + 0x7c, 0x23, 0x9b, 0x28, 0x87, 0x5e, 0xa1, 0x66, 0xed, 0x80, 0x2c, 0xf9, 0xe3, 0x1c, 0x4c, 0x6b, + 0x54, 0x51, 0x8a, 0x74, 0x00, 0x68, 0xb2, 0xef, 0x27, 0x7a, 0x86, 0x9a, 0xdc, 0x2f, 0xd2, 0xe4, 0x01, 0x69, 0xd2, 0x83, 0xf3, 0x2b, 0xd7, 0xb9, 0x48, 0x77, 0xde, 0x8a, 0xcf, 0x5d, 0xbe, 0x8b, 0x49, 0x8b, 0x30, 0xe2, 0xdb, 0x04, 0x5d, 0x84, 0xbc, 0x96, 0x26, 0x27, 0x94, 0xe8, 0xfc, 0x86, 0x48, 0x91, 0x12, 0x83, 0x2a, 0x50, 0x14, 0xbf, 0x61, 0x60, 0xd9, 0x44, 0xe5, 0x99, 0x73, 0x8a, 0xac, 0xb8, 0x11, 0x23, 0x70, 0x4a, 0x63, 0xfe, 0xcb, 0x80, 0x69, 0xa9, 0x7e, 0x29, 0x0c, 0xa9, 0xed, 0x46, 0x19, 0xee, 0x54, 0xea, 0xa3, 0x69, 0x4b, 0x69, 0x54, 0xeb, 0x3f, 0x72, 0x29, 0x28, - 0xb9, 0x93, 0x4d, 0x4a, 0x2f, 0xf7, 0xa5, 0x1e, 0xf9, 0xb8, 0x4f, 0xa3, 0xf9, 0x7e, 0x1e, 0x4a, - 0xda, 0xe6, 0xa3, 0x97, 0x20, 0x17, 0x50, 0x47, 0xad, 0x79, 0xe8, 0x1e, 0xaf, 0x4e, 0x9d, 0xd4, - 0x8c, 0x31, 0x51, 0x55, 0x08, 0x88, 0x90, 0x88, 0xde, 0x31, 0x60, 0x8a, 0x64, 0x4e, 0x55, 0x9e, + 0xb9, 0x93, 0x4d, 0x4a, 0x2f, 0xf7, 0xa5, 0x1e, 0xf9, 0xb8, 0x4f, 0xa3, 0xf9, 0x41, 0x1e, 0x4a, + 0xda, 0xe6, 0xa3, 0x97, 0x21, 0x17, 0x50, 0x47, 0xad, 0x79, 0xe8, 0x1e, 0xaf, 0x4e, 0x9d, 0xd4, + 0x8c, 0x31, 0x51, 0x55, 0x08, 0x88, 0x90, 0x88, 0xde, 0x35, 0x60, 0x8a, 0x64, 0x4e, 0x55, 0x9e, 0x4e, 0x69, 0x71, 0x75, 0xe8, 0x78, 0x3e, 0xd8, 0x37, 0xaa, 0x68, 0x7f, 0x6f, 0x7e, 0xaa, 0x07, 0xd9, 0xa3, 0x12, 0x3d, 0x04, 0x39, 0x37, 0x88, 0xdc, 0x7a, 0xa2, 0x7a, 0x97, 0x30, 0xb0, 0x56, - 0x0f, 0x6f, 0xee, 0xcd, 0x17, 0x6b, 0x75, 0xd5, 0x78, 0x62, 0x41, 0x80, 0x5e, 0x83, 0x42, 0x40, - 0x19, 0x17, 0xc9, 0x46, 0x9c, 0xc8, 0x97, 0x87, 0xb5, 0x51, 0x78, 
0x9a, 0x53, 0xa7, 0x8c, 0xa7, - 0x37, 0x8e, 0x78, 0x0a, 0x71, 0x24, 0x16, 0xbd, 0x02, 0x79, 0x9f, 0x3a, 0x44, 0xe6, 0xa4, 0xd2, + 0x0f, 0x6f, 0xee, 0xcd, 0x17, 0x6b, 0x75, 0xd5, 0x78, 0x62, 0x41, 0x80, 0x5e, 0x87, 0x42, 0x40, + 0x19, 0x17, 0xc9, 0x46, 0x9c, 0xc8, 0xd7, 0x87, 0xb5, 0x51, 0x78, 0x9a, 0x53, 0xa7, 0x8c, 0xa7, + 0x37, 0x8e, 0x78, 0x0a, 0x71, 0x24, 0x16, 0xbd, 0x0a, 0x79, 0x9f, 0x3a, 0x44, 0xe6, 0xa4, 0xd2, 0xe2, 0xd3, 0x43, 0x8b, 0xa7, 0x0e, 0x49, 0x17, 0x3e, 0x2e, 0x43, 0x40, 0x80, 0xa4, 0x50, 0xd4, - 0x86, 0xb1, 0x90, 0xb0, 0x1d, 0xd7, 0x8e, 0xd2, 0x57, 0x69, 0xf1, 0xab, 0xc3, 0xca, 0x6f, 0x44, - 0xec, 0xa9, 0x8a, 0xd2, 0xfe, 0xde, 0xfc, 0x58, 0x0c, 0x8d, 0xa5, 0x9b, 0xbf, 0x34, 0x60, 0x2a, + 0x86, 0xb1, 0x90, 0xb0, 0x1d, 0xd7, 0x8e, 0xd2, 0x57, 0x69, 0xf1, 0x1b, 0xc3, 0xca, 0x6f, 0x44, + 0xec, 0xa9, 0x8a, 0xd2, 0xfe, 0xde, 0xfc, 0x58, 0x0c, 0x8d, 0xa5, 0x9b, 0xbf, 0x36, 0x60, 0x2a, 0xeb, 0x7b, 0xd9, 0xf0, 0x33, 0x0e, 0x0f, 0xbf, 0x24, 0xa2, 0x47, 0x06, 0x46, 0x74, 0x15, 0x72, 0x5d, 0xd7, 0x91, 0xd5, 0x5f, 0xb1, 0xfa, 0x48, 0x52, 0xae, 0xd6, 0xae, 0xde, 0xdc, 0x9b, 0x7f, - 0x60, 0xd0, 0x98, 0x88, 0xef, 0x06, 0x24, 0x2c, 0xbf, 0x58, 0xbb, 0x8a, 0x05, 0xb3, 0xf9, 0x16, + 0x60, 0xd0, 0x98, 0x88, 0xef, 0x06, 0x24, 0x2c, 0xbf, 0x58, 0xbb, 0x8a, 0x05, 0xb3, 0xf9, 0x36, 0x4c, 0x3c, 0xdb, 0x6c, 0xd6, 0xeb, 0x8c, 0x72, 0x6a, 0x53, 0x4f, 0x68, 0xdd, 0xa2, 0x21, 0xef, 0xbd, 0x47, 0x9e, 0xa5, 0x21, 0xc7, 0x12, 0x23, 0x8a, 0xd5, 0x0e, 0xe1, 0x5b, 0xd4, 0xe9, 0x2d, 0x56, 0xd7, 0x25, 0x14, 0x2b, 0xac, 0x90, 0x14, 0x58, 0x7c, 0x4b, 0x99, 0x97, 0x48, 0xaa, 0x5b, - 0x7c, 0x0b, 0x4b, 0x8c, 0xf9, 0x1b, 0x03, 0xc6, 0x54, 0x31, 0x83, 0x5e, 0x82, 0xbc, 0xed, 0x3a, - 0x4c, 0xc5, 0xd7, 0x11, 0xcb, 0xa7, 0x44, 0xc9, 0x72, 0xed, 0x2a, 0xc6, 0x52, 0x20, 0x7a, 0x15, - 0x46, 0xc9, 0x75, 0x9b, 0x04, 0x5c, 0xdd, 0x21, 0x47, 0x14, 0x9d, 0xac, 0x72, 0x45, 0x0a, 0xc3, - 0x4a, 0xa8, 0xf9, 0x6f, 0x03, 0x50, 0xad, 0xfe, 0xe9, 0xbd, 0x26, 0x5b, 0x50, 0x90, 0x1b, 0x84, - 0x1e, 0x84, 0x11, 
0x37, 0x90, 0x6b, 0x9d, 0xa8, 0xce, 0xec, 0xef, 0xcd, 0x8f, 0xd4, 0xea, 0xd9, - 0xeb, 0x63, 0xc4, 0x0d, 0x44, 0xc5, 0x1a, 0x30, 0xd2, 0x72, 0xaf, 0xaf, 0x11, 0xbf, 0xcd, 0xb7, - 0xa4, 0x07, 0x15, 0xd2, 0xea, 0xaa, 0xae, 0xe1, 0x70, 0x86, 0xd2, 0xfc, 0xb5, 0x01, 0xb0, 0x76, - 0x39, 0x71, 0xd3, 0x97, 0x21, 0xbf, 0xc5, 0x79, 0x70, 0xd4, 0xeb, 0x58, 0x77, 0xf9, 0xe8, 0x96, - 0x10, 0x10, 0x2c, 0x65, 0xa2, 0xaf, 0x43, 0x8e, 0x7b, 0xa1, 0xba, 0x84, 0x87, 0xce, 0xf0, 0xcd, - 0xb5, 0x46, 0x22, 0x59, 0x5e, 0xf4, 0xcd, 0xb5, 0x06, 0x16, 0x02, 0xcd, 0x9f, 0x1b, 0x80, 0xd6, - 0xbb, 0x9e, 0x68, 0x9e, 0x42, 0x2e, 0xb7, 0xaf, 0xe6, 0xb7, 0x28, 0x7a, 0x10, 0x0a, 0xb2, 0x8e, - 0x54, 0x21, 0x97, 0x5c, 0x8b, 0xd1, 0xa1, 0x44, 0x38, 0xf4, 0x1a, 0xe4, 0x03, 0xea, 0x1c, 0x79, - 0xc4, 0x98, 0x49, 0x3f, 0x69, 0x28, 0x52, 0x27, 0xc4, 0x52, 0xae, 0xf9, 0xae, 0x01, 0xc5, 0xe4, - 0x6a, 0x96, 0xa1, 0x4b, 0x59, 0x74, 0x09, 0x14, 0x74, 0x7a, 0xc6, 0xb1, 0xc4, 0xdc, 0xc6, 0xe5, - 0x74, 0x05, 0xc6, 0x03, 0xb5, 0x0f, 0xea, 0x0a, 0xb8, 0x3f, 0xe9, 0xc6, 0x15, 0xfc, 0xa6, 0xf6, - 0x1f, 0x27, 0xd4, 0xe6, 0xdf, 0x73, 0x30, 0xb9, 0x41, 0xf8, 0x9b, 0x94, 0x6d, 0xd7, 0xa9, 0xe7, - 0xda, 0xbb, 0xa7, 0x10, 0x4d, 0x2d, 0x28, 0xb0, 0xae, 0x47, 0xe2, 0x0d, 0x5e, 0x1a, 0x3a, 0xef, - 0xe8, 0xf6, 0xe2, 0xae, 0x47, 0xd2, 0x73, 0x14, 0x4f, 0x21, 0x8e, 0xc4, 0xa3, 0xa7, 0xe1, 0xac, - 0x95, 0x99, 0x3a, 0x45, 0x29, 0xb7, 0x28, 0x43, 0xe6, 0x6c, 0x76, 0x20, 0x15, 0xe2, 0x5e, 0x5a, - 0x74, 0x49, 0x6c, 0xaa, 0x4b, 0x99, 0x28, 0x12, 0x44, 0xb7, 0x67, 0x54, 0x27, 0xa2, 0x0d, 0x8d, - 0x60, 0x38, 0xc1, 0xa2, 0x47, 0x61, 0x82, 0xbb, 0x84, 0xc5, 0x18, 0x99, 0x4f, 0x0b, 0xd5, 0x69, - 0xd9, 0x17, 0x6a, 0x70, 0x9c, 0xa1, 0x42, 0x21, 0x14, 0x43, 0xda, 0x65, 0x32, 0xc1, 0xa9, 0x14, - 0x79, 0xed, 0x78, 0x5b, 0x91, 0x78, 0xdd, 0xa4, 0x48, 0x74, 0x8d, 0x58, 0x38, 0x4e, 0xf5, 0x98, - 0x7f, 0x34, 0xe0, 0x5c, 0x86, 0xe9, 0x14, 0x5a, 0xa7, 0xcd, 0x6c, 0xeb, 0xf4, 0xf4, 0xb1, 0x16, - 0x39, 0xa0, 0x79, 0xfa, 0x87, 0x01, 0xe7, 0x33, 0x74, 
0xa2, 0x12, 0x69, 0x70, 0x8b, 0x77, 0x43, - 0xf4, 0x30, 0x8c, 0x8b, 0x8a, 0x64, 0xe3, 0x80, 0xc9, 0xd6, 0x86, 0x82, 0xe3, 0x84, 0x42, 0xb4, - 0xeb, 0xea, 0x8d, 0x8e, 0x4b, 0x7d, 0x19, 0x73, 0x5a, 0xbb, 0xbe, 0x9a, 0x60, 0xb0, 0x46, 0x85, - 0xbe, 0x06, 0x88, 0x11, 0xcb, 0x73, 0xdf, 0x92, 0x8f, 0xd7, 0x2c, 0xd7, 0xeb, 0x32, 0x22, 0x23, - 0x71, 0xbc, 0x7a, 0xaf, 0xe2, 0x45, 0xb8, 0x8f, 0x02, 0x1f, 0xc0, 0x85, 0x3e, 0x0f, 0x63, 0x1d, - 0x12, 0x86, 0xa2, 0xed, 0xcf, 0x4b, 0x63, 0xcf, 0x2a, 0x01, 0x63, 0xeb, 0x11, 0x18, 0xc7, 0x78, - 0xf9, 0xa6, 0x22, 0xb3, 0xe8, 0x3a, 0x21, 0x0c, 0x5d, 0x86, 0x49, 0x4b, 0x7b, 0x7d, 0x11, 0xce, - 0x1a, 0xd2, 0xe9, 0xcf, 0xed, 0xef, 0xcd, 0x4f, 0xea, 0xef, 0x35, 0x42, 0x9c, 0xa5, 0x43, 0x04, - 0xc6, 0xdd, 0x40, 0x4d, 0x56, 0xa2, 0xa3, 0xba, 0x3c, 0x7c, 0xfe, 0x96, 0xfc, 0xe9, 0x06, 0x27, - 0x23, 0x95, 0x44, 0x34, 0x9a, 0x87, 0x42, 0xeb, 0x0d, 0xc7, 0x8f, 0x83, 0xb1, 0x28, 0xce, 0xf2, - 0xda, 0x0b, 0x57, 0x37, 0x42, 0x1c, 0xc1, 0x11, 0x07, 0xe0, 0x54, 0x95, 0x79, 0x71, 0xed, 0x7b, - 0xfc, 0xe2, 0x51, 0x1b, 0xb9, 0xc4, 0xb2, 0xb1, 0xa6, 0x47, 0xdc, 0x16, 0x9e, 0xb5, 0x49, 0xbc, - 0x9a, 0x43, 0x44, 0x95, 0xee, 0xca, 0x59, 0x4d, 0xee, 0xd2, 0x64, 0x74, 0x5b, 0xac, 0x65, 0x51, - 0xb8, 0x97, 0xd6, 0xfc, 0xd8, 0x80, 0x7b, 0x0e, 0x8e, 0x46, 0xf4, 0x18, 0xe4, 0x45, 0x21, 0xa8, - 0x7c, 0xef, 0x81, 0xf8, 0xfe, 0x6e, 0xee, 0x06, 0xe4, 0xe6, 0xde, 0x7c, 0xf6, 0x04, 0x05, 0x10, - 0x4b, 0xf2, 0xa1, 0x7b, 0xc8, 0x24, 0x4f, 0xe4, 0x0e, 0x2b, 0x62, 0xf3, 0xc7, 0x29, 0x62, 0x7f, - 0x3b, 0xda, 0xe3, 0x74, 0xe2, 0xce, 0x45, 0x4f, 0x41, 0xd1, 0x71, 0x19, 0xb1, 0x65, 0xd0, 0x44, - 0x0b, 0x9d, 0x8b, 0x8d, 0xbd, 0x1a, 0x23, 0x6e, 0xea, 0x0f, 0x38, 0x65, 0x40, 0x36, 0xe4, 0x5b, - 0x8c, 0x76, 0x54, 0x19, 0x70, 0xbc, 0x84, 0x20, 0x62, 0x20, 0x5d, 0xfc, 0x35, 0x46, 0x3b, 0x58, - 0x0a, 0x47, 0xaf, 0xc2, 0x08, 0xa7, 0x6a, 0x7c, 0x7b, 0x02, 0x2a, 0x40, 0xa9, 0x18, 0x69, 0x52, - 0x3c, 0xc2, 0xa9, 0x88, 0x9e, 0x30, 0xeb, 0xb3, 0x97, 0x8f, 0xe8, 0xb3, 0x69, 0xf4, 0x24, 
0x8e, - 0x9a, 0x88, 0x96, 0x83, 0xf7, 0x9e, 0x3c, 0x93, 0xa6, 0xfa, 0xbe, 0xcc, 0xf4, 0x12, 0x8c, 0x5a, - 0xd1, 0x99, 0x8c, 0xca, 0x33, 0xf9, 0x8a, 0x1c, 0x74, 0xc7, 0x87, 0xb1, 0x70, 0x8b, 0xcf, 0x0a, - 0x98, 0x93, 0xbc, 0xe4, 0x2f, 0x8b, 0x13, 0x8e, 0x98, 0xb0, 0x12, 0x87, 0x9e, 0x84, 0x49, 0xe2, - 0x5b, 0x9b, 0x1e, 0x59, 0xa3, 0xed, 0xb6, 0xeb, 0xb7, 0x67, 0xc7, 0xe4, 0x65, 0x77, 0xb7, 0xb2, - 0x65, 0x72, 0x45, 0x47, 0xe2, 0x2c, 0xed, 0x41, 0x89, 0x79, 0x7c, 0x88, 0xc4, 0x1c, 0xfb, 0x79, - 0x71, 0xa0, 0x9f, 0xbf, 0x01, 0x25, 0x2f, 0xa9, 0x5f, 0xc3, 0x59, 0x90, 0xc7, 0xf1, 0xc4, 0xb0, - 0xc7, 0x91, 0x96, 0xc0, 0xe9, 0xe8, 0x35, 0x85, 0x85, 0x58, 0xd7, 0x21, 0xce, 0xc5, 0xa3, 0x6d, - 0x79, 0x4d, 0xcc, 0x96, 0xb2, 0x49, 0x66, 0x4d, 0xc1, 0x71, 0x42, 0x61, 0xbe, 0x97, 0x03, 0x94, - 0x71, 0x29, 0x91, 0xaa, 0x42, 0xf4, 0x8e, 0x01, 0x93, 0xbe, 0x0e, 0x56, 0xd9, 0xf8, 0xa4, 0xea, - 0x82, 0xe4, 0x78, 0xb2, 0xf8, 0xac, 0x4e, 0x14, 0xc0, 0x04, 0x67, 0x56, 0xab, 0xe5, 0xda, 0xd2, - 0x2a, 0x15, 0x95, 0x8f, 0xdf, 0xc2, 0x06, 0xf9, 0x51, 0x48, 0x39, 0xf1, 0x97, 0xa6, 0xc6, 0xad, - 0x8d, 0xc8, 0x35, 0x28, 0xce, 0x68, 0x40, 0x6f, 0x1b, 0x30, 0x2d, 0x6a, 0x36, 0x9d, 0x44, 0x4d, - 0xfd, 0x9e, 0xb8, 0x7d, 0xb5, 0xb8, 0x47, 0x42, 0xda, 0x5b, 0xf5, 0x62, 0x70, 0x9f, 0x36, 0xf3, - 0xaf, 0x06, 0xcc, 0xf4, 0x9d, 0x48, 0xf7, 0x34, 0xde, 0xae, 0x78, 0x50, 0x10, 0xc5, 0x47, 0x9c, - 0x73, 0x57, 0x8f, 0x75, 0xd6, 0x69, 0xd9, 0x93, 0x16, 0x4a, 0x02, 0x16, 0xe2, 0x48, 0x89, 0xb9, - 0x00, 0x93, 0x99, 0xb9, 0xcd, 0xe1, 0xc3, 0x4c, 0xf3, 0xfd, 0x02, 0x4c, 0xc7, 0x72, 0xc3, 0x46, - 0xb7, 0xd3, 0xb1, 0xd8, 0x69, 0xb4, 0x09, 0xdf, 0x33, 0xe0, 0xac, 0xee, 0x98, 0x6e, 0xb2, 0x45, - 0xd5, 0x63, 0x6d, 0x51, 0xe4, 0x1b, 0xe7, 0x95, 0xee, 0xb3, 0x1b, 0x59, 0x15, 0xb8, 0x57, 0x27, - 0xfa, 0x95, 0x01, 0xf7, 0x47, 0x5a, 0xd4, 0xdb, 0xb7, 0x1e, 0x0e, 0xe5, 0xa8, 0x27, 0x61, 0xd4, - 0xff, 0x2b, 0xa3, 0xee, 0x5f, 0xba, 0x85, 0x3e, 0x7c, 0x4b, 0x6b, 0xd0, 0xcf, 0x0c, 0xb8, 0x3b, - 0x22, 0xe8, 0xb5, 0x33, 0x7f, 
0x62, 0x76, 0x5e, 0x50, 0x76, 0xde, 0xbd, 0x74, 0x90, 0x22, 0x7c, - 0xb0, 0x7e, 0xd1, 0xf0, 0x74, 0xe2, 0x96, 0x5c, 0xd6, 0x56, 0x47, 0x30, 0xa6, 0xbf, 0xa7, 0x4f, - 0x8b, 0xa2, 0x04, 0x87, 0x53, 0x3d, 0xe6, 0xab, 0x70, 0x57, 0xdd, 0x6a, 0xbb, 0xbe, 0xac, 0xb1, - 0x57, 0x09, 0x7f, 0x3e, 0x10, 0x7f, 0xc2, 0x68, 0x62, 0xd6, 0x8e, 0xdc, 0x3e, 0xa7, 0x4f, 0xcc, - 0xda, 0x04, 0x4b, 0x0c, 0x7a, 0x10, 0x0a, 0x9e, 0xdb, 0x71, 0xb9, 0xea, 0x01, 0x92, 0x70, 0x5a, - 0x13, 0x40, 0x1c, 0xe1, 0x4c, 0x0b, 0x26, 0xf4, 0x7e, 0xff, 0x4e, 0xbc, 0x1a, 0xf8, 0x5d, 0x0e, - 0xe2, 0xa1, 0x27, 0x7a, 0x54, 0x6b, 0xf4, 0x23, 0x15, 0xb3, 0x87, 0x37, 0xf9, 0x68, 0x43, 0x8d, - 0x18, 0x46, 0x0e, 0x89, 0xd3, 0x2e, 0x77, 0xbd, 0x72, 0xf4, 0x55, 0x5b, 0xb9, 0xe6, 0xf3, 0xe7, - 0x59, 0x83, 0x33, 0xd7, 0x6f, 0x47, 0x43, 0x1b, 0x6d, 0x20, 0xf1, 0x39, 0x18, 0x23, 0xbe, 0x9c, - 0x5e, 0xc8, 0x72, 0xaa, 0x10, 0x0d, 0x66, 0x57, 0x22, 0x10, 0x8e, 0x71, 0xa2, 0x81, 0x76, 0xed, - 0x4e, 0x20, 0x4a, 0x5a, 0x59, 0x72, 0x16, 0xa2, 0x06, 0xba, 0xb6, 0xbc, 0x5e, 0x97, 0x65, 0x6e, - 0x82, 0x8d, 0x29, 0x97, 0xe3, 0x61, 0xb4, 0x46, 0x29, 0x60, 0x38, 0xc1, 0x4a, 0xca, 0xb6, 0x92, - 0x39, 0xaa, 0x51, 0xae, 0x26, 0x32, 0x15, 0x16, 0x5d, 0x51, 0x6f, 0x26, 0x55, 0xcb, 0x23, 0x0b, - 0x94, 0x62, 0xcf, 0xcb, 0xc5, 0x78, 0x5c, 0x96, 0xa1, 0x14, 0xcb, 0x0b, 0x99, 0x2d, 0x97, 0x37, - 0x9e, 0x2e, 0xaf, 0x11, 0x81, 0x70, 0x8c, 0x43, 0x65, 0x80, 0x90, 0xd9, 0x6a, 0xd5, 0xb2, 0x18, - 0x29, 0x54, 0xa7, 0xc4, 0x6d, 0xd6, 0x48, 0xa0, 0x58, 0xa3, 0x30, 0x09, 0x4c, 0xf7, 0x36, 0x25, - 0x77, 0xc2, 0x5d, 0xde, 0xcb, 0xc3, 0xf9, 0x46, 0x37, 0x10, 0x07, 0x15, 0x7d, 0x3f, 0xb1, 0x4c, - 0x3d, 0x4f, 0xd5, 0xd9, 0x77, 0xfe, 0xd2, 0x7e, 0x05, 0x8a, 0xe4, 0x7a, 0xe0, 0x32, 0xe2, 0x2c, - 0xc5, 0xfe, 0xf6, 0x85, 0xdb, 0x53, 0xd1, 0x74, 0x3b, 0x24, 0x5d, 0xda, 0x4a, 0x2c, 0x04, 0xa7, - 0xf2, 0xc4, 0x5e, 0x84, 0xae, 0x6f, 0x13, 0x41, 0xaa, 0xba, 0x9c, 0x84, 0xa1, 0x11, 0x23, 0x70, - 0x4a, 0x23, 0x3a, 0xc9, 0x56, 0xf2, 0xc5, 0x89, 0xf4, 0xc1, 0x23, 
0x74, 0x92, 0xbd, 0x5f, 0xae, - 0xa4, 0x3b, 0x90, 0xc2, 0xb0, 0xa6, 0x07, 0xfd, 0xc8, 0x80, 0x29, 0x2b, 0xfb, 0xd1, 0x48, 0xf4, - 0x86, 0x65, 0xfd, 0x68, 0xaa, 0x07, 0x7c, 0x00, 0x53, 0xbd, 0x47, 0xd9, 0x31, 0xd5, 0xf3, 0xf5, - 0x48, 0x8f, 0x72, 0xf3, 0x13, 0x03, 0xee, 0x1b, 0xe0, 0x11, 0xa7, 0x30, 0xfd, 0xf1, 0xb2, 0xd3, - 0x9f, 0xa1, 0xcb, 0x9b, 0x01, 0x96, 0x0f, 0x98, 0x03, 0xfd, 0x74, 0x04, 0x1e, 0x18, 0xc0, 0x71, - 0xe4, 0x89, 0xd0, 0x93, 0x30, 0x19, 0xff, 0xd7, 0xc3, 0x30, 0x2d, 0xa6, 0x75, 0x24, 0xce, 0xd2, - 0xc6, 0xaa, 0xe4, 0x85, 0x95, 0xeb, 0x57, 0x15, 0x5d, 0x5a, 0x31, 0x85, 0xf0, 0x70, 0x9b, 0x76, - 0x02, 0x8f, 0x70, 0x12, 0xb5, 0xe9, 0xe3, 0xa9, 0x87, 0x2f, 0xc7, 0x08, 0x9c, 0xd2, 0x88, 0x24, - 0x45, 0x18, 0xa3, 0x4c, 0x7a, 0x98, 0x36, 0xd0, 0x5e, 0x11, 0x40, 0x1c, 0xe1, 0xcc, 0x7f, 0x1a, - 0x70, 0x61, 0xc0, 0xa6, 0x9c, 0x5a, 0x95, 0xbb, 0x93, 0xad, 0x72, 0x5f, 0x38, 0x21, 0x37, 0x38, - 0xb4, 0xde, 0x7d, 0x18, 0x4a, 0xda, 0x5b, 0x02, 0x74, 0x01, 0x72, 0xa1, 0xef, 0xf6, 0x7e, 0x75, - 0xd6, 0xd8, 0xa8, 0x61, 0x01, 0xaf, 0x36, 0x3f, 0xb8, 0x31, 0x77, 0xe6, 0xc3, 0x1b, 0x73, 0x67, - 0x3e, 0xba, 0x31, 0x77, 0xe6, 0xed, 0xfd, 0x39, 0xe3, 0x83, 0xfd, 0x39, 0xe3, 0xc3, 0xfd, 0x39, - 0xe3, 0xa3, 0xfd, 0x39, 0xe3, 0xcf, 0xfb, 0x73, 0xc6, 0x4f, 0xfe, 0x32, 0x77, 0xe6, 0xe5, 0xf2, - 0x70, 0x9f, 0xe3, 0xff, 0x27, 0x00, 0x00, 0xff, 0xff, 0x5c, 0xc7, 0x62, 0xe3, 0xbf, 0x2f, 0x00, - 0x00, + 0x7c, 0x0b, 0x4b, 0x8c, 0xf9, 0xa1, 0x01, 0x63, 0xaa, 0x98, 0x41, 0x2f, 0x43, 0xde, 0x76, 0x1d, + 0xa6, 0xe2, 0xeb, 0x88, 0xe5, 0x53, 0xa2, 0x64, 0xb9, 0x76, 0x15, 0x63, 0x29, 0x10, 0xbd, 0x06, + 0xa3, 0xe4, 0xba, 0x4d, 0x02, 0xae, 0xee, 0x90, 0x23, 0x8a, 0x4e, 0x56, 0xb9, 0x22, 0x85, 0x61, + 0x25, 0xd4, 0xfc, 0xb7, 0x01, 0xa8, 0x56, 0xff, 0xfc, 0x5e, 0x93, 0x2d, 0x28, 0xc8, 0x0d, 0x42, + 0x0f, 0xc2, 0x88, 0x1b, 0xc8, 0xb5, 0x4e, 0x54, 0x67, 0xf6, 0xf7, 0xe6, 0x47, 0x6a, 0xf5, 0xec, + 0xf5, 0x31, 0xe2, 0x06, 0xa2, 0x62, 0x0d, 0x18, 0x69, 0xb9, 0xd7, 0xd7, 0x88, 0xdf, 0xe6, 0x5b, + 
0xd2, 0x83, 0x0a, 0x69, 0x75, 0x55, 0xd7, 0x70, 0x38, 0x43, 0x69, 0xfe, 0xd6, 0x00, 0x58, 0xbb, + 0x9c, 0xb8, 0xe9, 0x2b, 0x90, 0xdf, 0xe2, 0x3c, 0x38, 0xea, 0x75, 0xac, 0xbb, 0x7c, 0x74, 0x4b, + 0x08, 0x08, 0x96, 0x32, 0xd1, 0x4b, 0x90, 0xe3, 0x5e, 0xa8, 0x2e, 0xe1, 0xa1, 0x33, 0x7c, 0x73, + 0xad, 0x91, 0x48, 0x96, 0x17, 0x7d, 0x73, 0xad, 0x81, 0x85, 0x40, 0xf3, 0x97, 0x06, 0xa0, 0xf5, + 0xae, 0x27, 0x9a, 0xa7, 0x90, 0xcb, 0xed, 0xab, 0xf9, 0x2d, 0x8a, 0x1e, 0x84, 0x82, 0xac, 0x23, + 0x55, 0xc8, 0x25, 0xd7, 0x62, 0x74, 0x28, 0x11, 0x0e, 0xbd, 0x0e, 0xf9, 0x80, 0x3a, 0x47, 0x1e, + 0x31, 0x66, 0xd2, 0x4f, 0x1a, 0x8a, 0xd4, 0x09, 0xb1, 0x94, 0x6b, 0xbe, 0x67, 0x40, 0x31, 0xb9, + 0x9a, 0x65, 0xe8, 0x52, 0x16, 0x5d, 0x02, 0x05, 0x9d, 0x9e, 0x71, 0x2c, 0x31, 0xb7, 0x71, 0x39, + 0x5d, 0x81, 0xf1, 0x40, 0xed, 0x83, 0xba, 0x02, 0xee, 0x4f, 0xba, 0x71, 0x05, 0xbf, 0xa9, 0xfd, + 0xc7, 0x09, 0xb5, 0xf9, 0xf7, 0x1c, 0x4c, 0x6e, 0x10, 0xfe, 0x16, 0x65, 0xdb, 0x75, 0xea, 0xb9, + 0xf6, 0xee, 0x29, 0x44, 0x53, 0x0b, 0x0a, 0xac, 0xeb, 0x91, 0x78, 0x83, 0x97, 0x86, 0xce, 0x3b, + 0xba, 0xbd, 0xb8, 0xeb, 0x91, 0xf4, 0x1c, 0xc5, 0x53, 0x88, 0x23, 0xf1, 0xe8, 0x69, 0x38, 0x6b, + 0x65, 0xa6, 0x4e, 0x51, 0xca, 0x2d, 0xca, 0x90, 0x39, 0x9b, 0x1d, 0x48, 0x85, 0xb8, 0x97, 0x16, + 0x5d, 0x12, 0x9b, 0xea, 0x52, 0x26, 0x8a, 0x04, 0xd1, 0xed, 0x19, 0xd5, 0x89, 0x68, 0x43, 0x23, + 0x18, 0x4e, 0xb0, 0xe8, 0x51, 0x98, 0xe0, 0x2e, 0x61, 0x31, 0x46, 0xe6, 0xd3, 0x42, 0x75, 0x5a, + 0xf6, 0x85, 0x1a, 0x1c, 0x67, 0xa8, 0x50, 0x08, 0xc5, 0x90, 0x76, 0x99, 0x4c, 0x70, 0x2a, 0x45, + 0x5e, 0x3b, 0xde, 0x56, 0x24, 0x5e, 0x37, 0x29, 0x12, 0x5d, 0x23, 0x16, 0x8e, 0x53, 0x3d, 0xe6, + 0x1f, 0x0d, 0x38, 0x97, 0x61, 0x3a, 0x85, 0xd6, 0x69, 0x33, 0xdb, 0x3a, 0x3d, 0x7d, 0xac, 0x45, + 0x0e, 0x68, 0x9e, 0xfe, 0x61, 0xc0, 0xf9, 0x0c, 0x9d, 0xa8, 0x44, 0x1a, 0xdc, 0xe2, 0xdd, 0x10, + 0x3d, 0x0c, 0xe3, 0xa2, 0x22, 0xd9, 0x38, 0x60, 0xb2, 0xb5, 0xa1, 0xe0, 0x38, 0xa1, 0x10, 0xed, + 0xba, 0x7a, 0xa3, 0xe3, 0x52, 0x5f, 
0xc6, 0x9c, 0xd6, 0xae, 0xaf, 0x26, 0x18, 0xac, 0x51, 0xa1, + 0x6f, 0x02, 0x62, 0xc4, 0xf2, 0xdc, 0xb7, 0xe5, 0xe3, 0x35, 0xcb, 0xf5, 0xba, 0x8c, 0xc8, 0x48, + 0x1c, 0xaf, 0xde, 0xab, 0x78, 0x11, 0xee, 0xa3, 0xc0, 0x07, 0x70, 0xa1, 0x2f, 0xc3, 0x58, 0x87, + 0x84, 0xa1, 0x68, 0xfb, 0xf3, 0xd2, 0xd8, 0xb3, 0x4a, 0xc0, 0xd8, 0x7a, 0x04, 0xc6, 0x31, 0x5e, + 0xbe, 0xa9, 0xc8, 0x2c, 0xba, 0x4e, 0x08, 0x43, 0x97, 0x61, 0xd2, 0xd2, 0x5e, 0x5f, 0x84, 0xb3, + 0x86, 0x74, 0xfa, 0x73, 0xfb, 0x7b, 0xf3, 0x93, 0xfa, 0x7b, 0x8d, 0x10, 0x67, 0xe9, 0x10, 0x81, + 0x71, 0x37, 0x50, 0x93, 0x95, 0xe8, 0xa8, 0x2e, 0x0f, 0x9f, 0xbf, 0x25, 0x7f, 0xba, 0xc1, 0xc9, + 0x48, 0x25, 0x11, 0x8d, 0xe6, 0xa1, 0xd0, 0x7a, 0xd3, 0xf1, 0xe3, 0x60, 0x2c, 0x8a, 0xb3, 0xbc, + 0xf6, 0xc2, 0xd5, 0x8d, 0x10, 0x47, 0x70, 0xc4, 0x01, 0x38, 0x55, 0x65, 0x5e, 0x5c, 0xfb, 0x1e, + 0xbf, 0x78, 0xd4, 0x46, 0x2e, 0xb1, 0x6c, 0xac, 0xe9, 0x11, 0xb7, 0x85, 0x67, 0x6d, 0x12, 0xaf, + 0xe6, 0x10, 0x51, 0xa5, 0xbb, 0x72, 0x56, 0x93, 0xbb, 0x34, 0x19, 0xdd, 0x16, 0x6b, 0x59, 0x14, + 0xee, 0xa5, 0x35, 0x3f, 0x35, 0xe0, 0x9e, 0x83, 0xa3, 0x11, 0x3d, 0x06, 0x79, 0x51, 0x08, 0x2a, + 0xdf, 0x7b, 0x20, 0xbe, 0xbf, 0x9b, 0xbb, 0x01, 0xb9, 0xb9, 0x37, 0x9f, 0x3d, 0x41, 0x01, 0xc4, + 0x92, 0x7c, 0xe8, 0x1e, 0x32, 0xc9, 0x13, 0xb9, 0xc3, 0x8a, 0xd8, 0xfc, 0x71, 0x8a, 0xd8, 0x0f, + 0x47, 0x7b, 0x9c, 0x4e, 0xdc, 0xb9, 0xe8, 0x29, 0x28, 0x3a, 0x2e, 0x23, 0xb6, 0x0c, 0x9a, 0x68, + 0xa1, 0x73, 0xb1, 0xb1, 0x57, 0x63, 0xc4, 0x4d, 0xfd, 0x01, 0xa7, 0x0c, 0xc8, 0x86, 0x7c, 0x8b, + 0xd1, 0x8e, 0x2a, 0x03, 0x8e, 0x97, 0x10, 0x44, 0x0c, 0xa4, 0x8b, 0xbf, 0xc6, 0x68, 0x07, 0x4b, + 0xe1, 0xe8, 0x35, 0x18, 0xe1, 0x54, 0x8d, 0x6f, 0x4f, 0x40, 0x05, 0x28, 0x15, 0x23, 0x4d, 0x8a, + 0x47, 0x38, 0x15, 0xd1, 0x13, 0x66, 0x7d, 0xf6, 0xf2, 0x11, 0x7d, 0x36, 0x8d, 0x9e, 0xc4, 0x51, + 0x13, 0xd1, 0x72, 0xf0, 0xde, 0x93, 0x67, 0xd2, 0x54, 0xdf, 0x97, 0x99, 0x5e, 0x82, 0x51, 0x2b, + 0x3a, 0x93, 0x51, 0x79, 0x26, 0xcf, 0xc8, 0x41, 0x77, 0x7c, 0x18, 0x8f, 
0xdc, 0xe2, 0xb3, 0x02, + 0xe6, 0xa8, 0xaf, 0x09, 0x16, 0xca, 0xe2, 0x80, 0x23, 0x1e, 0xac, 0xa4, 0xa1, 0x27, 0x61, 0x92, + 0xf8, 0xd6, 0xa6, 0x47, 0xd6, 0x68, 0xbb, 0xed, 0xfa, 0xed, 0xd9, 0x31, 0x79, 0xd7, 0xdd, 0xad, + 0x4c, 0x99, 0x5c, 0xd1, 0x91, 0x38, 0x4b, 0x7b, 0x50, 0x5e, 0x1e, 0x1f, 0x22, 0x2f, 0xc7, 0x6e, + 0x5e, 0x1c, 0xe8, 0xe6, 0x6f, 0x42, 0xc9, 0x4b, 0xca, 0xd7, 0x70, 0x16, 0xe4, 0x69, 0x3c, 0x31, + 0xec, 0x69, 0xa4, 0x15, 0x70, 0x3a, 0x79, 0x4d, 0x61, 0x21, 0xd6, 0x75, 0x88, 0x63, 0xf1, 0x68, + 0x5b, 0xde, 0x12, 0xb3, 0xa5, 0x6c, 0x8e, 0x59, 0x53, 0x70, 0x9c, 0x50, 0x98, 0xef, 0xe7, 0x00, + 0x65, 0x3c, 0x4a, 0x64, 0xaa, 0x10, 0xbd, 0x6b, 0xc0, 0xa4, 0xaf, 0x83, 0x55, 0x32, 0x3e, 0xa9, + 0xb2, 0x20, 0x39, 0x9e, 0x2c, 0x3e, 0xab, 0x13, 0x05, 0x30, 0xc1, 0x99, 0xd5, 0x6a, 0xb9, 0xb6, + 0xb4, 0x4a, 0x05, 0xe5, 0xe3, 0xb7, 0xb0, 0x41, 0x7e, 0x13, 0x52, 0x8e, 0xbf, 0x09, 0x29, 0x37, + 0x35, 0x6e, 0x6d, 0x42, 0xae, 0x41, 0x71, 0x46, 0x03, 0x7a, 0xc7, 0x80, 0x69, 0x51, 0xb2, 0xe9, + 0x24, 0x6a, 0xe8, 0xf7, 0xc4, 0xed, 0xab, 0xc5, 0x3d, 0x12, 0xd2, 0xd6, 0xaa, 0x17, 0x83, 0xfb, + 0xb4, 0x99, 0x7f, 0x35, 0x60, 0xa6, 0xef, 0x44, 0xba, 0xa7, 0xf1, 0x72, 0xc5, 0x83, 0x82, 0xa8, + 0x3d, 0xe2, 0x94, 0xbb, 0x7a, 0xac, 0xb3, 0x4e, 0xab, 0x9e, 0xb4, 0x4e, 0x12, 0xb0, 0x10, 0x47, + 0x4a, 0xcc, 0x05, 0x98, 0xcc, 0x8c, 0x6d, 0x0e, 0x9f, 0x65, 0x9a, 0x1f, 0x14, 0x60, 0x3a, 0x96, + 0x1b, 0x36, 0xba, 0x9d, 0x8e, 0xc5, 0x4e, 0xa3, 0x4b, 0xf8, 0x81, 0x01, 0x67, 0x75, 0xc7, 0x74, + 0x93, 0x2d, 0xaa, 0x1e, 0x6b, 0x8b, 0x22, 0xdf, 0x38, 0xaf, 0x74, 0x9f, 0xdd, 0xc8, 0xaa, 0xc0, + 0xbd, 0x3a, 0xd1, 0x6f, 0x0c, 0xb8, 0x3f, 0xd2, 0xa2, 0x5e, 0xbe, 0xf5, 0x70, 0x28, 0x47, 0x3d, + 0x09, 0xa3, 0xfe, 0x5f, 0x19, 0x75, 0xff, 0xd2, 0x2d, 0xf4, 0xe1, 0x5b, 0x5a, 0x83, 0x7e, 0x61, + 0xc0, 0xdd, 0x11, 0x41, 0xaf, 0x9d, 0xf9, 0x13, 0xb3, 0xf3, 0x82, 0xb2, 0xf3, 0xee, 0xa5, 0x83, + 0x14, 0xe1, 0x83, 0xf5, 0x8b, 0x7e, 0xa7, 0x13, 0x77, 0xe4, 0xb2, 0xb4, 0x3a, 0x82, 0x31, 0xfd, + 0x2d, 0x7d, 
0x5a, 0x13, 0x25, 0x38, 0x9c, 0xea, 0x31, 0x5f, 0x83, 0xbb, 0xea, 0x56, 0xdb, 0xf5, + 0x65, 0x89, 0xbd, 0x4a, 0xf8, 0xf3, 0x81, 0xf8, 0x13, 0x46, 0x03, 0xb3, 0x76, 0xe4, 0xf6, 0x39, + 0x7d, 0x60, 0xd6, 0x26, 0x58, 0x62, 0xd0, 0x83, 0x50, 0xf0, 0xdc, 0x8e, 0xcb, 0x55, 0x0b, 0x90, + 0x84, 0xd3, 0x9a, 0x00, 0xe2, 0x08, 0x67, 0x5a, 0x30, 0xa1, 0xb7, 0xfb, 0x77, 0xe2, 0xcd, 0xc0, + 0xef, 0x72, 0x10, 0xcf, 0x3c, 0xd1, 0xa3, 0x5a, 0x9f, 0x1f, 0xa9, 0x98, 0x3d, 0xbc, 0xc7, 0x47, + 0x1b, 0x6a, 0xc2, 0x30, 0x72, 0x48, 0x9c, 0x76, 0xb9, 0xeb, 0x95, 0xa3, 0x8f, 0xda, 0xca, 0x35, + 0x9f, 0x3f, 0xcf, 0x1a, 0x9c, 0xb9, 0x7e, 0x3b, 0x9a, 0xd9, 0x68, 0xf3, 0x88, 0x2f, 0xc1, 0x18, + 0xf1, 0xe5, 0xf0, 0x42, 0x56, 0x53, 0x85, 0x68, 0x2e, 0xbb, 0x12, 0x81, 0x70, 0x8c, 0x13, 0xfd, + 0xb3, 0x6b, 0x77, 0x02, 0x51, 0xd1, 0xca, 0x8a, 0xb3, 0x10, 0xf5, 0xcf, 0xb5, 0xe5, 0xf5, 0xba, + 0xac, 0x72, 0x13, 0x6c, 0x4c, 0xb9, 0x1c, 0xcf, 0xa2, 0x35, 0x4a, 0x01, 0xc3, 0x09, 0x56, 0x52, + 0xb6, 0x95, 0xcc, 0x51, 0x8d, 0x72, 0x35, 0x91, 0xa9, 0xb0, 0xe8, 0x8a, 0x7a, 0x31, 0xa9, 0x3a, + 0x1e, 0x59, 0xa0, 0x14, 0x7b, 0xde, 0x2d, 0xc6, 0xd3, 0xb2, 0x0c, 0xa5, 0x58, 0x5e, 0xc8, 0x6c, + 0xb9, 0xbc, 0xf1, 0x74, 0x79, 0x8d, 0x08, 0x84, 0x63, 0x1c, 0x2a, 0x03, 0x84, 0xcc, 0x56, 0xab, + 0x96, 0xc5, 0x48, 0xa1, 0x3a, 0x25, 0x6e, 0xb3, 0x46, 0x02, 0xc5, 0x1a, 0x85, 0x49, 0x60, 0xba, + 0xb7, 0x27, 0xb9, 0x13, 0xee, 0xf2, 0x7e, 0x1e, 0xce, 0x37, 0xba, 0x81, 0x38, 0xa8, 0xe8, 0xf3, + 0x89, 0x65, 0xea, 0x79, 0xaa, 0xcc, 0xbe, 0xf3, 0x97, 0xf6, 0xab, 0x50, 0x24, 0xd7, 0x03, 0x97, + 0x11, 0x67, 0x29, 0xf6, 0xb7, 0xaf, 0xdc, 0x9e, 0x8a, 0xa6, 0xdb, 0x21, 0xe9, 0xd2, 0x56, 0x62, + 0x21, 0x38, 0x95, 0x27, 0xf6, 0x22, 0x74, 0x7d, 0x9b, 0x08, 0x52, 0xd5, 0xe4, 0x24, 0x0c, 0x8d, + 0x18, 0x81, 0x53, 0x1a, 0xd1, 0x48, 0xb6, 0x92, 0x0f, 0x4e, 0xa4, 0x0f, 0x1e, 0xa1, 0x91, 0xec, + 0xfd, 0x70, 0x25, 0xdd, 0x81, 0x14, 0x86, 0x35, 0x3d, 0xe8, 0x27, 0x06, 0x4c, 0x59, 0xd9, 0x6f, + 0x46, 0xa2, 0x17, 0x2c, 0xeb, 0x47, 0x53, 0x3d, 
0xe0, 0xfb, 0x97, 0xea, 0x3d, 0xca, 0x8e, 0xa9, + 0x9e, 0x8f, 0x47, 0x7a, 0x94, 0x9b, 0x9f, 0x19, 0x70, 0xdf, 0x00, 0x8f, 0x38, 0x85, 0xe1, 0x8f, + 0x97, 0x1d, 0xfe, 0x0c, 0x5d, 0xde, 0x0c, 0xb0, 0x7c, 0xc0, 0x18, 0xe8, 0xe7, 0x23, 0xf0, 0xc0, + 0x00, 0x8e, 0x23, 0x0f, 0x84, 0x9e, 0x84, 0xc9, 0xf8, 0xbf, 0x1e, 0x86, 0x69, 0x31, 0xad, 0x23, + 0x71, 0x96, 0x36, 0x56, 0x25, 0x2f, 0xac, 0x5c, 0xbf, 0xaa, 0xe8, 0xd2, 0x8a, 0x29, 0x84, 0x87, + 0xdb, 0xb4, 0x13, 0x78, 0x84, 0x93, 0xa8, 0x4b, 0x1f, 0x4f, 0x3d, 0x7c, 0x39, 0x46, 0xe0, 0x94, + 0x46, 0x24, 0x29, 0xc2, 0x18, 0x65, 0xd2, 0xc3, 0xb4, 0x79, 0xf6, 0x8a, 0x00, 0xe2, 0x08, 0x67, + 0xfe, 0xd3, 0x80, 0x0b, 0x03, 0x36, 0xe5, 0xd4, 0xaa, 0xdc, 0x9d, 0x6c, 0x95, 0xfb, 0xc2, 0x09, + 0xb9, 0xc1, 0xa1, 0xf5, 0xee, 0xc3, 0x50, 0xd2, 0x5e, 0x12, 0xa0, 0x0b, 0x90, 0x0b, 0x7d, 0xb7, + 0xf7, 0xa3, 0xb3, 0xc6, 0x46, 0x0d, 0x0b, 0x78, 0xb5, 0xf9, 0xd1, 0x8d, 0xb9, 0x33, 0x1f, 0xdf, + 0x98, 0x3b, 0xf3, 0xc9, 0x8d, 0xb9, 0x33, 0xef, 0xec, 0xcf, 0x19, 0x1f, 0xed, 0xcf, 0x19, 0x1f, + 0xef, 0xcf, 0x19, 0x9f, 0xec, 0xcf, 0x19, 0x7f, 0xde, 0x9f, 0x33, 0x7e, 0xf6, 0x97, 0xb9, 0x33, + 0xaf, 0x94, 0x87, 0xfb, 0x1a, 0xff, 0x3f, 0x01, 0x00, 0x00, 0xff, 0xff, 0xdf, 0x8d, 0x27, 0x1b, + 0xbe, 0x2f, 0x00, 0x00, } func (m *AddressGroup) Marshal() (dAtA []byte, err error) { @@ -9540,7 +9540,7 @@ func (m *NetworkPolicyRule) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - s := antrea_io_antrea_pkg_apis_crd_v1alpha1.RuleAction(dAtA[iNdEx:postIndex]) + s := antrea_io_antrea_pkg_apis_crd_v1beta1.RuleAction(dAtA[iNdEx:postIndex]) m.Action = &s iNdEx = postIndex case 7: diff --git a/pkg/apis/controlplane/v1beta2/types.go b/pkg/apis/controlplane/v1beta2/types.go index 27c00607b45..1c4091b3db3 100644 --- a/pkg/apis/controlplane/v1beta2/types.go +++ b/pkg/apis/controlplane/v1beta2/types.go 
@@ -19,7 +19,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 
-	crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+	crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 	statsv1alpha1 "antrea.io/antrea/pkg/apis/stats/v1alpha1"
 )
 
@@ -246,7 +246,7 @@ type NetworkPolicyRule struct {
 	// Action specifies the action to be applied on the rule. i.e. Allow/Drop. An empty
 	// action “nil” defaults to Allow action, which would be the case for rules created for
 	// K8s Network Policy.
-	Action *crdv1alpha1.RuleAction `json:"action,omitempty" protobuf:"bytes,6,opt,name=action,casttype=antrea.io/antrea/pkg/apis/security/v1alpha1.RuleAction"`
+	Action *crdv1beta1.RuleAction `json:"action,omitempty" protobuf:"bytes,6,opt,name=action,casttype=antrea.io/antrea/pkg/apis/security/v1beta1.RuleAction"`
 	// EnableLogging indicates whether or not to generate logs when rules are matched. Default to false.
 	EnableLogging bool `json:"enableLogging" protobuf:"varint,7,opt,name=enableLogging"`
 	// AppliedToGroups is a list of names of AppliedToGroups to which this rule applies.
diff --git a/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go b/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go
index 2f96026c1df..77f7128878a 100644
--- a/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go
+++ b/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go
@@ -24,8 +24,8 @@ import (
 	unsafe "unsafe"
 
 	controlplane "antrea.io/antrea/pkg/apis/controlplane"
-	v1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
-	statsv1alpha1 "antrea.io/antrea/pkg/apis/stats/v1alpha1"
+	v1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
+	v1alpha1 "antrea.io/antrea/pkg/apis/stats/v1alpha1"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	types "k8s.io/apimachinery/pkg/types"
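Review bot: The `casttype` in the new protobuf tag on `Action` still names `antrea.io/antrea/pkg/apis/security/v1beta1.RuleAction`, while the import changed in the first hunk of this file resolves the type from `antrea.io/antrea/pkg/apis/crd/v1beta1`, and the regenerated pb.go in this patch refers to it through the `antrea_io_antrea_pkg_apis_crd_v1beta1` alias. The `security/...` path looks like a leftover from a search-and-replace on the previous tag rather than generator output, so it is presumably not what codegen consumes, but it documents a package path that does not match the field's Go type. Suggest `casttype=antrea.io/antrea/pkg/apis/crd/v1beta1.RuleAction`, and regenerating the tag through the codegen script rather than hand-editing it, so the tag and generated.pb.go can be checked against each other. The NetworkPolicyRule struct continues outside the hunk.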
@@ -1489,7 +1489,7 @@ func autoConvert_v1beta2_NetworkPolicyRule_To_controlplane_NetworkPolicyRule(in out.Services = nil } out.Priority = in.Priority - out.Action = (*v1alpha1.RuleAction)(unsafe.Pointer(in.Action)) + out.Action = (*v1beta1.RuleAction)(unsafe.Pointer(in.Action)) out.EnableLogging = in.EnableLogging out.AppliedToGroups = *(*[]string)(unsafe.Pointer(&in.AppliedToGroups)) out.Name = in.Name @@ -1524,7 +1524,7 @@ func autoConvert_controlplane_NetworkPolicyRule_To_v1beta2_NetworkPolicyRule(in } out.Name = in.Name out.Priority = in.Priority - out.Action = (*v1alpha1.RuleAction)(unsafe.Pointer(in.Action)) + out.Action = (*v1beta1.RuleAction)(unsafe.Pointer(in.Action)) out.EnableLogging = in.EnableLogging out.AppliedToGroups = *(*[]string)(unsafe.Pointer(&in.AppliedToGroups)) out.L7Protocols = *(*[]L7Protocol)(unsafe.Pointer(&in.L7Protocols)) @@ -1542,7 +1542,7 @@ func autoConvert_v1beta2_NetworkPolicyStats_To_controlplane_NetworkPolicyStats(i return err } out.TrafficStats = in.TrafficStats - out.RuleTrafficStats = *(*[]statsv1alpha1.RuleTrafficStats)(unsafe.Pointer(&in.RuleTrafficStats)) + out.RuleTrafficStats = *(*[]v1alpha1.RuleTrafficStats)(unsafe.Pointer(&in.RuleTrafficStats)) return nil } @@ -1556,7 +1556,7 @@ func autoConvert_controlplane_NetworkPolicyStats_To_v1beta2_NetworkPolicyStats(i return err } out.TrafficStats = in.TrafficStats - out.RuleTrafficStats = *(*[]statsv1alpha1.RuleTrafficStats)(unsafe.Pointer(&in.RuleTrafficStats)) + out.RuleTrafficStats = *(*[]v1alpha1.RuleTrafficStats)(unsafe.Pointer(&in.RuleTrafficStats)) return nil } diff --git a/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go b/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go index 68e7b231e2a..672b6e0d825 100644 --- a/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go +++ b/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go 
@@ -20,8 +20,8 @@ package v1beta2 import ( - v1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" - statsv1alpha1 "antrea.io/antrea/pkg/apis/stats/v1alpha1" + v1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" + v1alpha1 "antrea.io/antrea/pkg/apis/stats/v1alpha1" runtime "k8s.io/apimachinery/pkg/runtime" intstr "k8s.io/apimachinery/pkg/util/intstr" ) @@ -902,7 +902,7 @@ func (in *NetworkPolicyRule) DeepCopyInto(out *NetworkPolicyRule) { } if in.Action != nil { in, out := &in.Action, &out.Action - *out = new(v1alpha1.RuleAction) + *out = new(v1beta1.RuleAction) **out = **in } if in.AppliedToGroups != nil { @@ -937,7 +937,7 @@ func (in *NetworkPolicyStats) DeepCopyInto(out *NetworkPolicyStats) { out.TrafficStats = in.TrafficStats if in.RuleTrafficStats != nil { in, out := &in.RuleTrafficStats, &out.RuleTrafficStats - *out = make([]statsv1alpha1.RuleTrafficStats, len(*in)) + *out = make([]v1alpha1.RuleTrafficStats, len(*in)) copy(*out, *in) } return diff --git a/pkg/apis/controlplane/zz_generated.deepcopy.go b/pkg/apis/controlplane/zz_generated.deepcopy.go index 3d1f309b2a0..08e0944de99 100644 --- a/pkg/apis/controlplane/zz_generated.deepcopy.go +++ b/pkg/apis/controlplane/zz_generated.deepcopy.go @@ -20,8 +20,8 @@ package controlplane import ( - v1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" - statsv1alpha1 "antrea.io/antrea/pkg/apis/stats/v1alpha1" + v1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" + v1alpha1 "antrea.io/antrea/pkg/apis/stats/v1alpha1" runtime "k8s.io/apimachinery/pkg/runtime" intstr "k8s.io/apimachinery/pkg/util/intstr" ) @@ -902,7 +902,7 @@ func (in *NetworkPolicyRule) DeepCopyInto(out *NetworkPolicyRule) { } if in.Action != nil { in, out := &in.Action, &out.Action - *out = new(v1alpha1.RuleAction) + *out = new(v1beta1.RuleAction) **out = **in } if in.AppliedToGroups != nil { 
@@ -937,7 +937,7 @@ func (in *NetworkPolicyStats) DeepCopyInto(out *NetworkPolicyStats) { out.TrafficStats = in.TrafficStats if in.RuleTrafficStats != nil { in, out := &in.RuleTrafficStats, &out.RuleTrafficStats - *out = make([]statsv1alpha1.RuleTrafficStats, len(*in)) + *out = make([]v1alpha1.RuleTrafficStats, len(*in)) copy(*out, *in) } return diff --git a/pkg/apis/crd/v1beta1/register.go b/pkg/apis/crd/v1beta1/register.go index 82a785cd6ec..2d0aff206af 100644 --- a/pkg/apis/crd/v1beta1/register.go +++ b/pkg/apis/crd/v1beta1/register.go @@ -54,6 +54,10 @@ func addKnownTypes(scheme *runtime.Scheme) error { &ClusterGroupList{}, &Group{}, &GroupList{}, + &NetworkPolicy{}, + &NetworkPolicyList{}, + &ClusterNetworkPolicy{}, + &ClusterNetworkPolicyList{}, ) metav1.AddToGroupVersion( diff --git a/pkg/apis/crd/v1beta1/types.go b/pkg/apis/crd/v1beta1/types.go index 6bd9e698f5f..81f0439a810 100644 --- a/pkg/apis/crd/v1beta1/types.go +++ b/pkg/apis/crd/v1beta1/types.go @@ -17,8 +17,7 @@ package v1beta1 import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "antrea.io/antrea/pkg/apis/crd/v1alpha1" + "k8s.io/apimachinery/pkg/util/intstr" ) // +genclient @@ -278,11 +277,11 @@ type GroupSpec struct { // IPBlocks cannot be set as part of the AppliedTo field. // Cannot be set with any other selector or ServiceReference. // +optional - IPBlocks []v1alpha1.IPBlock `json:"ipBlocks,omitempty"` + IPBlocks []IPBlock `json:"ipBlocks,omitempty"` // Select backend Pods of the referred Service. // Cannot be set with any other selector or ipBlock. // +optional - ServiceReference *v1alpha1.NamespacedName `json:"serviceReference,omitempty"` + ServiceReference *NamespacedName `json:"serviceReference,omitempty"` // Select ExternalEntities from all Namespaces as workloads // in AppliedTo/To/From fields. If set with NamespaceSelector, // ExternalEntities are matched from Namespaces matched by the 
@@ -351,3 +350,463 @@ type GroupList struct {
 
 	Items []Group `json:"items,omitempty"`
 }
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type NetworkPolicy struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard metadata of the object.
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Specification of the desired behavior of NetworkPolicy.
+	Spec NetworkPolicySpec `json:"spec"`
+	// Most recently observed status of the NetworkPolicy.
+	Status NetworkPolicyStatus `json:"status"`
+}
+
+// NetworkPolicySpec defines the desired state for NetworkPolicy.
+type NetworkPolicySpec struct {
+	// Tier specifies the tier to which this NetworkPolicy belongs to.
+	// The NetworkPolicy order will be determined based on the combination of the
+	// Tier's Priority and the NetworkPolicy's own Priority. If not specified,
+	// this policy will be created in the Application Tier right above the K8s
+	// NetworkPolicy which resides at the bottom.
+	Tier string `json:"tier,omitempty"`
+	// Priority specfies the order of the NetworkPolicy relative to other
+	// NetworkPolicies.
+	Priority float64 `json:"priority"`
+	// Select workloads on which the rules will be applied to. Cannot be set in
+	// conjunction with AppliedTo in each rule.
+	// +optional
+	AppliedTo []AppliedTo `json:"appliedTo,omitempty"`
+	// Set of ingress rules evaluated based on the order in which they are set.
+	// Currently Ingress rule supports setting the `From` field but not the `To`
+	// field within a Rule.
+	// +optional
+	Ingress []Rule `json:"ingress,omitempty"`
+	// Set of egress rules evaluated based on the order in which they are set.
+	// Currently Egress rule supports setting the `To` field but not the `From`
+	// field within a Rule.
+	// +optional
+	Egress []Rule `json:"egress,omitempty"`
+}
+
+// NetworkPolicyPhase defines the phase in which a NetworkPolicy is.
+type NetworkPolicyPhase string
+
+// NetworkPolicyConditionType describes the condition types of NetworkPolicies.
+type NetworkPolicyConditionType string
+
+// These are the valid values for NetworkPolicyPhase.
+const (
+	// NetworkPolicyPending means the NetworkPolicy has been accepted by the system, but it has not been processed by Antrea.
+	NetworkPolicyPending NetworkPolicyPhase = "Pending"
+	// NetworkPolicyRealizing means the NetworkPolicy has been observed by Antrea and is being realized.
+	NetworkPolicyRealizing NetworkPolicyPhase = "Realizing"
+	// NetworkPolicyRealized means the NetworkPolicy has been enforced to all Pods on all Nodes it applies to.
+	NetworkPolicyRealized NetworkPolicyPhase = "Realized"
+	// NetworkPolicyFailed means the NetworkPolicy is failed to be enforced on at least one Node.
+	NetworkPolicyFailed NetworkPolicyPhase = "Failed"
+)
+
+// These are valid conditions of a deployment.
+const (
+	// NetworkPolicyConditionRealizable reports whether the NetworkPolicy is realizable and the reasons why it is not.
+	NetworkPolicyConditionRealizable NetworkPolicyConditionType = "Realizable"
+	// NetworkPolicyConditionRealizationFailure reports information about a failure when realizing the NetworkPolicy on a Node.
+	NetworkPolicyConditionRealizationFailure NetworkPolicyConditionType = "RealizationFailure"
+)
+
+// NetworkPolicyCondition describes the state of a NetworkPolicy at a certain point.
+type NetworkPolicyCondition struct {
+	// Type of StatefulSet condition.
+	Type NetworkPolicyConditionType `json:"type"`
+	// Status of the condition, one of True, False, Unknown.
+	Status metav1.ConditionStatus `json:"status"`
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	// +optional
+	Reason string `json:"reason,omitempty"`
+	// A human-readable message indicating details about the transition.
+	// +optional
+	Message string `json:"message,omitempty"`
+}
+
+// NetworkPolicyStatus represents information about the status of a NetworkPolicy.
+type NetworkPolicyStatus struct {
+	// The phase of a NetworkPolicy is a simple, high-level summary of the NetworkPolicy's status.
+	Phase NetworkPolicyPhase `json:"phase"`
+	// The generation observed by Antrea.
+	ObservedGeneration int64 `json:"observedGeneration"`
+	// The number of nodes that have realized the NetworkPolicy.
+	CurrentNodesRealized int32 `json:"currentNodesRealized"`
+	// The total number of nodes that should realize the NetworkPolicy.
+	DesiredNodesRealized int32 `json:"desiredNodesRealized"`
+	// Represents the latest available observations of a NetworkPolicy current state.
+	Conditions []NetworkPolicyCondition `json:"conditions"`
+}
+
+// Rule describes the traffic allowed to/from the workloads selected by
+// Spec.AppliedTo. Based on the action specified in the rule, traffic is either
+// allowed or denied which exactly match the specified ports and protocol.
+type Rule struct {
+	// Action specifies the action to be applied on the rule.
+	Action *RuleAction `json:"action"`
+	// Set of ports and protocols matched by the rule. If this field and Protocols
+	// are unset or empty, this rule matches all ports.
+	// +optional
+	Ports []NetworkPolicyPort `json:"ports,omitempty"`
+	// Set of protocols matched by the rule. If this field and Ports are unset or
+	// empty, this rule matches all protocols supported.
+	// +optional
+	Protocols []NetworkPolicyProtocol `json:"protocols,omitempty"`
+	// Set of layer 7 protocols matched by the rule. If this field is set, action can only be Allow.
+	// When this field is used in a rule, any traffic matching the other layer 3/4 criteria of the rule (typically the
+	// 5-tuple) will be forwarded to an application-aware engine for protocol detection and rule enforcement, and the
+	// traffic will be allowed if the layer 7 criteria is also matched, otherwise it will be dropped. Therefore, any
+	// rules after a layer 7 rule will not be enforced for the traffic.
+	L7Protocols []L7Protocol `json:"l7Protocols,omitempty"`
+	// Rule is matched if traffic originates from workloads selected by
+	// this field. If this field is empty, this rule matches all sources.
+	// +optional
+	From []NetworkPolicyPeer `json:"from,omitempty"`
+	// Rule is matched if traffic is intended for workloads selected by
+	// this field. This field can't be used with ToServices. If this field
+	// and ToServices are both empty or missing this rule matches all destinations.
+	// +optional
+	To []NetworkPolicyPeer `json:"to,omitempty"`
+	// Rule is matched if traffic is intended for a Service listed in this field.
+	// Currently, only ClusterIP types Services are supported in this field.
+	// When scope is set to ClusterSet, it matches traffic intended for a multi-cluster
+	// Service listed in this field. Service name and Namespace provided should match
+	// the original exported Service.
+	// This field can only be used when AntreaProxy is enabled. This field can't be used
+	// with To or Ports. If this field and To are both empty or missing, this rule matches
+	// all destinations.
+	// +optional
+	ToServices []PeerService `json:"toServices,omitempty"`
+	// Name describes the intention of this rule.
+	// Name should be unique within the policy.
+	// +optional
+	Name string `json:"name,omitempty"`
+	// EnableLogging is used to indicate if agent should generate logs
+	// when rules are matched. Should be default to false.
+	// +optional
+	EnableLogging bool `json:"enableLogging"`
+	// LogLabel is a user-defined arbitrary string which will be printed in the NetworkPolicy logs.
+	// +optional
+	LogLabel string `json:"logLabel,omitempty"`
+	// Select workloads on which this rule will be applied to. Cannot be set in
+	// conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo.
+	// +optional
+	AppliedTo []AppliedTo `json:"appliedTo,omitempty"`
+}
+
+// NetworkPolicyPeer describes the grouping selector of workloads.
+type NetworkPolicyPeer struct {
+	// IPBlock describes the IPAddresses/IPBlocks that is matched in to/from.
+	// IPBlock cannot be set as part of the AppliedTo field.
+	// Cannot be set with any other selector.
+	// +optional
+	IPBlock *IPBlock `json:"ipBlock,omitempty"`
+	// Select Pods from NetworkPolicy's Namespace as workloads in
+	// To/From fields. If set with NamespaceSelector, Pods are
+	// matched from Namespaces matched by the NamespaceSelector.
+	// Cannot be set with any other selector except NamespaceSelector.
+	// +optional
+	PodSelector *metav1.LabelSelector `json:"podSelector,omitempty"`
+	// Select all Pods from Namespaces matched by this selector, as
+	// workloads in To/From fields. If set with PodSelector,
+	// Pods are matched from Namespaces matched by the NamespaceSelector.
+	// Cannot be set with any other selector except PodSelector or
+	// ExternalEntitySelector. Cannot be set with Namespaces.
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+	// Select Pod/ExternalEntity from Namespaces matched by specific criteria.
+	// Current supported criteria is match: Self, which selects from the same
+	// Namespace of the appliedTo workloads.
+	// Cannot be set with any other selector except PodSelector or
+	// ExternalEntitySelector. This field can only be set when NetworkPolicyPeer
+	// is created for ClusterNetworkPolicy ingress/egress rules.
+	// Cannot be set with NamespaceSelector.
+	// +optional
+	Namespaces *PeerNamespaces `json:"namespaces,omitempty"`
+	// Select ExternalEntities from NetworkPolicy's Namespace as workloads
+	// in To/From fields. If set with NamespaceSelector,
+	// ExternalEntities are matched from Namespaces matched by the
+	// NamespaceSelector.
+	// Cannot be set with any other selector except NamespaceSelector.
+	// +optional
+	ExternalEntitySelector *metav1.LabelSelector `json:"externalEntitySelector,omitempty"`
+	// Group is the name of the ClusterGroup which can be set within
+	// an Ingress or Egress rule in place of a stand-alone selector.
+	// A Group cannot be set with any other selector.
+	Group string `json:"group,omitempty"`
+	// Restrict egress access to the Fully Qualified Domain Names prescribed
+	// by name or by wildcard match patterns. This field can only be set for
+	// NetworkPolicyPeer of egress rules.
+	// Supported formats are:
+	// Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
+	// Wildcard expressions, i.e. "*wayfair.com".
+	FQDN string `json:"fqdn,omitempty"`
+	// Select all Pods with the ServiceAccount matched by this field, as
+	// workloads in To/From fields.
+	// Cannot be set with any other selector.
+	// +optional
+	ServiceAccount *NamespacedName `json:"serviceAccount,omitempty"`
+	// Select certain Nodes which match the label selector.
+	// A NodeSelector cannot be set in AppliedTo field or set with any other selector.
+	// +optional
+	NodeSelector *metav1.LabelSelector `json:"nodeSelector,omitempty"`
+	// Define scope of the Pod/NamespaceSelector(s) of this peer.
+	// Can only be used in ingress NetworkPolicyPeers.
+	// Defaults to "Cluster".
+	// +optional
+	Scope PeerScope `json:"scope,omitempty"`
+}
+
+// AppliedTo describes the grouping selector of workloads in AppliedTo field.
+type AppliedTo struct {
+	// Select Pods from NetworkPolicy's Namespace as workloads in
+	// AppliedTo fields. If set with NamespaceSelector, Pods are
+	// matched from Namespaces matched by the NamespaceSelector.
+	// Cannot be set with any other selector except NamespaceSelector.
+	// +optional
+	PodSelector *metav1.LabelSelector `json:"podSelector,omitempty"`
+	// Select all Pods from Namespaces matched by this selector, as
+	// workloads in AppliedTo fields. If set with PodSelector,
+	// Pods are matched from Namespaces matched by the NamespaceSelector.
+	// Cannot be set with any other selector except PodSelector or
+	// ExternalEntitySelector. Cannot be set with Namespaces.
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+	// Select ExternalEntities from NetworkPolicy's Namespace as workloads
+	// in AppliedTo fields. If set with NamespaceSelector,
+	// ExternalEntities are matched from Namespaces matched by the
+	// NamespaceSelector.
+	// Cannot be set with any other selector except NamespaceSelector.
+	// +optional
+	ExternalEntitySelector *metav1.LabelSelector `json:"externalEntitySelector,omitempty"`
+	// Group is the name of the ClusterGroup which can be set as an
+	// AppliedTo in place of a stand-alone selector. A Group cannot
+	// be set with any other selector.
+	// +optional
+	Group string `json:"group,omitempty"`
+	// Select all Pods with the ServiceAccount matched by this field, as
+	// workloads in AppliedTo fields.
+	// Cannot be set with any other selector.
+	// +optional
+	ServiceAccount *NamespacedName `json:"serviceAccount,omitempty"`
+	// Select a certain Service which matches the NamespacedName.
+	// A Service can only be set in either policy level AppliedTo field in a policy
+	// that only has ingress rules or rule level AppliedTo field in an ingress rule.
+	// Only a NodePort Service can be referred by this field.
+	// Cannot be set with any other selector.
+	// +optional
+	Service *NamespacedName `json:"service,omitempty"`
+}
+
+type PeerNamespaces struct {
+	Match NamespaceMatchType `json:"match,omitempty"`
+}
+
+// NamespaceMatchType describes Namespace matching strategy.
+type NamespaceMatchType string
+
+const (
+	NamespaceMatchSelf NamespaceMatchType = "Self"
+)
+
+type PeerScope string
+
+const (
+	ScopeCluster PeerScope = "Cluster"
+	ScopeClusterSet PeerScope = "ClusterSet"
+)
+
+// IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed
+// or denied to/from the workloads matched by a Spec.AppliedTo.
+type IPBlock struct {
+	// CIDR is a string representing the IP Block
+	// Valid examples are "192.168.1.1/24".
+	CIDR string `json:"cidr"`
+}
+
+// NetworkPolicyPort describes the port and protocol to match in a rule.
+type NetworkPolicyPort struct {
+	// The protocol (TCP, UDP, or SCTP) which traffic must match.
+	// If not specified, this field defaults to TCP.
+	// +optional
+	Protocol *corev1.Protocol `json:"protocol,omitempty"`
+	// The port on the given protocol. This can be either a numerical
+	// or named port on a Pod. If this field is not provided, this
+	// matches all port names and numbers.
+	// +optional
+	Port *intstr.IntOrString `json:"port,omitempty"`
+	// EndPort defines the end of the port range, inclusive.
+	// It can only be specified when a numerical `port` is specified.
+	// +optional
+	EndPort *int32 `json:"endPort,omitempty"`
+	// The source port on the given protocol. This can only be a numerical port.
+	// If this field is not provided, rule matches all source ports.
+	// +optional
+	SourcePort *int32 `json:"sourcePort,omitempty"`
+	// SourceEndPort defines the end of the source port range, inclusive.
+	// It can only be specified when `sourcePort` is specified.
+	// +optional
+	SourceEndPort *int32 `json:"sourceEndPort,omitempty"`
+}
+
+// RuleAction describes the action to be applied on traffic matching a rule.
+type RuleAction string
+
+const (
+	// RuleActionAllow describes that the traffic matching the rule must be allowed.
+	RuleActionAllow RuleAction = "Allow"
+	// RuleActionDrop describes that the traffic matching the rule must be dropped.
+	RuleActionDrop RuleAction = "Drop"
+	// RuleActionPass indicates that the traffic matching the rule will not be evaluated
+	// by Antrea NetworkPolicy or ClusterNetworkPolicy, but rather punt to K8s namespaced
+	// NetworkPolicy for evaluation.
+	RuleActionPass RuleAction = "Pass"
+	// RuleActionReject indicates that the traffic matching the rule must be rejected and the
+	// client will receive a response.
+	RuleActionReject RuleAction = "Reject"
+
+	IGMPQuery int32 = 0x11
+	IGMPReportV1 int32 = 0x12
+	IGMPReportV2 int32 = 0x16
+	IGMPReportV3 int32 = 0x22
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type NetworkPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []NetworkPolicy `json:"items"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type ClusterNetworkPolicy struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard metadata of the object.
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Specification of the desired behavior of ClusterNetworkPolicy.
+	Spec ClusterNetworkPolicySpec `json:"spec"`
+	// Most recently observed status of the NetworkPolicy.
+	Status NetworkPolicyStatus `json:"status"`
+}
+
+// ClusterNetworkPolicySpec defines the desired state for ClusterNetworkPolicy.
+type ClusterNetworkPolicySpec struct {
+	// Tier specifies the tier to which this ClusterNetworkPolicy belongs to.
+	// The ClusterNetworkPolicy order will be determined based on the
+	// combination of the Tier's Priority and the ClusterNetworkPolicy's own
+	// Priority. If not specified, this policy will be created in the Application
+	// Tier right above the K8s NetworkPolicy which resides at the bottom.
+	Tier string `json:"tier,omitempty"`
+	// Priority specfies the order of the ClusterNetworkPolicy relative to
+	// other AntreaClusterNetworkPolicies.
+	Priority float64 `json:"priority"`
+	// Select workloads on which the rules will be applied to. Cannot be set in
+	// conjunction with AppliedTo in each rule.
+	// +optional
+	AppliedTo []AppliedTo `json:"appliedTo,omitempty"`
+	// Set of ingress rules evaluated based on the order in which they are set.
+	// Currently Ingress rule supports setting the `From` field but not the `To`
+	// field within a Rule.
+	// +optional
+	Ingress []Rule `json:"ingress,omitempty"`
+	// Set of egress rules evaluated based on the order in which they are set.
+	// Currently Egress rule supports setting the `To` field but not the `From`
+	// field within a Rule.
+	// +optional
+	Egress []Rule `json:"egress,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type ClusterNetworkPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []ClusterNetworkPolicy `json:"items"`
+}
+
+// NamespacedName refers to a Namespace scoped resource.
+// All fields must be used together.
+type NamespacedName struct {
+	Name string `json:"name,omitempty"`
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// PeerService refers to a Service, which can be a in-cluster Service or
+// imported multi-cluster service.
+type PeerService struct {
+	Name string `json:"name,omitempty"`
+	Namespace string `json:"namespace,omitempty"`
+	Scope PeerScope `json:"scope,omitempty"`
+}
+
+// NetworkPolicyProtocol defines additional protocols that are not supported by
+// `ports`. All fields should be used as a standalone field.
+type NetworkPolicyProtocol struct { + ICMP *ICMPProtocol `json:"icmp,omitempty"` + IGMP *IGMPProtocol `json:"igmp,omitempty"` +} + +// ICMPProtocol matches ICMP traffic with specific ICMPType and/or ICMPCode. All +// fields could be used alone or together. If all fields are not provided, this +// matches all ICMP traffic. +type ICMPProtocol struct { + ICMPType *int32 `json:"icmpType,omitempty"` + ICMPCode *int32 `json:"icmpCode,omitempty"` +} + +// IGMPProtocol matches IGMP traffic with IGMPType and GroupAddress. IGMPType must +// be filled with: +// IGMPQuery int32 = 0x11 +// IGMPReportV1 int32 = 0x12 +// IGMPReportV2 int32 = 0x16 +// IGMPReportV3 int32 = 0x22 +// If groupAddress is empty, all groupAddresses will be matched. +type IGMPProtocol struct { + IGMPType *int32 `json:"igmpType,omitempty"` + GroupAddress string `json:"groupAddress,omitempty"` +} + +type L7Protocol struct { + HTTP *HTTPProtocol `json:"http,omitempty"` + TLS *TLSProtocol `json:"tls,omitempty"` +} + +// HTTPProtocol matches HTTP requests with specific host, method, and path. All fields could be used alone or together. +// If all fields are not provided, it matches all HTTP requests. +type HTTPProtocol struct { + // Host represents the hostname present in the URI or the HTTP Host header to match. + // It does not contain the port associated with the host. + Host string `json:"host,omitempty"` + // Method represents the HTTP method to match. + // It could be GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT and PATCH. + Method string `json:"method,omitempty"` + // Path represents the URI path to match (Ex. "/index.html", "/admin"). + Path string `json:"path,omitempty"` +} + +// TLSProtocol matches TLS handshake packets with specific SNI. If the field is not provided, this +// matches all TLS handshake packets. +type TLSProtocol struct { + // SNI (Server Name Indication) indicates the server domain name in the TLS/SSL hello message. + SNI string `json:"sni,omitempty"` +} 
diff --git a/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go b/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go index 46d5f6da8b6..fb6def5cf6c 100644 --- a/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go +++ b/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go @@ -20,9 +20,10 @@ package v1beta1 import ( - v1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + corev1 "k8s.io/api/core/v1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" + intstr "k8s.io/apimachinery/pkg/util/intstr" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
@@ -192,6 +193,47 @@ func (in *AntreaControllerInfoList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AppliedTo) DeepCopyInto(out *AppliedTo) { + *out = *in + if in.PodSelector != nil { + in, out := &in.PodSelector, &out.PodSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.NamespaceSelector != nil { + in, out := &in.NamespaceSelector, &out.NamespaceSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.ExternalEntitySelector != nil { + in, out := &in.ExternalEntitySelector, &out.ExternalEntitySelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.ServiceAccount != nil { + in, out := &in.ServiceAccount, &out.ServiceAccount + *out = new(NamespacedName) + **out = **in + } + if in.Service != nil { + in, out := &in.Service, &out.Service + *out = new(NamespacedName) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AppliedTo. +func (in *AppliedTo) DeepCopy() *AppliedTo { + if in == nil { + return nil + } + out := new(AppliedTo) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterGroup) DeepCopyInto(out *ClusterGroup) { *out = *in 
@@ -253,6 +295,104 @@ func (in *ClusterGroupList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterNetworkPolicy) DeepCopyInto(out *ClusterNetworkPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicy. +func (in *ClusterNetworkPolicy) DeepCopy() *ClusterNetworkPolicy { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterNetworkPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterNetworkPolicyList) DeepCopyInto(out *ClusterNetworkPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ClusterNetworkPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicyList. +func (in *ClusterNetworkPolicyList) DeepCopy() *ClusterNetworkPolicyList { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *ClusterNetworkPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterNetworkPolicySpec) DeepCopyInto(out *ClusterNetworkPolicySpec) { + *out = *in + if in.AppliedTo != nil { + in, out := &in.AppliedTo, &out.AppliedTo + *out = make([]AppliedTo, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Ingress != nil { + in, out := &in.Ingress, &out.Ingress + *out = make([]Rule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Egress != nil { + in, out := &in.Egress, &out.Egress + *out = make([]Rule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkPolicySpec. +func (in *ClusterNetworkPolicySpec) DeepCopy() *ClusterNetworkPolicySpec { + if in == nil { + return nil + } + out := new(ClusterNetworkPolicySpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ControllerCondition) DeepCopyInto(out *ControllerCondition) { *out = *in @@ -463,12 +603,12 @@ func (in *GroupSpec) DeepCopyInto(out *GroupSpec) { } if in.IPBlocks != nil { in, out := &in.IPBlocks, &out.IPBlocks - *out = make([]v1alpha1.IPBlock, len(*in)) + *out = make([]IPBlock, len(*in)) copy(*out, *in) } if in.ServiceReference != nil { in, out := &in.ServiceReference, &out.ServiceReference - *out = new(v1alpha1.NamespacedName) + *out = new(NamespacedName) **out = **in } if in.ExternalEntitySelector != nil { 
@@ -517,6 +657,85 @@ func (in *GroupStatus) DeepCopy() *GroupStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTTPProtocol) DeepCopyInto(out *HTTPProtocol) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPProtocol. +func (in *HTTPProtocol) DeepCopy() *HTTPProtocol { + if in == nil { + return nil + } + out := new(HTTPProtocol) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ICMPProtocol) DeepCopyInto(out *ICMPProtocol) { + *out = *in + if in.ICMPType != nil { + in, out := &in.ICMPType, &out.ICMPType + *out = new(int32) + **out = **in + } + if in.ICMPCode != nil { + in, out := &in.ICMPCode, &out.ICMPCode + *out = new(int32) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ICMPProtocol. +func (in *ICMPProtocol) DeepCopy() *ICMPProtocol { + if in == nil { + return nil + } + out := new(ICMPProtocol) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *IGMPProtocol) DeepCopyInto(out *IGMPProtocol) { + *out = *in + if in.IGMPType != nil { + in, out := &in.IGMPType, &out.IGMPType + *out = new(int32) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IGMPProtocol. +func (in *IGMPProtocol) DeepCopy() *IGMPProtocol { + if in == nil { + return nil + } + out := new(IGMPProtocol) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *IPBlock) DeepCopyInto(out *IPBlock) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPBlock. +func (in *IPBlock) DeepCopy() *IPBlock { + if in == nil { + return nil + } + out := new(IPBlock) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IPPoolUsage) DeepCopyInto(out *IPPoolUsage) { *out = *in 
@@ -549,6 +768,93 @@ func (in *IPRange) DeepCopy() *IPRange { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *L7Protocol) DeepCopyInto(out *L7Protocol) { + *out = *in + if in.HTTP != nil { + in, out := &in.HTTP, &out.HTTP + *out = new(HTTPProtocol) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSProtocol) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new L7Protocol. +func (in *L7Protocol) DeepCopy() *L7Protocol { + if in == nil { + return nil + } + out := new(L7Protocol) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NamespacedName) DeepCopyInto(out *NamespacedName) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespacedName. +func (in *NamespacedName) DeepCopy() *NamespacedName { + if in == nil { + return nil + } + out := new(NamespacedName) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicy) DeepCopyInto(out *NetworkPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicy. +func (in *NetworkPolicy) DeepCopy() *NetworkPolicy { + if in == nil { + return nil + } + out := new(NetworkPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *NetworkPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyCondition) DeepCopyInto(out *NetworkPolicyCondition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyCondition. +func (in *NetworkPolicyCondition) DeepCopy() *NetworkPolicyCondition { + if in == nil { + return nil + } + out := new(NetworkPolicyCondition) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NetworkPolicyControllerInfo) DeepCopyInto(out *NetworkPolicyControllerInfo) { *out = *in 
@@ -565,6 +871,217 @@ func (in *NetworkPolicyControllerInfo) DeepCopy() *NetworkPolicyControllerInfo { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyList) DeepCopyInto(out *NetworkPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]NetworkPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyList. +func (in *NetworkPolicyList) DeepCopy() *NetworkPolicyList { + if in == nil { + return nil + } + out := new(NetworkPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *NetworkPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *NetworkPolicyPeer) DeepCopyInto(out *NetworkPolicyPeer) { + *out = *in + if in.IPBlock != nil { + in, out := &in.IPBlock, &out.IPBlock + *out = new(IPBlock) + **out = **in + } + if in.PodSelector != nil { + in, out := &in.PodSelector, &out.PodSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.NamespaceSelector != nil { + in, out := &in.NamespaceSelector, &out.NamespaceSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.Namespaces != nil { + in, out := &in.Namespaces, &out.Namespaces + *out = new(PeerNamespaces) + **out = **in + } + if in.ExternalEntitySelector != nil { + in, out := &in.ExternalEntitySelector, &out.ExternalEntitySelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.ServiceAccount != nil { + in, out := &in.ServiceAccount, &out.ServiceAccount + *out = new(NamespacedName) + **out = **in + } + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyPeer. +func (in *NetworkPolicyPeer) DeepCopy() *NetworkPolicyPeer { + if in == nil { + return nil + } + out := new(NetworkPolicyPeer) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *NetworkPolicyPort) DeepCopyInto(out *NetworkPolicyPort) { + *out = *in + if in.Protocol != nil { + in, out := &in.Protocol, &out.Protocol + *out = new(corev1.Protocol) + **out = **in + } + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(intstr.IntOrString) + **out = **in + } + if in.EndPort != nil { + in, out := &in.EndPort, &out.EndPort + *out = new(int32) + **out = **in + } + if in.SourcePort != nil { + in, out := &in.SourcePort, &out.SourcePort + *out = new(int32) + **out = **in + } + if in.SourceEndPort != nil { + in, out := &in.SourceEndPort, &out.SourceEndPort + *out = new(int32) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyPort. +func (in *NetworkPolicyPort) DeepCopy() *NetworkPolicyPort { + if in == nil { + return nil + } + out := new(NetworkPolicyPort) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyProtocol) DeepCopyInto(out *NetworkPolicyProtocol) { + *out = *in + if in.ICMP != nil { + in, out := &in.ICMP, &out.ICMP + *out = new(ICMPProtocol) + (*in).DeepCopyInto(*out) + } + if in.IGMP != nil { + in, out := &in.IGMP, &out.IGMP + *out = new(IGMPProtocol) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyProtocol. +func (in *NetworkPolicyProtocol) DeepCopy() *NetworkPolicyProtocol { + if in == nil { + return nil + } + out := new(NetworkPolicyProtocol) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *NetworkPolicySpec) DeepCopyInto(out *NetworkPolicySpec) { + *out = *in + if in.AppliedTo != nil { + in, out := &in.AppliedTo, &out.AppliedTo + *out = make([]AppliedTo, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Ingress != nil { + in, out := &in.Ingress, &out.Ingress + *out = make([]Rule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Egress != nil { + in, out := &in.Egress, &out.Egress + *out = make([]Rule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicySpec. +func (in *NetworkPolicySpec) DeepCopy() *NetworkPolicySpec { + if in == nil { + return nil + } + out := new(NetworkPolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyStatus) DeepCopyInto(out *NetworkPolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]NetworkPolicyCondition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyStatus. +func (in *NetworkPolicyStatus) DeepCopy() *NetworkPolicyStatus { + if in == nil { + return nil + } + out := new(NetworkPolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OVSInfo) DeepCopyInto(out *OVSInfo) { *out = *in 
@@ -588,6 +1105,122 @@ func (in *OVSInfo) DeepCopy() *OVSInfo { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PeerNamespaces) DeepCopyInto(out *PeerNamespaces) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerNamespaces. +func (in *PeerNamespaces) DeepCopy() *PeerNamespaces { + if in == nil { + return nil + } + out := new(PeerNamespaces) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PeerService) DeepCopyInto(out *PeerService) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerService. +func (in *PeerService) DeepCopy() *PeerService { + if in == nil { + return nil + } + out := new(PeerService) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *Rule) DeepCopyInto(out *Rule) { + *out = *in + if in.Action != nil { + in, out := &in.Action, &out.Action + *out = new(RuleAction) + **out = **in + } + if in.Ports != nil { + in, out := &in.Ports, &out.Ports + *out = make([]NetworkPolicyPort, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Protocols != nil { + in, out := &in.Protocols, &out.Protocols + *out = make([]NetworkPolicyProtocol, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.L7Protocols != nil { + in, out := &in.L7Protocols, &out.L7Protocols + *out = make([]L7Protocol, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.From != nil { + in, out := &in.From, &out.From + *out = make([]NetworkPolicyPeer, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.To != nil { + in, out := &in.To, &out.To + *out = make([]NetworkPolicyPeer, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ToServices != nil { + in, out := &in.ToServices, &out.ToServices + *out = make([]PeerService, len(*in)) + copy(*out, *in) + } + if in.AppliedTo != nil { + in, out := &in.AppliedTo, &out.AppliedTo + *out = make([]AppliedTo, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule. +func (in *Rule) DeepCopy() *Rule { + if in == nil { + return nil + } + out := new(Rule) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLSProtocol) DeepCopyInto(out *TLSProtocol) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSProtocol. 
+func (in *TLSProtocol) DeepCopy() *TLSProtocol { + if in == nil { + return nil + } + out := new(TLSProtocol) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Tier) DeepCopyInto(out *Tier) { *out = *in diff --git a/pkg/apiserver/openapi/zz_generated.openapi.go b/pkg/apiserver/openapi/zz_generated.openapi.go index 491d243e52b..860bff4d158 100644 --- a/pkg/apiserver/openapi/zz_generated.openapi.go +++ b/pkg/apiserver/openapi/zz_generated.openapi.go 
@@ -78,8 +78,12 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "antrea.io/antrea/pkg/apis/crd/v1beta1.AntreaAgentInfoList": schema_pkg_apis_crd_v1beta1_AntreaAgentInfoList(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.AntreaControllerInfo": schema_pkg_apis_crd_v1beta1_AntreaControllerInfo(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.AntreaControllerInfoList": schema_pkg_apis_crd_v1beta1_AntreaControllerInfoList(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.AppliedTo": schema_pkg_apis_crd_v1beta1_AppliedTo(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.ClusterGroup": schema_pkg_apis_crd_v1beta1_ClusterGroup(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.ClusterGroupList": schema_pkg_apis_crd_v1beta1_ClusterGroupList(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.ClusterNetworkPolicy": schema_pkg_apis_crd_v1beta1_ClusterNetworkPolicy(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.ClusterNetworkPolicyList": schema_pkg_apis_crd_v1beta1_ClusterNetworkPolicyList(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.ClusterNetworkPolicySpec": schema_pkg_apis_crd_v1beta1_ClusterNetworkPolicySpec(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.ControllerCondition": schema_pkg_apis_crd_v1beta1_ControllerCondition(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.ExternalIPPool": schema_pkg_apis_crd_v1beta1_ExternalIPPool(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.ExternalIPPoolList": schema_pkg_apis_crd_v1beta1_ExternalIPPoolList(ref), 
@@ -90,10 +94,28 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "antrea.io/antrea/pkg/apis/crd/v1beta1.GroupList": schema_pkg_apis_crd_v1beta1_GroupList(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.GroupSpec": schema_pkg_apis_crd_v1beta1_GroupSpec(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.GroupStatus": schema_pkg_apis_crd_v1beta1_GroupStatus(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.HTTPProtocol": schema_pkg_apis_crd_v1beta1_HTTPProtocol(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.ICMPProtocol": schema_pkg_apis_crd_v1beta1_ICMPProtocol(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.IGMPProtocol": schema_pkg_apis_crd_v1beta1_IGMPProtocol(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.IPBlock": schema_pkg_apis_crd_v1beta1_IPBlock(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.IPPoolUsage": schema_pkg_apis_crd_v1beta1_IPPoolUsage(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.IPRange": schema_pkg_apis_crd_v1beta1_IPRange(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.L7Protocol": schema_pkg_apis_crd_v1beta1_L7Protocol(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.NamespacedName": schema_pkg_apis_crd_v1beta1_NamespacedName(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicy": schema_pkg_apis_crd_v1beta1_NetworkPolicy(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyCondition": schema_pkg_apis_crd_v1beta1_NetworkPolicyCondition(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyControllerInfo": schema_pkg_apis_crd_v1beta1_NetworkPolicyControllerInfo(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyList": schema_pkg_apis_crd_v1beta1_NetworkPolicyList(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyPeer": schema_pkg_apis_crd_v1beta1_NetworkPolicyPeer(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyPort": schema_pkg_apis_crd_v1beta1_NetworkPolicyPort(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyProtocol": 
schema_pkg_apis_crd_v1beta1_NetworkPolicyProtocol(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicySpec": schema_pkg_apis_crd_v1beta1_NetworkPolicySpec(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyStatus": schema_pkg_apis_crd_v1beta1_NetworkPolicyStatus(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.OVSInfo": schema_pkg_apis_crd_v1beta1_OVSInfo(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.PeerNamespaces": schema_pkg_apis_crd_v1beta1_PeerNamespaces(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.PeerService": schema_pkg_apis_crd_v1beta1_PeerService(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.Rule": schema_pkg_apis_crd_v1beta1_Rule(ref), + "antrea.io/antrea/pkg/apis/crd/v1beta1.TLSProtocol": schema_pkg_apis_crd_v1beta1_TLSProtocol(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.Tier": schema_pkg_apis_crd_v1beta1_Tier(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.TierList": schema_pkg_apis_crd_v1beta1_TierList(ref), "antrea.io/antrea/pkg/apis/crd/v1beta1.TierSpec": schema_pkg_apis_crd_v1beta1_TierSpec(ref), 
@@ -2811,6 +2833,58 @@ func schema_pkg_apis_crd_v1beta1_AntreaControllerInfoList(ref common.ReferenceCa } } +func schema_pkg_apis_crd_v1beta1_AppliedTo(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "AppliedTo describes the grouping selector of workloads in AppliedTo field.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "podSelector": { + SchemaProps: spec.SchemaProps{ + Description: "Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), + }, + }, + "namespaceSelector": { + SchemaProps: spec.SchemaProps{ + Description: "Select all Pods from Namespaces matched by this selector, as workloads in AppliedTo fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), + }, + }, + "externalEntitySelector": { + SchemaProps: spec.SchemaProps{ + Description: "Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), + }, + }, + "group": { + SchemaProps: spec.SchemaProps{ + Description: "Group is the name of the ClusterGroup which can be set as an AppliedTo in place of a stand-alone selector. 
A Group cannot be set with any other selector.", + Type: []string{"string"}, + Format: "", + }, + }, + "serviceAccount": { + SchemaProps: spec.SchemaProps{ + Description: "Select all Pods with the ServiceAccount matched by this field, as workloads in AppliedTo fields. Cannot be set with any other selector.", + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.NamespacedName"), + }, + }, + "service": { + SchemaProps: spec.SchemaProps{ + Description: "Select a certain Service which matches the NamespacedName. A Service can only be set in either policy level AppliedTo field in a policy that only has ingress rules or rule level AppliedTo field in an ingress rule. Only a NodePort Service can be referred by this field. Cannot be set with any other selector.", + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.NamespacedName"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/crd/v1beta1.NamespacedName", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"}, + } +} + func schema_pkg_apis_crd_v1beta1_ClusterGroup(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -2908,6 +2982,177 @@ func schema_pkg_apis_crd_v1beta1_ClusterGroupList(ref common.ReferenceCallback) } } +func schema_pkg_apis_crd_v1beta1_ClusterNetworkPolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "Standard metadata of the object.", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "Specification of the desired behavior of ClusterNetworkPolicy.", + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.ClusterNetworkPolicySpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "Most recently observed status of the NetworkPolicy.", + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyStatus"), + }, + }, + }, + Required: []string{"spec", "status"}, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/crd/v1beta1.ClusterNetworkPolicySpec", "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_pkg_apis_crd_v1beta1_ClusterNetworkPolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.ClusterNetworkPolicy"), + }, + }, + }, + }, + }, + }, + Required: []string{"items"}, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/crd/v1beta1.ClusterNetworkPolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_pkg_apis_crd_v1beta1_ClusterNetworkPolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterNetworkPolicySpec defines the desired state for ClusterNetworkPolicy.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "tier": { + SchemaProps: spec.SchemaProps{ + Description: "Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. 
If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom.", + Type: []string{"string"}, + Format: "", + }, + }, + "priority": { + SchemaProps: spec.SchemaProps{ + Description: "Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies.", + Default: 0, + Type: []string{"number"}, + Format: "double", + }, + }, + "appliedTo": { + SchemaProps: spec.SchemaProps{ + Description: "Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.AppliedTo"), + }, + }, + }, + }, + }, + "ingress": { + SchemaProps: spec.SchemaProps{ + Description: "Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.Rule"), + }, + }, + }, + }, + }, + "egress": { + SchemaProps: spec.SchemaProps{ + Description: "Set of egress rules evaluated based on the order in which they are set. 
Currently Egress rule supports setting the `To` field but not the `From` field within a Rule.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.Rule"), + }, + }, + }, + }, + }, + }, + Required: []string{"priority"}, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/crd/v1beta1.AppliedTo", "antrea.io/antrea/pkg/apis/crd/v1beta1.Rule"}, + } +} + func schema_pkg_apis_crd_v1beta1_ControllerCondition(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -3274,7 +3519,7 @@ func schema_pkg_apis_crd_v1beta1_GroupSpec(ref common.ReferenceCallback) common. Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("antrea.io/antrea/pkg/apis/crd/v1alpha1.IPBlock"), + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.IPBlock"), }, }, }, @@ -3283,7 +3528,7 @@ func schema_pkg_apis_crd_v1beta1_GroupSpec(ref common.ReferenceCallback) common. "serviceReference": { SchemaProps: spec.SchemaProps{ Description: "Select backend Pods of the referred Service. Cannot be set with any other selector or ipBlock.", - Ref: ref("antrea.io/antrea/pkg/apis/crd/v1alpha1.NamespacedName"), + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.NamespacedName"), }, }, "externalEntitySelector": { @@ -3311,7 +3556,7 @@ func schema_pkg_apis_crd_v1beta1_GroupSpec(ref common.ReferenceCallback) common. }, }, Dependencies: []string{ - "antrea.io/antrea/pkg/apis/crd/v1alpha1.IPBlock", "antrea.io/antrea/pkg/apis/crd/v1alpha1.NamespacedName", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"}, + "antrea.io/antrea/pkg/apis/crd/v1beta1.IPBlock", "antrea.io/antrea/pkg/apis/crd/v1beta1.NamespacedName", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"}, } } 
@@ -3343,59 +3588,30 @@ func schema_pkg_apis_crd_v1beta1_GroupStatus(ref common.ReferenceCallback) commo } } -func schema_pkg_apis_crd_v1beta1_IPPoolUsage(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "total": { - SchemaProps: spec.SchemaProps{ - Description: "Total number of IPs.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - "used": { - SchemaProps: spec.SchemaProps{ - Description: "Number of allocated IPs.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - }, - Required: []string{"total", "used"}, - }, - }, - } -} - -func schema_pkg_apis_crd_v1beta1_IPRange(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_pkg_apis_crd_v1beta1_HTTPProtocol(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "IPRange is a set of contiguous IP addresses, represented by a CIDR or a pair of start and end IPs.", + Description: "HTTPProtocol matches HTTP requests with specific host, method, and path. All fields could be used alone or together. If all fields are not provided, it matches all HTTP requests.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "cidr": { + "host": { SchemaProps: spec.SchemaProps{ - Description: "The CIDR of this range, e.g. 10.10.10.0/24.", + Description: "Host represents the hostname present in the URI or the HTTP Host header to match. It does not contain the port associated with the host.", Type: []string{"string"}, Format: "", }, }, - "start": { + "method": { SchemaProps: spec.SchemaProps{ - Description: "The start IP of the range, e.g. 10.10.20.5, inclusive.", + Description: "Method represents the HTTP method to match. 
It could be GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT and PATCH.", Type: []string{"string"}, Format: "", }, }, - "end": { + "path": { SchemaProps: spec.SchemaProps{ - Description: "The end IP of the range, e.g. 10.10.20.20, inclusive.", + Description: "Path represents the URI path to match (Ex. \"/index.html\", \"/admin\").", Type: []string{"string"}, Format: "", }, @@ -3406,25 +3622,20 @@ func schema_pkg_apis_crd_v1beta1_IPRange(ref common.ReferenceCallback) common.Op } } -func schema_pkg_apis_crd_v1beta1_NetworkPolicyControllerInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_pkg_apis_crd_v1beta1_ICMPProtocol(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "ICMPProtocol matches ICMP traffic with specific ICMPType and/or ICMPCode. All fields could be used alone or together. If all fields are not provided, this matches all ICMP traffic.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "networkPolicyNum": { - SchemaProps: spec.SchemaProps{ - Type: []string{"integer"}, - Format: "int32", - }, - }, - "addressGroupNum": { + "icmpType": { SchemaProps: spec.SchemaProps{ Type: []string{"integer"}, Format: "int32", }, }, - "appliedToGroupNum": { + "icmpCode": { SchemaProps: spec.SchemaProps{ Type: []string{"integer"}, Format: "int32", 
@@ -3436,19 +3647,646 @@ func schema_pkg_apis_crd_v1beta1_NetworkPolicyControllerInfo(ref common.Referenc } } -func schema_pkg_apis_crd_v1beta1_OVSInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_pkg_apis_crd_v1beta1_IGMPProtocol(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "IGMPProtocol matches IGMP traffic with IGMPType and GroupAddress. IGMPType must be filled with: IGMPQuery int32 = 0x11 IGMPReportV1 int32 = 0x12 IGMPReportV2 int32 = 0x16 IGMPReportV3 int32 = 0x22 If groupAddress is empty, all groupAddresses will be matched.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "version": { + "igmpType": { SchemaProps: spec.SchemaProps{ - Type: []string{"string"}, - Format: "", + Type: []string{"integer"}, + Format: "int32", }, }, - "bridgeName": { + "groupAddress": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_pkg_apis_crd_v1beta1_IPBlock(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "IPBlock describes a particular CIDR (Ex. 
\"192.168.1.1/24\") that is allowed or denied to/from the workloads matched by a Spec.AppliedTo.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "cidr": { + SchemaProps: spec.SchemaProps{ + Description: "CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\".", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"cidr"}, + }, + }, + } +} + +func schema_pkg_apis_crd_v1beta1_IPPoolUsage(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "total": { + SchemaProps: spec.SchemaProps{ + Description: "Total number of IPs.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "used": { + SchemaProps: spec.SchemaProps{ + Description: "Number of allocated IPs.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + }, + Required: []string{"total", "used"}, + }, + }, + } +} + +func schema_pkg_apis_crd_v1beta1_IPRange(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "IPRange is a set of contiguous IP addresses, represented by a CIDR or a pair of start and end IPs.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "cidr": { + SchemaProps: spec.SchemaProps{ + Description: "The CIDR of this range, e.g. 10.10.10.0/24.", + Type: []string{"string"}, + Format: "", + }, + }, + "start": { + SchemaProps: spec.SchemaProps{ + Description: "The start IP of the range, e.g. 10.10.20.5, inclusive.", + Type: []string{"string"}, + Format: "", + }, + }, + "end": { + SchemaProps: spec.SchemaProps{ + Description: "The end IP of the range, e.g. 
10.10.20.20, inclusive.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_pkg_apis_crd_v1beta1_L7Protocol(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "http": { + SchemaProps: spec.SchemaProps{ + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.HTTPProtocol"), + }, + }, + "tls": { + SchemaProps: spec.SchemaProps{ + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.TLSProtocol"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/crd/v1beta1.HTTPProtocol", "antrea.io/antrea/pkg/apis/crd/v1beta1.TLSProtocol"}, + } +} + +func schema_pkg_apis_crd_v1beta1_NamespacedName(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NamespacedName refers to a Namespace scoped resource. All fields must be used together.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "namespace": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_pkg_apis_crd_v1beta1_NetworkPolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "Standard metadata of the object.", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "Specification of the desired behavior of NetworkPolicy.", + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicySpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "Most recently observed status of the NetworkPolicy.", + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyStatus"), + }, + }, + }, + Required: []string{"spec", "status"}, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicySpec", "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_pkg_apis_crd_v1beta1_NetworkPolicyCondition(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NetworkPolicyCondition describes the state of a NetworkPolicy at a certain point.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "Type of StatefulSet condition.", + Default: "", 
+ Type: []string{"string"}, + Format: "", + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "Status of the condition, one of True, False, Unknown.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "lastTransitionTime": { + SchemaProps: spec.SchemaProps{ + Description: "Last time the condition transitioned from one status to another.", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + }, + }, + "reason": { + SchemaProps: spec.SchemaProps{ + Description: "The reason for the condition's last transition.", + Type: []string{"string"}, + Format: "", + }, + }, + "message": { + SchemaProps: spec.SchemaProps{ + Description: "A human-readable message indicating details about the transition.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"type", "status"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, + } +} + +func schema_pkg_apis_crd_v1beta1_NetworkPolicyControllerInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "networkPolicyNum": { + SchemaProps: spec.SchemaProps{ + Type: []string{"integer"}, + Format: "int32", + }, + }, + "addressGroupNum": { + SchemaProps: spec.SchemaProps{ + Type: []string{"integer"}, + Format: "int32", + }, + }, + "appliedToGroupNum": { + SchemaProps: spec.SchemaProps{ + Type: []string{"integer"}, + Format: "int32", + }, + }, + }, + }, + }, + } +} + +func schema_pkg_apis_crd_v1beta1_NetworkPolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource 
this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicy"), + }, + }, + }, + }, + }, + }, + Required: []string{"items"}, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_pkg_apis_crd_v1beta1_NetworkPolicyPeer(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NetworkPolicyPeer describes the grouping selector of workloads.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "ipBlock": { + SchemaProps: spec.SchemaProps{ + Description: "IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.", + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.IPBlock"), + }, + }, + "podSelector": { + SchemaProps: spec.SchemaProps{ + Description: "Select Pods from NetworkPolicy's Namespace as workloads in To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), + }, + }, + "namespaceSelector": { + SchemaProps: spec.SchemaProps{ + Description: "Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), + }, + }, + "namespaces": { + SchemaProps: spec.SchemaProps{ + Description: "Select Pod/ExternalEntity from Namespaces matched by specific criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.", + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.PeerNamespaces"), + }, + }, + "externalEntitySelector": { + SchemaProps: spec.SchemaProps{ + Description: "Select ExternalEntities from NetworkPolicy's Namespace as workloads in To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), + }, + }, + "group": { + SchemaProps: spec.SchemaProps{ + Description: "Group is the name of the ClusterGroup which can be set within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector.", + Type: []string{"string"}, + Format: "", + }, + }, + "fqdn": { + SchemaProps: spec.SchemaProps{ + Description: "Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are:\n Exact FQDNs, i.e. \"google.com\", \"db-svc.default.svc.cluster.local\"\n Wildcard expressions, i.e. \"*wayfair.com\".", + Type: []string{"string"}, + Format: "", + }, + }, + "serviceAccount": { + SchemaProps: spec.SchemaProps{ + Description: "Select all Pods with the ServiceAccount matched by this field, as workloads in To/From fields. Cannot be set with any other selector.", + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.NamespacedName"), + }, + }, + "nodeSelector": { + SchemaProps: spec.SchemaProps{ + Description: "Select certain Nodes which match the label selector. A NodeSelector cannot be set in AppliedTo field or set with any other selector.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), + }, + }, + "scope": { + SchemaProps: spec.SchemaProps{ + Description: "Define scope of the Pod/NamespaceSelector(s) of this peer. Can only be used in ingress NetworkPolicyPeers. 
Defaults to \"Cluster\".", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/crd/v1beta1.IPBlock", "antrea.io/antrea/pkg/apis/crd/v1beta1.NamespacedName", "antrea.io/antrea/pkg/apis/crd/v1beta1.PeerNamespaces", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"}, + } +} + +func schema_pkg_apis_crd_v1beta1_NetworkPolicyPort(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NetworkPolicyPort describes the port and protocol to match in a rule.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "protocol": { + SchemaProps: spec.SchemaProps{ + Description: "The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.", + Type: []string{"string"}, + Format: "", + }, + }, + "port": { + SchemaProps: spec.SchemaProps{ + Description: "The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.", + Ref: ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"), + }, + }, + "endPort": { + SchemaProps: spec.SchemaProps{ + Description: "EndPort defines the end of the port range, inclusive. It can only be specified when a numerical `port` is specified.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "sourcePort": { + SchemaProps: spec.SchemaProps{ + Description: "The source port on the given protocol. This can only be a numerical port. If this field is not provided, rule matches all source ports.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "sourceEndPort": { + SchemaProps: spec.SchemaProps{ + Description: "SourceEndPort defines the end of the source port range, inclusive. 
It can only be specified when `sourcePort` is specified.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + }, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/util/intstr.IntOrString"}, + } +} + +func schema_pkg_apis_crd_v1beta1_NetworkPolicyProtocol(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NetworkPolicyProtocol defines additional protocols that are not supported by `ports`. All fields should be used as a standalone field.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "icmp": { + SchemaProps: spec.SchemaProps{ + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.ICMPProtocol"), + }, + }, + "igmp": { + SchemaProps: spec.SchemaProps{ + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.IGMPProtocol"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/crd/v1beta1.ICMPProtocol", "antrea.io/antrea/pkg/apis/crd/v1beta1.IGMPProtocol"}, + } +} + +func schema_pkg_apis_crd_v1beta1_NetworkPolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NetworkPolicySpec defines the desired state for NetworkPolicy.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "tier": { + SchemaProps: spec.SchemaProps{ + Description: "Tier specifies the tier to which this NetworkPolicy belongs to. The NetworkPolicy order will be determined based on the combination of the Tier's Priority and the NetworkPolicy's own Priority. 
If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom.", + Type: []string{"string"}, + Format: "", + }, + }, + "priority": { + SchemaProps: spec.SchemaProps{ + Description: "Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.", + Default: 0, + Type: []string{"number"}, + Format: "double", + }, + }, + "appliedTo": { + SchemaProps: spec.SchemaProps{ + Description: "Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.AppliedTo"), + }, + }, + }, + }, + }, + "ingress": { + SchemaProps: spec.SchemaProps{ + Description: "Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.Rule"), + }, + }, + }, + }, + }, + "egress": { + SchemaProps: spec.SchemaProps{ + Description: "Set of egress rules evaluated based on the order in which they are set. 
Currently Egress rule supports setting the `To` field but not the `From` field within a Rule.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.Rule"), + }, + }, + }, + }, + }, + }, + Required: []string{"priority"}, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/crd/v1beta1.AppliedTo", "antrea.io/antrea/pkg/apis/crd/v1beta1.Rule"}, + } +} + +func schema_pkg_apis_crd_v1beta1_NetworkPolicyStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NetworkPolicyStatus represents information about the status of a NetworkPolicy.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "phase": { + SchemaProps: spec.SchemaProps{ + Description: "The phase of a NetworkPolicy is a simple, high-level summary of the NetworkPolicy's status.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "observedGeneration": { + SchemaProps: spec.SchemaProps{ + Description: "The generation observed by Antrea.", + Default: 0, + Type: []string{"integer"}, + Format: "int64", + }, + }, + "currentNodesRealized": { + SchemaProps: spec.SchemaProps{ + Description: "The number of nodes that have realized the NetworkPolicy.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "desiredNodesRealized": { + SchemaProps: spec.SchemaProps{ + Description: "The total number of nodes that should realize the NetworkPolicy.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "conditions": { + SchemaProps: spec.SchemaProps{ + Description: "Represents the latest available observations of a NetworkPolicy current state.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: 
map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyCondition"), + }, + }, + }, + }, + }, + }, + Required: []string{"phase", "observedGeneration", "currentNodesRealized", "desiredNodesRealized", "conditions"}, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyCondition"}, + } +} + +func schema_pkg_apis_crd_v1beta1_OVSInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "version": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "bridgeName": { SchemaProps: spec.SchemaProps{ Type: []string{"string"}, Format: "", 
@@ -3476,6 +4314,218 @@ func schema_pkg_apis_crd_v1beta1_OVSInfo(ref common.ReferenceCallback) common.Op } } +func schema_pkg_apis_crd_v1beta1_PeerNamespaces(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "match": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_pkg_apis_crd_v1beta1_PeerService(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PeerService refers to a Service, which can be a in-cluster Service or imported multi-cluster service.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "namespace": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "scope": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_pkg_apis_crd_v1beta1_Rule(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "action": { + SchemaProps: spec.SchemaProps{ + Description: "Action specifies the action to be applied on the rule.", + Type: []string{"string"}, + Format: "", + }, + }, + "ports": { + SchemaProps: spec.SchemaProps{ + Description: "Set of ports and protocols matched by the rule. 
If this field and Protocols are unset or empty, this rule matches all ports.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyPort"), + }, + }, + }, + }, + }, + "protocols": { + SchemaProps: spec.SchemaProps{ + Description: "Set of protocols matched by the rule. If this field and Ports are unset or empty, this rule matches all protocols supported.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyProtocol"), + }, + }, + }, + }, + }, + "l7Protocols": { + SchemaProps: spec.SchemaProps{ + Description: "Set of layer 7 protocols matched by the rule. If this field is set, action can only be Allow. When this field is used in a rule, any traffic matching the other layer 3/4 criteria of the rule (typically the 5-tuple) will be forwarded to an application-aware engine for protocol detection and rule enforcement, and the traffic will be allowed if the layer 7 criteria is also matched, otherwise it will be dropped. Therefore, any rules after a layer 7 rule will not be enforced for the traffic.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.L7Protocol"), + }, + }, + }, + }, + }, + "from": { + SchemaProps: spec.SchemaProps{ + Description: "Rule is matched if traffic originates from workloads selected by this field. 
If this field is empty, this rule matches all sources.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyPeer"), + }, + }, + }, + }, + }, + "to": { + SchemaProps: spec.SchemaProps{ + Description: "Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyPeer"), + }, + }, + }, + }, + }, + "toServices": { + SchemaProps: spec.SchemaProps{ + Description: "Rule is matched if traffic is intended for a Service listed in this field. Currently, only ClusterIP types Services are supported in this field. When scope is set to ClusterSet, it matches traffic intended for a multi-cluster Service listed in this field. Service name and Namespace provided should match the original exported Service. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.PeerService"), + }, + }, + }, + }, + }, + "name": { + SchemaProps: spec.SchemaProps{ + Description: "Name describes the intention of this rule. 
Name should be unique within the policy.", + Type: []string{"string"}, + Format: "", + }, + }, + "enableLogging": { + SchemaProps: spec.SchemaProps{ + Description: "EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.", + Default: false, + Type: []string{"boolean"}, + Format: "", + }, + }, + "logLabel": { + SchemaProps: spec.SchemaProps{ + Description: "LogLabel is a user-defined arbitrary string which will be printed in the NetworkPolicy logs.", + Type: []string{"string"}, + Format: "", + }, + }, + "appliedTo": { + SchemaProps: spec.SchemaProps{ + Description: "Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/crd/v1beta1.AppliedTo"), + }, + }, + }, + }, + }, + }, + Required: []string{"action"}, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/crd/v1beta1.AppliedTo", "antrea.io/antrea/pkg/apis/crd/v1beta1.L7Protocol", "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyPeer", "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyPort", "antrea.io/antrea/pkg/apis/crd/v1beta1.NetworkPolicyProtocol", "antrea.io/antrea/pkg/apis/crd/v1beta1.PeerService"}, + } +} + +func schema_pkg_apis_crd_v1beta1_TLSProtocol(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "TLSProtocol matches TLS handshake packets with specific SNI. 
If the field is not provided, this matches all TLS handshake packets.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "sni": { + SchemaProps: spec.SchemaProps{ + Description: "SNI (Server Name Indication) indicates the server domain name in the TLS/SSL hello message.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_pkg_apis_crd_v1beta1_Tier(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/pkg/client/clientset/versioned/typed/crd/v1beta1/clusternetworkpolicy.go b/pkg/client/clientset/versioned/typed/crd/v1beta1/clusternetworkpolicy.go new file mode 100644 index 00000000000..95b3d52542f --- /dev/null +++ b/pkg/client/clientset/versioned/typed/crd/v1beta1/clusternetworkpolicy.go 
@@ -0,0 +1,182 @@ +// Copyright 2023 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by client-gen. DO NOT EDIT. + +package v1beta1 + +import ( + "context" + "time" + + v1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" + scheme "antrea.io/antrea/pkg/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// ClusterNetworkPoliciesGetter has a method to return a ClusterNetworkPolicyInterface. +// A group's client should implement this interface. +type ClusterNetworkPoliciesGetter interface { + ClusterNetworkPolicies() ClusterNetworkPolicyInterface +} + +// ClusterNetworkPolicyInterface has methods to work with ClusterNetworkPolicy resources. 
+type ClusterNetworkPolicyInterface interface { + Create(ctx context.Context, clusterNetworkPolicy *v1beta1.ClusterNetworkPolicy, opts v1.CreateOptions) (*v1beta1.ClusterNetworkPolicy, error) + Update(ctx context.Context, clusterNetworkPolicy *v1beta1.ClusterNetworkPolicy, opts v1.UpdateOptions) (*v1beta1.ClusterNetworkPolicy, error) + UpdateStatus(ctx context.Context, clusterNetworkPolicy *v1beta1.ClusterNetworkPolicy, opts v1.UpdateOptions) (*v1beta1.ClusterNetworkPolicy, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1beta1.ClusterNetworkPolicy, error) + List(ctx context.Context, opts v1.ListOptions) (*v1beta1.ClusterNetworkPolicyList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1beta1.ClusterNetworkPolicy, err error) + ClusterNetworkPolicyExpansion +} + +// clusterNetworkPolicies implements ClusterNetworkPolicyInterface +type clusterNetworkPolicies struct { + client rest.Interface +} + +// newClusterNetworkPolicies returns a ClusterNetworkPolicies +func newClusterNetworkPolicies(c *CrdV1beta1Client) *clusterNetworkPolicies { + return &clusterNetworkPolicies{ + client: c.RESTClient(), + } +} + +// Get takes name of the clusterNetworkPolicy, and returns the corresponding clusterNetworkPolicy object, and an error if there is any. +func (c *clusterNetworkPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1beta1.ClusterNetworkPolicy, err error) { + result = &v1beta1.ClusterNetworkPolicy{} + err = c.client.Get(). + Resource("clusternetworkpolicies"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). 
+ Into(result) + return +} + +// List takes label and field selectors, and returns the list of ClusterNetworkPolicies that match those selectors. +func (c *clusterNetworkPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1beta1.ClusterNetworkPolicyList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1beta1.ClusterNetworkPolicyList{} + err = c.client.Get(). + Resource("clusternetworkpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested clusterNetworkPolicies. +func (c *clusterNetworkPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Resource("clusternetworkpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a clusterNetworkPolicy and creates it. Returns the server's representation of the clusterNetworkPolicy, and an error, if there is any. +func (c *clusterNetworkPolicies) Create(ctx context.Context, clusterNetworkPolicy *v1beta1.ClusterNetworkPolicy, opts v1.CreateOptions) (result *v1beta1.ClusterNetworkPolicy, err error) { + result = &v1beta1.ClusterNetworkPolicy{} + err = c.client.Post(). + Resource("clusternetworkpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(clusterNetworkPolicy). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a clusterNetworkPolicy and updates it. Returns the server's representation of the clusterNetworkPolicy, and an error, if there is any. 
+func (c *clusterNetworkPolicies) Update(ctx context.Context, clusterNetworkPolicy *v1beta1.ClusterNetworkPolicy, opts v1.UpdateOptions) (result *v1beta1.ClusterNetworkPolicy, err error) { + result = &v1beta1.ClusterNetworkPolicy{} + err = c.client.Put(). + Resource("clusternetworkpolicies"). + Name(clusterNetworkPolicy.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(clusterNetworkPolicy). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *clusterNetworkPolicies) UpdateStatus(ctx context.Context, clusterNetworkPolicy *v1beta1.ClusterNetworkPolicy, opts v1.UpdateOptions) (result *v1beta1.ClusterNetworkPolicy, err error) { + result = &v1beta1.ClusterNetworkPolicy{} + err = c.client.Put(). + Resource("clusternetworkpolicies"). + Name(clusterNetworkPolicy.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(clusterNetworkPolicy). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the clusterNetworkPolicy and deletes it. Returns an error if one occurs. +func (c *clusterNetworkPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Resource("clusternetworkpolicies"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *clusterNetworkPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Resource("clusternetworkpolicies"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched clusterNetworkPolicy. 
+func (c *clusterNetworkPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1beta1.ClusterNetworkPolicy, err error) { + result = &v1beta1.ClusterNetworkPolicy{} + err = c.client.Patch(pt). + Resource("clusternetworkpolicies"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/pkg/client/clientset/versioned/typed/crd/v1beta1/crd_client.go b/pkg/client/clientset/versioned/typed/crd/v1beta1/crd_client.go index e637197eaa0..c5c6d68d7d0 100644 --- a/pkg/client/clientset/versioned/typed/crd/v1beta1/crd_client.go +++ b/pkg/client/clientset/versioned/typed/crd/v1beta1/crd_client.go @@ -29,8 +29,10 @@ type CrdV1beta1Interface interface { AntreaAgentInfosGetter AntreaControllerInfosGetter ClusterGroupsGetter + ClusterNetworkPoliciesGetter ExternalIPPoolsGetter GroupsGetter + NetworkPoliciesGetter TiersGetter } @@ -51,6 +53,10 @@ func (c *CrdV1beta1Client) ClusterGroups() ClusterGroupInterface { return newClusterGroups(c) } +func (c *CrdV1beta1Client) ClusterNetworkPolicies() ClusterNetworkPolicyInterface { + return newClusterNetworkPolicies(c) +} + func (c *CrdV1beta1Client) ExternalIPPools() ExternalIPPoolInterface { return newExternalIPPools(c) } @@ -59,6 +65,10 @@ func (c *CrdV1beta1Client) Groups(namespace string) GroupInterface { return newGroups(c, namespace) } +func (c *CrdV1beta1Client) NetworkPolicies(namespace string) NetworkPolicyInterface { + return newNetworkPolicies(c, namespace) +} + func (c *CrdV1beta1Client) Tiers() TierInterface { return newTiers(c) } diff --git a/pkg/client/clientset/versioned/typed/crd/v1beta1/fake/fake_clusternetworkpolicy.go b/pkg/client/clientset/versioned/typed/crd/v1beta1/fake/fake_clusternetworkpolicy.go new file mode 100644 index 00000000000..d04d6544fbf --- /dev/null 
+++ b/pkg/client/clientset/versioned/typed/crd/v1beta1/fake/fake_clusternetworkpolicy.go 
@@ -0,0 +1,131 @@ +// Copyright 2023 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeClusterNetworkPolicies implements ClusterNetworkPolicyInterface +type FakeClusterNetworkPolicies struct { + Fake *FakeCrdV1beta1 +} + +var clusternetworkpoliciesResource = schema.GroupVersionResource{Group: "crd.antrea.io", Version: "v1beta1", Resource: "clusternetworkpolicies"} + +var clusternetworkpoliciesKind = schema.GroupVersionKind{Group: "crd.antrea.io", Version: "v1beta1", Kind: "ClusterNetworkPolicy"} + +// Get takes name of the clusterNetworkPolicy, and returns the corresponding clusterNetworkPolicy object, and an error if there is any. +func (c *FakeClusterNetworkPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1beta1.ClusterNetworkPolicy, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewRootGetAction(clusternetworkpoliciesResource, name), &v1beta1.ClusterNetworkPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1beta1.ClusterNetworkPolicy), err +} + +// List takes label and field selectors, and returns the list of ClusterNetworkPolicies that match those selectors. +func (c *FakeClusterNetworkPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1beta1.ClusterNetworkPolicyList, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootListAction(clusternetworkpoliciesResource, clusternetworkpoliciesKind, opts), &v1beta1.ClusterNetworkPolicyList{}) + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1beta1.ClusterNetworkPolicyList{ListMeta: obj.(*v1beta1.ClusterNetworkPolicyList).ListMeta} + for _, item := range obj.(*v1beta1.ClusterNetworkPolicyList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested clusterNetworkPolicies. +func (c *FakeClusterNetworkPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewRootWatchAction(clusternetworkpoliciesResource, opts)) +} + +// Create takes the representation of a clusterNetworkPolicy and creates it. Returns the server's representation of the clusterNetworkPolicy, and an error, if there is any. +func (c *FakeClusterNetworkPolicies) Create(ctx context.Context, clusterNetworkPolicy *v1beta1.ClusterNetworkPolicy, opts v1.CreateOptions) (result *v1beta1.ClusterNetworkPolicy, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewRootCreateAction(clusternetworkpoliciesResource, clusterNetworkPolicy), &v1beta1.ClusterNetworkPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1beta1.ClusterNetworkPolicy), err +} + +// Update takes the representation of a clusterNetworkPolicy and updates it. Returns the server's representation of the clusterNetworkPolicy, and an error, if there is any. +func (c *FakeClusterNetworkPolicies) Update(ctx context.Context, clusterNetworkPolicy *v1beta1.ClusterNetworkPolicy, opts v1.UpdateOptions) (result *v1beta1.ClusterNetworkPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootUpdateAction(clusternetworkpoliciesResource, clusterNetworkPolicy), &v1beta1.ClusterNetworkPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1beta1.ClusterNetworkPolicy), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeClusterNetworkPolicies) UpdateStatus(ctx context.Context, clusterNetworkPolicy *v1beta1.ClusterNetworkPolicy, opts v1.UpdateOptions) (*v1beta1.ClusterNetworkPolicy, error) { + obj, err := c.Fake. + Invokes(testing.NewRootUpdateSubresourceAction(clusternetworkpoliciesResource, "status", clusterNetworkPolicy), &v1beta1.ClusterNetworkPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1beta1.ClusterNetworkPolicy), err +} + +// Delete takes name of the clusterNetworkPolicy and deletes it. Returns an error if one occurs. +func (c *FakeClusterNetworkPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewRootDeleteActionWithOptions(clusternetworkpoliciesResource, name, opts), &v1beta1.ClusterNetworkPolicy{}) + return err +} + +// DeleteCollection deletes a collection of objects. 
+func (c *FakeClusterNetworkPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewRootDeleteCollectionAction(clusternetworkpoliciesResource, listOpts) + + _, err := c.Fake.Invokes(action, &v1beta1.ClusterNetworkPolicyList{}) + return err +} + +// Patch applies the patch and returns the patched clusterNetworkPolicy. +func (c *FakeClusterNetworkPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1beta1.ClusterNetworkPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootPatchSubresourceAction(clusternetworkpoliciesResource, name, pt, data, subresources...), &v1beta1.ClusterNetworkPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1beta1.ClusterNetworkPolicy), err +} diff --git a/pkg/client/clientset/versioned/typed/crd/v1beta1/fake/fake_crd_client.go b/pkg/client/clientset/versioned/typed/crd/v1beta1/fake/fake_crd_client.go index c7df84a72ed..4f869508dce 100644 --- a/pkg/client/clientset/versioned/typed/crd/v1beta1/fake/fake_crd_client.go +++ b/pkg/client/clientset/versioned/typed/crd/v1beta1/fake/fake_crd_client.go @@ -38,6 +38,10 @@ func (c *FakeCrdV1beta1) ClusterGroups() v1beta1.ClusterGroupInterface { return &FakeClusterGroups{c} } +func (c *FakeCrdV1beta1) ClusterNetworkPolicies() v1beta1.ClusterNetworkPolicyInterface { + return &FakeClusterNetworkPolicies{c} +} + func (c *FakeCrdV1beta1) ExternalIPPools() v1beta1.ExternalIPPoolInterface { return &FakeExternalIPPools{c} } @@ -46,6 +50,10 @@ func (c *FakeCrdV1beta1) Groups(namespace string) v1beta1.GroupInterface { return &FakeGroups{c, namespace} } +func (c *FakeCrdV1beta1) NetworkPolicies(namespace string) v1beta1.NetworkPolicyInterface { + return &FakeNetworkPolicies{c, namespace} +} + func (c *FakeCrdV1beta1) Tiers() v1beta1.TierInterface { return &FakeTiers{c} } 
diff --git a/pkg/client/clientset/versioned/typed/crd/v1beta1/fake/fake_networkpolicy.go b/pkg/client/clientset/versioned/typed/crd/v1beta1/fake/fake_networkpolicy.go new file mode 100644 index 00000000000..9d9da2686b5 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/crd/v1beta1/fake/fake_networkpolicy.go 
@@ -0,0 +1,140 @@ +// Copyright 2023 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeNetworkPolicies implements NetworkPolicyInterface +type FakeNetworkPolicies struct { + Fake *FakeCrdV1beta1 + ns string +} + +var networkpoliciesResource = schema.GroupVersionResource{Group: "crd.antrea.io", Version: "v1beta1", Resource: "networkpolicies"} + +var networkpoliciesKind = schema.GroupVersionKind{Group: "crd.antrea.io", Version: "v1beta1", Kind: "NetworkPolicy"} + +// Get takes name of the networkPolicy, and returns the corresponding networkPolicy object, and an error if there is any. +func (c *FakeNetworkPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1beta1.NetworkPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(networkpoliciesResource, c.ns, name), &v1beta1.NetworkPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1beta1.NetworkPolicy), err +} + +// List takes label and field selectors, and returns the list of NetworkPolicies that match those selectors. 
+func (c *FakeNetworkPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1beta1.NetworkPolicyList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(networkpoliciesResource, networkpoliciesKind, c.ns, opts), &v1beta1.NetworkPolicyList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1beta1.NetworkPolicyList{ListMeta: obj.(*v1beta1.NetworkPolicyList).ListMeta} + for _, item := range obj.(*v1beta1.NetworkPolicyList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested networkPolicies. +func (c *FakeNetworkPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(networkpoliciesResource, c.ns, opts)) + +} + +// Create takes the representation of a networkPolicy and creates it. Returns the server's representation of the networkPolicy, and an error, if there is any. +func (c *FakeNetworkPolicies) Create(ctx context.Context, networkPolicy *v1beta1.NetworkPolicy, opts v1.CreateOptions) (result *v1beta1.NetworkPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(networkpoliciesResource, c.ns, networkPolicy), &v1beta1.NetworkPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1beta1.NetworkPolicy), err +} + +// Update takes the representation of a networkPolicy and updates it. Returns the server's representation of the networkPolicy, and an error, if there is any. +func (c *FakeNetworkPolicies) Update(ctx context.Context, networkPolicy *v1beta1.NetworkPolicy, opts v1.UpdateOptions) (result *v1beta1.NetworkPolicy, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewUpdateAction(networkpoliciesResource, c.ns, networkPolicy), &v1beta1.NetworkPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1beta1.NetworkPolicy), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeNetworkPolicies) UpdateStatus(ctx context.Context, networkPolicy *v1beta1.NetworkPolicy, opts v1.UpdateOptions) (*v1beta1.NetworkPolicy, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(networkpoliciesResource, "status", c.ns, networkPolicy), &v1beta1.NetworkPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1beta1.NetworkPolicy), err +} + +// Delete takes name of the networkPolicy and deletes it. Returns an error if one occurs. +func (c *FakeNetworkPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(networkpoliciesResource, c.ns, name, opts), &v1beta1.NetworkPolicy{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeNetworkPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(networkpoliciesResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1beta1.NetworkPolicyList{}) + return err +} + +// Patch applies the patch and returns the patched networkPolicy. +func (c *FakeNetworkPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1beta1.NetworkPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(networkpoliciesResource, c.ns, name, pt, data, subresources...), &v1beta1.NetworkPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1beta1.NetworkPolicy), err +} 
diff --git a/pkg/client/clientset/versioned/typed/crd/v1beta1/generated_expansion.go b/pkg/client/clientset/versioned/typed/crd/v1beta1/generated_expansion.go index 578b75d698a..5fc5743e99a 100644 --- a/pkg/client/clientset/versioned/typed/crd/v1beta1/generated_expansion.go +++ b/pkg/client/clientset/versioned/typed/crd/v1beta1/generated_expansion.go @@ -22,8 +22,12 @@ type AntreaControllerInfoExpansion interface{} type ClusterGroupExpansion interface{} +type ClusterNetworkPolicyExpansion interface{} + type ExternalIPPoolExpansion interface{} type GroupExpansion interface{} +type NetworkPolicyExpansion interface{} + type TierExpansion interface{} diff --git a/pkg/client/clientset/versioned/typed/crd/v1beta1/networkpolicy.go b/pkg/client/clientset/versioned/typed/crd/v1beta1/networkpolicy.go new file mode 100644 index 00000000000..4d3f322831e --- /dev/null +++ b/pkg/client/clientset/versioned/typed/crd/v1beta1/networkpolicy.go 
@@ -0,0 +1,193 @@ +// Copyright 2023 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by client-gen. DO NOT EDIT. + +package v1beta1 + +import ( + "context" + "time" + + v1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" + scheme "antrea.io/antrea/pkg/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// NetworkPoliciesGetter has a method to return a NetworkPolicyInterface. +// A group's client should implement this interface. +type NetworkPoliciesGetter interface { + NetworkPolicies(namespace string) NetworkPolicyInterface +} + +// NetworkPolicyInterface has methods to work with NetworkPolicy resources. 
+type NetworkPolicyInterface interface { + Create(ctx context.Context, networkPolicy *v1beta1.NetworkPolicy, opts v1.CreateOptions) (*v1beta1.NetworkPolicy, error) + Update(ctx context.Context, networkPolicy *v1beta1.NetworkPolicy, opts v1.UpdateOptions) (*v1beta1.NetworkPolicy, error) + UpdateStatus(ctx context.Context, networkPolicy *v1beta1.NetworkPolicy, opts v1.UpdateOptions) (*v1beta1.NetworkPolicy, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1beta1.NetworkPolicy, error) + List(ctx context.Context, opts v1.ListOptions) (*v1beta1.NetworkPolicyList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1beta1.NetworkPolicy, err error) + NetworkPolicyExpansion +} + +// networkPolicies implements NetworkPolicyInterface +type networkPolicies struct { + client rest.Interface + ns string +} + +// newNetworkPolicies returns a NetworkPolicies +func newNetworkPolicies(c *CrdV1beta1Client, namespace string) *networkPolicies { + return &networkPolicies{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the networkPolicy, and returns the corresponding networkPolicy object, and an error if there is any. +func (c *networkPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1beta1.NetworkPolicy, err error) { + result = &v1beta1.NetworkPolicy{} + err = c.client.Get(). + Namespace(c.ns). + Resource("networkpolicies"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of NetworkPolicies that match those selectors. 
+func (c *networkPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1beta1.NetworkPolicyList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1beta1.NetworkPolicyList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("networkpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested networkPolicies. +func (c *networkPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("networkpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a networkPolicy and creates it. Returns the server's representation of the networkPolicy, and an error, if there is any. +func (c *networkPolicies) Create(ctx context.Context, networkPolicy *v1beta1.NetworkPolicy, opts v1.CreateOptions) (result *v1beta1.NetworkPolicy, err error) { + result = &v1beta1.NetworkPolicy{} + err = c.client.Post(). + Namespace(c.ns). + Resource("networkpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(networkPolicy). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a networkPolicy and updates it. Returns the server's representation of the networkPolicy, and an error, if there is any. +func (c *networkPolicies) Update(ctx context.Context, networkPolicy *v1beta1.NetworkPolicy, opts v1.UpdateOptions) (result *v1beta1.NetworkPolicy, err error) { + result = &v1beta1.NetworkPolicy{} + err = c.client.Put(). + Namespace(c.ns). + Resource("networkpolicies"). + Name(networkPolicy.Name). 
+ VersionedParams(&opts, scheme.ParameterCodec). + Body(networkPolicy). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *networkPolicies) UpdateStatus(ctx context.Context, networkPolicy *v1beta1.NetworkPolicy, opts v1.UpdateOptions) (result *v1beta1.NetworkPolicy, err error) { + result = &v1beta1.NetworkPolicy{} + err = c.client.Put(). + Namespace(c.ns). + Resource("networkpolicies"). + Name(networkPolicy.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(networkPolicy). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the networkPolicy and deletes it. Returns an error if one occurs. +func (c *networkPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("networkpolicies"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *networkPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("networkpolicies"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched networkPolicy. +func (c *networkPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1beta1.NetworkPolicy, err error) { + result = &v1beta1.NetworkPolicy{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("networkpolicies"). + Name(name). + SubResource(subresources...). 
+ VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/pkg/client/informers/externalversions/crd/v1beta1/clusternetworkpolicy.go b/pkg/client/informers/externalversions/crd/v1beta1/clusternetworkpolicy.go new file mode 100644 index 00000000000..2e30b6f8f2f --- /dev/null +++ b/pkg/client/informers/externalversions/crd/v1beta1/clusternetworkpolicy.go 
@@ -0,0 +1,87 @@ +// Copyright 2023 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by informer-gen. DO NOT EDIT. + +package v1beta1 + +import ( + "context" + time "time" + + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" + versioned "antrea.io/antrea/pkg/client/clientset/versioned" + internalinterfaces "antrea.io/antrea/pkg/client/informers/externalversions/internalinterfaces" + v1beta1 "antrea.io/antrea/pkg/client/listers/crd/v1beta1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// ClusterNetworkPolicyInformer provides access to a shared informer and lister for +// ClusterNetworkPolicies. +type ClusterNetworkPolicyInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1beta1.ClusterNetworkPolicyLister +} + +type clusterNetworkPolicyInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// NewClusterNetworkPolicyInformer constructs a new informer for ClusterNetworkPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewClusterNetworkPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredClusterNetworkPolicyInformer(client, resyncPeriod, indexers, nil) +} + +// NewFilteredClusterNetworkPolicyInformer constructs a new informer for ClusterNetworkPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredClusterNetworkPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.CrdV1beta1().ClusterNetworkPolicies().List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.CrdV1beta1().ClusterNetworkPolicies().Watch(context.TODO(), options) + }, + }, + &crdv1beta1.ClusterNetworkPolicy{}, + resyncPeriod, + indexers, + ) +} + +func (f *clusterNetworkPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredClusterNetworkPolicyInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *clusterNetworkPolicyInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&crdv1beta1.ClusterNetworkPolicy{}, f.defaultInformer) +} + +func (f *clusterNetworkPolicyInformer) Lister() v1beta1.ClusterNetworkPolicyLister { + return v1beta1.NewClusterNetworkPolicyLister(f.Informer().GetIndexer()) +} 
diff --git a/pkg/client/informers/externalversions/crd/v1beta1/interface.go b/pkg/client/informers/externalversions/crd/v1beta1/interface.go index 2a7a0fa88ba..0cc02cea671 100644 --- a/pkg/client/informers/externalversions/crd/v1beta1/interface.go +++ b/pkg/client/informers/externalversions/crd/v1beta1/interface.go @@ -28,10 +28,14 @@ type Interface interface { AntreaControllerInfos() AntreaControllerInfoInformer // ClusterGroups returns a ClusterGroupInformer. ClusterGroups() ClusterGroupInformer + // ClusterNetworkPolicies returns a ClusterNetworkPolicyInformer. + ClusterNetworkPolicies() ClusterNetworkPolicyInformer // ExternalIPPools returns a ExternalIPPoolInformer. ExternalIPPools() ExternalIPPoolInformer // Groups returns a GroupInformer. Groups() GroupInformer + // NetworkPolicies returns a NetworkPolicyInformer. + NetworkPolicies() NetworkPolicyInformer // Tiers returns a TierInformer. Tiers() TierInformer } @@ -62,6 +66,11 @@ func (v *version) ClusterGroups() ClusterGroupInformer { return &clusterGroupInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} } +// ClusterNetworkPolicies returns a ClusterNetworkPolicyInformer. +func (v *version) ClusterNetworkPolicies() ClusterNetworkPolicyInformer { + return &clusterNetworkPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} +} + // ExternalIPPools returns a ExternalIPPoolInformer. func (v *version) ExternalIPPools() ExternalIPPoolInformer { return &externalIPPoolInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} 
@@ -72,6 +81,11 @@ func (v *version) Groups() GroupInformer { return &groupInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// NetworkPolicies returns a NetworkPolicyInformer. +func (v *version) NetworkPolicies() NetworkPolicyInformer { + return &networkPolicyInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // Tiers returns a TierInformer. func (v *version) Tiers() TierInformer { return &tierInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} diff --git a/pkg/client/informers/externalversions/crd/v1beta1/networkpolicy.go b/pkg/client/informers/externalversions/crd/v1beta1/networkpolicy.go new file mode 100644 index 00000000000..b22a4438bc5 --- /dev/null +++ b/pkg/client/informers/externalversions/crd/v1beta1/networkpolicy.go 
@@ -0,0 +1,88 @@ +// Copyright 2023 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by informer-gen. DO NOT EDIT. + +package v1beta1 + +import ( + "context" + time "time" + + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" + versioned "antrea.io/antrea/pkg/client/clientset/versioned" + internalinterfaces "antrea.io/antrea/pkg/client/informers/externalversions/internalinterfaces" + v1beta1 "antrea.io/antrea/pkg/client/listers/crd/v1beta1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// NetworkPolicyInformer provides access to a shared informer and lister for +// NetworkPolicies. +type NetworkPolicyInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1beta1.NetworkPolicyLister +} + +type networkPolicyInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewNetworkPolicyInformer constructs a new informer for NetworkPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewNetworkPolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredNetworkPolicyInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredNetworkPolicyInformer constructs a new informer for NetworkPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredNetworkPolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.CrdV1beta1().NetworkPolicies(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.CrdV1beta1().NetworkPolicies(namespace).Watch(context.TODO(), options) + }, + }, + &crdv1beta1.NetworkPolicy{}, + resyncPeriod, + indexers, + ) +} + +func (f *networkPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredNetworkPolicyInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *networkPolicyInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&crdv1beta1.NetworkPolicy{}, f.defaultInformer) +} + +func (f *networkPolicyInformer) Lister() v1beta1.NetworkPolicyLister { + return v1beta1.NewNetworkPolicyLister(f.Informer().GetIndexer()) +} 
diff --git a/pkg/client/informers/externalversions/generic.go b/pkg/client/informers/externalversions/generic.go index a1ea279fc40..4539d7b4722 100644 --- a/pkg/client/informers/externalversions/generic.go +++ b/pkg/client/informers/externalversions/generic.go @@ -94,10 +94,14 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1beta1().AntreaControllerInfos().Informer()}, nil case v1beta1.SchemeGroupVersion.WithResource("clustergroups"): return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1beta1().ClusterGroups().Informer()}, nil + case v1beta1.SchemeGroupVersion.WithResource("clusternetworkpolicies"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1beta1().ClusterNetworkPolicies().Informer()}, nil case v1beta1.SchemeGroupVersion.WithResource("externalippools"): return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1beta1().ExternalIPPools().Informer()}, nil case v1beta1.SchemeGroupVersion.WithResource("groups"): return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1beta1().Groups().Informer()}, nil + case v1beta1.SchemeGroupVersion.WithResource("networkpolicies"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1beta1().NetworkPolicies().Informer()}, nil case v1beta1.SchemeGroupVersion.WithResource("tiers"): return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1beta1().Tiers().Informer()}, nil diff --git a/pkg/client/listers/crd/v1beta1/clusternetworkpolicy.go b/pkg/client/listers/crd/v1beta1/clusternetworkpolicy.go new file mode 100644 index 00000000000..5b27c325ec8 --- /dev/null +++ b/pkg/client/listers/crd/v1beta1/clusternetworkpolicy.go 
@@ -0,0 +1,66 @@ +// Copyright 2023 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by lister-gen. DO NOT EDIT. + +package v1beta1 + +import ( + v1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// ClusterNetworkPolicyLister helps list ClusterNetworkPolicies. +// All objects returned here must be treated as read-only. +type ClusterNetworkPolicyLister interface { + // List lists all ClusterNetworkPolicies in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1beta1.ClusterNetworkPolicy, err error) + // Get retrieves the ClusterNetworkPolicy from the index for a given name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1beta1.ClusterNetworkPolicy, error) + ClusterNetworkPolicyListerExpansion +} + +// clusterNetworkPolicyLister implements the ClusterNetworkPolicyLister interface. +type clusterNetworkPolicyLister struct { + indexer cache.Indexer +} + +// NewClusterNetworkPolicyLister returns a new ClusterNetworkPolicyLister. +func NewClusterNetworkPolicyLister(indexer cache.Indexer) ClusterNetworkPolicyLister { + return &clusterNetworkPolicyLister{indexer: indexer} +} + +// List lists all ClusterNetworkPolicies in the indexer. 
+func (s *clusterNetworkPolicyLister) List(selector labels.Selector) (ret []*v1beta1.ClusterNetworkPolicy, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1beta1.ClusterNetworkPolicy)) + }) + return ret, err +} + +// Get retrieves the ClusterNetworkPolicy from the index for a given name. +func (s *clusterNetworkPolicyLister) Get(name string) (*v1beta1.ClusterNetworkPolicy, error) { + obj, exists, err := s.indexer.GetByKey(name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1beta1.Resource("clusternetworkpolicy"), name) + } + return obj.(*v1beta1.ClusterNetworkPolicy), nil +} diff --git a/pkg/client/listers/crd/v1beta1/expansion_generated.go b/pkg/client/listers/crd/v1beta1/expansion_generated.go index 8df6946e5fa..8882d1af8a0 100644 --- a/pkg/client/listers/crd/v1beta1/expansion_generated.go +++ b/pkg/client/listers/crd/v1beta1/expansion_generated.go @@ -28,6 +28,10 @@ type AntreaControllerInfoListerExpansion interface{} // ClusterGroupLister. type ClusterGroupListerExpansion interface{} +// ClusterNetworkPolicyListerExpansion allows custom methods to be added to +// ClusterNetworkPolicyLister. +type ClusterNetworkPolicyListerExpansion interface{} + // ExternalIPPoolListerExpansion allows custom methods to be added to // ExternalIPPoolLister. type ExternalIPPoolListerExpansion interface{} @@ -40,6 +44,14 @@ type GroupListerExpansion interface{} // GroupNamespaceLister. type GroupNamespaceListerExpansion interface{} +// NetworkPolicyListerExpansion allows custom methods to be added to +// NetworkPolicyLister. +type NetworkPolicyListerExpansion interface{} + +// NetworkPolicyNamespaceListerExpansion allows custom methods to be added to +// NetworkPolicyNamespaceLister. +type NetworkPolicyNamespaceListerExpansion interface{} + // TierListerExpansion allows custom methods to be added to // TierLister. type TierListerExpansion interface{} 
diff --git a/pkg/client/listers/crd/v1beta1/networkpolicy.go b/pkg/client/listers/crd/v1beta1/networkpolicy.go new file mode 100644 index 00000000000..9131f6fcdf2 --- /dev/null +++ b/pkg/client/listers/crd/v1beta1/networkpolicy.go 
@@ -0,0 +1,97 @@ +// Copyright 2023 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by lister-gen. DO NOT EDIT. + +package v1beta1 + +import ( + v1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// NetworkPolicyLister helps list NetworkPolicies. +// All objects returned here must be treated as read-only. +type NetworkPolicyLister interface { + // List lists all NetworkPolicies in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1beta1.NetworkPolicy, err error) + // NetworkPolicies returns an object that can list and get NetworkPolicies. + NetworkPolicies(namespace string) NetworkPolicyNamespaceLister + NetworkPolicyListerExpansion +} + +// networkPolicyLister implements the NetworkPolicyLister interface. +type networkPolicyLister struct { + indexer cache.Indexer +} + +// NewNetworkPolicyLister returns a new NetworkPolicyLister. +func NewNetworkPolicyLister(indexer cache.Indexer) NetworkPolicyLister { + return &networkPolicyLister{indexer: indexer} +} + +// List lists all NetworkPolicies in the indexer. 
+func (s *networkPolicyLister) List(selector labels.Selector) (ret []*v1beta1.NetworkPolicy, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1beta1.NetworkPolicy)) + }) + return ret, err +} + +// NetworkPolicies returns an object that can list and get NetworkPolicies. +func (s *networkPolicyLister) NetworkPolicies(namespace string) NetworkPolicyNamespaceLister { + return networkPolicyNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// NetworkPolicyNamespaceLister helps list and get NetworkPolicies. +// All objects returned here must be treated as read-only. +type NetworkPolicyNamespaceLister interface { + // List lists all NetworkPolicies in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1beta1.NetworkPolicy, err error) + // Get retrieves the NetworkPolicy from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1beta1.NetworkPolicy, error) + NetworkPolicyNamespaceListerExpansion +} + +// networkPolicyNamespaceLister implements the NetworkPolicyNamespaceLister +// interface. +type networkPolicyNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all NetworkPolicies in the indexer for a given namespace. +func (s networkPolicyNamespaceLister) List(selector labels.Selector) (ret []*v1beta1.NetworkPolicy, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1beta1.NetworkPolicy)) + }) + return ret, err +} + +// Get retrieves the NetworkPolicy from the indexer for a given namespace and name. 
+func (s networkPolicyNamespaceLister) Get(name string) (*v1beta1.NetworkPolicy, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1beta1.Resource("networkpolicy"), name) + } + return obj.(*v1beta1.NetworkPolicy), nil +} diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy.go b/pkg/controller/networkpolicy/antreanetworkpolicy.go index e45a2e1c012..e0af393993d 100644 --- a/pkg/controller/networkpolicy/antreanetworkpolicy.go +++ b/pkg/controller/networkpolicy/antreanetworkpolicy.go @@ -22,11 +22,11 @@ import ( "k8s.io/klog/v2" "antrea.io/antrea/pkg/apis/controlplane" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" antreatypes "antrea.io/antrea/pkg/controller/types" ) -func getANNPReference(annp *crdv1alpha1.NetworkPolicy) *controlplane.NetworkPolicyReference { +func getANNPReference(annp *crdv1beta1.NetworkPolicy) *controlplane.NetworkPolicyReference { return &controlplane.NetworkPolicyReference{ Type: controlplane.AntreaNetworkPolicy, Namespace: annp.Namespace, @@ -39,7 +39,7 @@ func getANNPReference(annp *crdv1alpha1.NetworkPolicy) *controlplane.NetworkPoli // the AntreaNetworkPolicy to trigger its process. func (n *NetworkPolicyController) addANNP(obj interface{}) { defer n.heartbeat("addANNP") - np := obj.(*crdv1alpha1.NetworkPolicy) + np := obj.(*crdv1beta1.NetworkPolicy) klog.Infof("Processing Antrea NetworkPolicy %s/%s ADD event", np.Namespace, np.Name) n.enqueueInternalNetworkPolicy(getANNPReference(np)) } 
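Review bot: The assertion `np := obj.(*crdv1beta1.NetworkPolicy)` in addANNP is unchecked, so if the informer feeding this handler is not moved to the v1beta1 type in the same change (its construction is outside this diff) the first ADD event would panic the handler instead of being logged and skipped, while deleteANNP in the next hunk already uses the checked form for the same reason. I would mirror that here and in updateANNP: `np, ok := obj.(*crdv1beta1.NetworkPolicy)` followed by `if !ok { klog.Errorf("Error decoding object when adding Antrea NetworkPolicy, invalid type: %v", obj); return }`. The same pattern applies to addCNP and updateCNP in clusternetworkpolicy.go further down this diff.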
@@ -48,7 +48,7 @@ func (n *NetworkPolicyController) addANNP(obj interface{}) { // of the AntreaNetworkPolicy to trigger its process. func (n *NetworkPolicyController) updateANNP(old, cur interface{}) { defer n.heartbeat("updateANNP") - curNP := cur.(*crdv1alpha1.NetworkPolicy) + curNP := cur.(*crdv1beta1.NetworkPolicy) klog.Infof("Processing Antrea NetworkPolicy %s/%s UPDATE event", curNP.Namespace, curNP.Name) n.enqueueInternalNetworkPolicy(getANNPReference(curNP)) } @@ -56,14 +56,14 @@ func (n *NetworkPolicyController) updateANNP(old, cur interface{}) { // deleteANNP receives AntreaNetworkPolicy DELETE events and enqueues a reference // of the AntreaNetworkPolicy to trigger its process. func (n *NetworkPolicyController) deleteANNP(old interface{}) { - np, ok := old.(*crdv1alpha1.NetworkPolicy) + np, ok := old.(*crdv1beta1.NetworkPolicy) if !ok { tombstone, ok := old.(cache.DeletedFinalStateUnknown) if !ok { klog.Errorf("Error decoding object when deleting Antrea NetworkPolicy, invalid type: %v", old) return } - np, ok = tombstone.Obj.(*crdv1alpha1.NetworkPolicy) + np, ok = tombstone.Obj.(*crdv1beta1.NetworkPolicy) if !ok { klog.Errorf("Error decoding object tombstone when deleting Antrea NetworkPolicy, invalid type: %v", tombstone.Obj) return 
@@ -75,10 +75,10 @@ func (n *NetworkPolicyController) deleteANNP(old interface{}) { } // processAntreaNetworkPolicy creates an internal NetworkPolicy instance -// corresponding to the crdv1alpha1.NetworkPolicy object. This method +// corresponding to the crdv1beta1.NetworkPolicy object. This method // does not commit the internal NetworkPolicy in store, instead returns an // instance to the caller. -func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *crdv1alpha1.NetworkPolicy) (*antreatypes.NetworkPolicy, map[string]*antreatypes.AppliedToGroup, map[string]*antreatypes.AddressGroup) { +func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *crdv1beta1.NetworkPolicy) (*antreatypes.NetworkPolicy, map[string]*antreatypes.AppliedToGroup, map[string]*antreatypes.AddressGroup) { appliedToPerRule := len(np.Spec.AppliedTo) == 0 // appliedToGroups tracks all distinct appliedToGroups referred to by the Antrea NetworkPolicy, // either in the spec section or in ingress/egress rules. @@ -174,7 +174,7 @@ func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *crdv1alpha1.Net return internalNetworkPolicy, appliedToGroups, addressGroups } -func (n *NetworkPolicyController) processAppliedTo(namespace string, appliedTo []crdv1alpha1.AppliedTo) []*antreatypes.AppliedToGroup { +func (n *NetworkPolicyController) processAppliedTo(namespace string, appliedTo []crdv1beta1.AppliedTo) []*antreatypes.AppliedToGroup { var appliedToGroups []*antreatypes.AppliedToGroup for _, at := range appliedTo { var atg *antreatypes.AppliedToGroup diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy_test.go b/pkg/controller/networkpolicy/antreanetworkpolicy_test.go index 89aa58503f6..62554de4402 100644 --- a/pkg/controller/networkpolicy/antreanetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/antreanetworkpolicy_test.go 
@@ -24,7 +24,7 @@ import ( "antrea.io/antrea/multicluster/controllers/multicluster/common" "antrea.io/antrea/pkg/apis/controlplane" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" antreatypes "antrea.io/antrea/pkg/controller/types" ) @@ -53,32 +53,32 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { }, }, } - allowAction := crdv1alpha1.RuleActionAllow + allowAction := crdv1beta1.RuleActionAllow protocolTCP := controlplane.ProtocolTCP tests := []struct { name string - inputPolicy *crdv1alpha1.NetworkPolicy + inputPolicy *crdv1beta1.NetworkPolicy expectedPolicy *antreatypes.NetworkPolicy expectedAppliedToGroups int expectedAddressGroups int }{ { name: "rules-with-same-selectors", - inputPolicy: &crdv1alpha1.NetworkPolicy{ + inputPolicy: &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "ns1", Name: "npA", UID: "uidA"}, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.NetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int80, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, NamespaceSelector: &selectorC, @@ -87,14 +87,14 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { Action: &allowAction, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int81, }, }, - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, NamespaceSelector: &selectorC, 
@@ -153,21 +153,21 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { }, { name: "rules-with-different-selectors", - inputPolicy: &crdv1alpha1.NetworkPolicy{ + inputPolicy: &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "ns2", Name: "npB", UID: "uidB"}, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.NetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int80, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, }, @@ -175,12 +175,12 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { Action: &allowAction, }, { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int81, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { NamespaceSelector: &selectorC, }, @@ -238,24 +238,24 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { }, { name: "appliedTo-per-rule", - inputPolicy: &crdv1alpha1.NetworkPolicy{ + inputPolicy: &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "ns3", Name: "npC", UID: "uidC"}, - Spec: crdv1alpha1.NetworkPolicySpec{ + Spec: crdv1beta1.NetworkPolicySpec{ AppliedTo: nil, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ { PodSelector: &selectorA, }, }, - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int80, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, }, 
@@ -263,17 +263,17 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { Action: &allowAction, }, { - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ { PodSelector: &selectorB, }, }, - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int81, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { NamespaceSelector: &selectorC, }, @@ -337,23 +337,23 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { }, { name: "with-port-range", - inputPolicy: &crdv1alpha1.NetworkPolicy{ + inputPolicy: &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "ns4", Name: "npD", UID: "uidD"}, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.NetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Protocol: &k8sProtocolTCP, Port: &int1000, EndPort: &int32For1999, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, NamespaceSelector: &selectorC, @@ -399,16 +399,16 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { }, { name: "rules-with-to-services", - inputPolicy: &crdv1alpha1.NetworkPolicy{ + inputPolicy: &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "ns5", Name: "npE", UID: "uidE"}, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.NetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - ToServices: []crdv1alpha1.PeerService{ + ToServices: []crdv1beta1.PeerService{ { Namespace: "ns5", Name: "svc1", 
@@ -452,19 +452,19 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { }, { name: "rules-with-to-mc-services", - inputPolicy: &crdv1alpha1.NetworkPolicy{ + inputPolicy: &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "ns5", Name: "npE2", UID: "uidE2"}, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.NetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - ToServices: []crdv1alpha1.PeerService{ + ToServices: []crdv1beta1.PeerService{ { Name: "svc1", - Scope: crdv1alpha1.ScopeClusterSet, + Scope: crdv1beta1.ScopeClusterSet, }, }, Action: &allowAction, @@ -505,21 +505,21 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { }, { name: "rules-with-nodeSelector", - inputPolicy: &crdv1alpha1.NetworkPolicy{ + inputPolicy: &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "ns6", Name: "npF", UID: "uidF"}, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.NetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int81, }, }, - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { NodeSelector: &selectorB, }, 
@@ -563,24 +563,24 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { }, { name: "rules-with-icmp-protocol", - inputPolicy: &crdv1alpha1.NetworkPolicy{ + inputPolicy: &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "ns7", Name: "npG", UID: "uidG"}, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.NetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - Protocols: []crdv1alpha1.NetworkPolicyProtocol{ + Protocols: []crdv1beta1.NetworkPolicyProtocol{ { - ICMP: &crdv1alpha1.ICMPProtocol{ + ICMP: &crdv1beta1.ICMPProtocol{ ICMPType: &icmpType8, ICMPCode: &icmpCode0, }, }, }, - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { NodeSelector: &selectorB, }, @@ -625,17 +625,17 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { }, { name: "with-l7Protocol", - inputPolicy: &crdv1alpha1.NetworkPolicy{ + inputPolicy: &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "ns8", Name: "npH", UID: "uidH"}, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.NetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - L7Protocols: []crdv1alpha1.L7Protocol{{HTTP: &crdv1alpha1.HTTPProtocol{Host: "test.com", Method: "GET", Path: "/admin"}}}, - From: []crdv1alpha1.NetworkPolicyPeer{ + L7Protocols: []crdv1beta1.L7Protocol{{HTTP: &crdv1beta1.HTTPProtocol{Host: "test.com", Method: "GET", Path: "/admin"}}}, + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, NamespaceSelector: &selectorC, 
@@ -675,21 +675,21 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { }, { name: "with-log-label", - inputPolicy: &crdv1alpha1.NetworkPolicy{ + inputPolicy: &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "ns9", Name: "npI", UID: "uidI"}, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.NetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int80, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, NamespaceSelector: &selectorC, @@ -786,15 +786,15 @@ func TestDeleteANNP(t *testing.T) { } // util functions for testing. -func getANNP() *crdv1alpha1.NetworkPolicy { +func getANNP() *crdv1beta1.NetworkPolicy { p10 := float64(10) - allowAction := crdv1alpha1.RuleActionAllow + allowAction := crdv1beta1.RuleActionAllow selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}} selectorB := metav1.LabelSelector{MatchLabels: map[string]string{"foo2": "bar2"}} selectorC := metav1.LabelSelector{MatchLabels: map[string]string{"foo3": "bar3"}} - ingressRules := []crdv1alpha1.Rule{ + ingressRules := []crdv1beta1.Rule{ { - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { NamespaceSelector: &selectorB, }, @@ -802,9 +802,9 @@ func getANNP() *crdv1alpha1.NetworkPolicy { Action: &allowAction, }, } - egressRules := []crdv1alpha1.Rule{ + egressRules := []crdv1beta1.Rule{ { - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { ExternalEntitySelector: &selectorC, }, 
@@ -812,10 +812,10 @@ func getANNP() *crdv1alpha1.NetworkPolicy { Action: &allowAction, }, } - npObj := &crdv1alpha1.NetworkPolicy{ + npObj := &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "test-ns", Name: "test-annp"}, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.NetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, diff --git a/pkg/controller/networkpolicy/clustergroup.go b/pkg/controller/networkpolicy/clustergroup.go index ed29e637386..079065114c2 100644 --- a/pkg/controller/networkpolicy/clustergroup.go +++ b/pkg/controller/networkpolicy/clustergroup.go @@ -26,7 +26,6 @@ import ( "k8s.io/klog/v2" "antrea.io/antrea/pkg/apis/controlplane" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" "antrea.io/antrea/pkg/controller/networkpolicy/store" antreatypes "antrea.io/antrea/pkg/controller/types" @@ -305,7 +304,7 @@ func (c *NetworkPolicyController) triggerCNPUpdates(cg string) { return } for _, obj := range cnps { - c.enqueueInternalNetworkPolicy(getACNPReference(obj.(*crdv1alpha1.ClusterNetworkPolicy))) + c.enqueueInternalNetworkPolicy(getACNPReference(obj.(*crdv1beta1.ClusterNetworkPolicy))) } } diff --git a/pkg/controller/networkpolicy/clustergroup_test.go b/pkg/controller/networkpolicy/clustergroup_test.go index a6f8fef8746..e273c4adb65 100644 --- a/pkg/controller/networkpolicy/clustergroup_test.go +++ b/pkg/controller/networkpolicy/clustergroup_test.go @@ -27,7 +27,6 @@ import ( "k8s.io/apimachinery/pkg/util/sets" "antrea.io/antrea/pkg/apis/controlplane" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" crdv1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2" crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" antreatypes "antrea.io/antrea/pkg/controller/types" 
@@ -103,7 +102,7 @@ func TestProcessClusterGroup(t *testing.T) { inputGroup: &crdv1beta1.ClusterGroup{ ObjectMeta: metav1.ObjectMeta{Name: "cgD", UID: "uidD"}, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ { CIDR: cidr, }, @@ -130,7 +129,7 @@ func TestProcessClusterGroup(t *testing.T) { inputGroup: &crdv1beta1.ClusterGroup{ ObjectMeta: metav1.ObjectMeta{Name: "cgE", UID: "uidE"}, Spec: crdv1beta1.GroupSpec{ - ServiceReference: &crdv1alpha1.NamespacedName{ + ServiceReference: &crdv1beta1.NamespacedName{ Name: "test-svc", Namespace: "test-ns", }, @@ -245,7 +244,7 @@ func TestAddClusterGroup(t *testing.T) { inputGroup: &crdv1beta1.ClusterGroup{ ObjectMeta: metav1.ObjectMeta{Name: "cgD", UID: "uidD"}, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ { CIDR: cidr, }, @@ -356,7 +355,7 @@ func TestUpdateClusterGroup(t *testing.T) { updatedGroup: &crdv1beta1.ClusterGroup{ ObjectMeta: metav1.ObjectMeta{Name: "cgA", UID: "uidA"}, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ { CIDR: cidr, }, @@ -383,7 +382,7 @@ func TestUpdateClusterGroup(t *testing.T) { updatedGroup: &crdv1beta1.ClusterGroup{ ObjectMeta: metav1.ObjectMeta{Name: "cgA", UID: "uidA"}, Spec: crdv1beta1.GroupSpec{ - ServiceReference: &crdv1alpha1.NamespacedName{ + ServiceReference: &crdv1beta1.NamespacedName{ Name: "test-svc", Namespace: "test-ns", }, 
@@ -928,23 +927,23 @@ func TestGetGroupMembers(t *testing.T) { func TestSyncInternalGroup(t *testing.T) { p10 := float64(10) p20 := float64(20) - allowAction := crdv1alpha1.RuleActionAllow + allowAction := crdv1beta1.RuleActionAllow cgName := "cgA" cgUID := types.UID("uidA") cg := &crdv1beta1.ClusterGroup{ ObjectMeta: metav1.ObjectMeta{Name: cgName, UID: cgUID}, Spec: crdv1beta1.GroupSpec{NamespaceSelector: &selectorA}, } - cnp1 := &crdv1alpha1.ClusterNetworkPolicy{ + cnp1 := &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnp1", UID: "uid1"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorB}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ {Group: cgName}, }, Action: &allowAction, @@ -952,16 +951,16 @@ func TestSyncInternalGroup(t *testing.T) { }, }, } - cnp2 := &crdv1alpha1.ClusterNetworkPolicy{ + cnp2 := &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnp2", UID: "uid2"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorC}, }, Priority: p20, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ {Group: cgName}, }, Action: &allowAction, @@ -1129,7 +1128,7 @@ func TestGetAssociatedIPBlockGroups(t *testing.T) { cg1 := &crdv1beta1.ClusterGroup{ ObjectMeta: metav1.ObjectMeta{Name: "ipBlockGrp1", UID: "UID1"}, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ {CIDR: "172.60.0.0/16"}, }, }, 
@@ -1137,7 +1136,7 @@ func TestGetAssociatedIPBlockGroups(t *testing.T) { cg2 := &crdv1beta1.ClusterGroup{ ObjectMeta: metav1.ObjectMeta{Name: "ipBlockGrp2", UID: "UID2"}, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ {CIDR: "172.60.2.0/24"}, }, }, diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go index d11d63c7796..ae595fd9135 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy.go @@ -25,7 +25,7 @@ import ( "k8s.io/klog/v2" "antrea.io/antrea/pkg/apis/controlplane" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" "antrea.io/antrea/pkg/controller/grouping" "antrea.io/antrea/pkg/controller/networkpolicy/store" antreatypes "antrea.io/antrea/pkg/controller/types" @@ -33,7 +33,7 @@ import ( utilsets "antrea.io/antrea/pkg/util/sets" ) -func getACNPReference(cnp *crdv1alpha1.ClusterNetworkPolicy) *controlplane.NetworkPolicyReference { +func getACNPReference(cnp *crdv1beta1.ClusterNetworkPolicy) *controlplane.NetworkPolicyReference { return &controlplane.NetworkPolicyReference{ Type: controlplane.AntreaClusterNetworkPolicy, Name: cnp.Name, @@ -45,7 +45,7 @@ func getACNPReference(cnp *crdv1alpha1.ClusterNetworkPolicy) *controlplane.Netwo // the ClusterNetworkPolicy to trigger its process. func (n *NetworkPolicyController) addCNP(obj interface{}) { defer n.heartbeat("addCNP") - cnp := obj.(*crdv1alpha1.ClusterNetworkPolicy) + cnp := obj.(*crdv1beta1.ClusterNetworkPolicy) klog.Infof("Processing ClusterNetworkPolicy %s ADD event", cnp.Name) n.enqueueInternalNetworkPolicy(getACNPReference(cnp)) } 
@@ -54,7 +54,7 @@ func (n *NetworkPolicyController) addCNP(obj interface{}) { // reference of the ClusterNetworkPolicy to trigger its process. func (n *NetworkPolicyController) updateCNP(_, cur interface{}) { defer n.heartbeat("updateACNP") - curCNP := cur.(*crdv1alpha1.ClusterNetworkPolicy) + curCNP := cur.(*crdv1beta1.ClusterNetworkPolicy) klog.Infof("Processing ClusterNetworkPolicy %s UPDATE event", curCNP.Name) n.enqueueInternalNetworkPolicy(getACNPReference(curCNP)) } @@ -62,14 +62,14 @@ func (n *NetworkPolicyController) updateCNP(_, cur interface{}) { // deleteCNP receives ClusterNetworkPolicy DELETE events and enqueues a // reference of the ClusterNetworkPolicy to trigger its process. func (n *NetworkPolicyController) deleteCNP(old interface{}) { - cnp, ok := old.(*crdv1alpha1.ClusterNetworkPolicy) + cnp, ok := old.(*crdv1beta1.ClusterNetworkPolicy) if !ok { tombstone, ok := old.(cache.DeletedFinalStateUnknown) if !ok { klog.Errorf("Error decoding object when deleting ClusterNetworkPolicy, invalid type: %v", old) return } - cnp, ok = tombstone.Obj.(*crdv1alpha1.ClusterNetworkPolicy) + cnp, ok = tombstone.Obj.(*crdv1beta1.ClusterNetworkPolicy) if !ok { klog.Errorf("Error decoding object tombstone when deleting ClusterNetworkPolicy, invalid type: %v", tombstone.Obj) return @@ -83,7 +83,7 @@ func (n *NetworkPolicyController) deleteCNP(old interface{}) { // filterPerNamespaceRuleACNPsByNSLabels gets all ClusterNetworkPolicy names that will need to be // re-processed based on the entire label set of an added/updated/deleted Namespace. func (n *NetworkPolicyController) filterPerNamespaceRuleACNPsByNSLabels(nsLabels labels.Set) sets.Set[string] { - namespaceLabelMatches := func(peers []crdv1alpha1.AppliedTo) bool { + namespaceLabelMatches := func(peers []crdv1beta1.AppliedTo) bool { for _, peer := range peers { nsLabelSelector := peer.NamespaceSelector if peer.Group != "" { 
@@ -109,9 +109,9 @@ func (n *NetworkPolicyController) filterPerNamespaceRuleACNPsByNSLabels(nsLabels return false } - peerNamespacesSelectorExists := func(peers []crdv1alpha1.NetworkPolicyPeer) bool { + peerNamespacesSelectorExists := func(peers []crdv1beta1.NetworkPolicyPeer) bool { for _, peer := range peers { - if peer.Namespaces != nil && peer.Namespaces.Match == crdv1alpha1.NamespaceMatchSelf { + if peer.Namespaces != nil && peer.Namespaces.Match == crdv1beta1.NamespaceMatchSelf { return true } } @@ -121,7 +121,7 @@ func (n *NetworkPolicyController) filterPerNamespaceRuleACNPsByNSLabels(nsLabels affectedPolicies := sets.New[string]() objs, _ := n.acnpInformer.Informer().GetIndexer().ByIndex(perNamespaceRuleIndex, HasPerNamespaceRule) for _, obj := range objs { - cnp := obj.(*crdv1alpha1.ClusterNetworkPolicy) + cnp := obj.(*crdv1beta1.ClusterNetworkPolicy) if affected := func() bool { if len(cnp.Spec.AppliedTo) > 0 { // The policy has only spec level AppliedTo. 
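Review bot: The error returned by `ByIndex` two lines above the changed assertion is still discarded (`objs, _ := n.acnpInformer.Informer().GetIndexer().ByIndex(...)`), so if `perNamespaceRuleIndex` is ever not registered on the v1beta1 informer this function quietly returns an empty set and a Namespace label change stops re-evaluating per-namespace ACNP rules, leaving stale policy in place with nothing in the logs. Since the informer is being rewired in this upgrade, I would at least surface it: `objs, err := n.acnpInformer.Informer().GetIndexer().ByIndex(perNamespaceRuleIndex, HasPerNamespaceRule)` then `if err != nil { klog.Errorf("Failed to list ClusterNetworkPolicies by index %s: %v", perNamespaceRuleIndex, err); return affectedPolicies }`. The enclosing filterPerNamespaceRuleACNPsByNSLabels starts and ends outside this hunk.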
@@ -318,12 +318,12 @@ func (c *NetworkPolicyController) updateNode(oldObj, newObj interface{}) { } // processClusterNetworkPolicy creates an internal NetworkPolicy instance -// corresponding to the crdv1alpha1.ClusterNetworkPolicy object. This method +// corresponding to the crdv1beta1.ClusterNetworkPolicy object. This method // does not commit the internal NetworkPolicy in store, instead returns an // instance to the caller wherein, it will be either stored as a new Object // in case of ADD event or modified and store the updated instance, in case // of an UPDATE event. -func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1alpha1.ClusterNetworkPolicy) (*antreatypes.NetworkPolicy, map[string]*antreatypes.AppliedToGroup, map[string]*antreatypes.AddressGroup) { +func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1beta1.ClusterNetworkPolicy) (*antreatypes.NetworkPolicy, map[string]*antreatypes.AppliedToGroup, map[string]*antreatypes.AddressGroup) { hasPerNamespaceRule := hasPerNamespaceRule(cnp) // If one of the ACNP rule is a per-namespace rule (a peer in that rule has namespaces.Match set // to Self), the policy will need to be converted to appliedTo per rule policy, as the appliedTo @@ -363,7 +363,7 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1alpha1.C } } var rules []controlplane.NetworkPolicyRule - processRules := func(cnpRules []crdv1alpha1.Rule, direction controlplane.Direction) { + processRules := func(cnpRules []crdv1beta1.Rule, direction controlplane.Direction) { for idx, cnpRule := range cnpRules { services, namedPortExists := toAntreaServicesForCRD(cnpRule.Ports, cnpRule.Protocols) clusterPeers, perNSPeers := splitPeersByScope(cnpRule, direction) 
@@ -481,17 +481,17 @@ func serviceAccountNameToPodSelector(saName string) *metav1.LabelSelector { } // hasPerNamespaceRule returns true if there is at least one per-namespace rule -func hasPerNamespaceRule(cnp *crdv1alpha1.ClusterNetworkPolicy) bool { +func hasPerNamespaceRule(cnp *crdv1beta1.ClusterNetworkPolicy) bool { for _, ingress := range cnp.Spec.Ingress { for _, peer := range ingress.From { - if peer.Namespaces != nil && peer.Namespaces.Match == crdv1alpha1.NamespaceMatchSelf { + if peer.Namespaces != nil && peer.Namespaces.Match == crdv1beta1.NamespaceMatchSelf { return true } } } for _, egress := range cnp.Spec.Egress { for _, peer := range egress.To { - if peer.Namespaces != nil && peer.Namespaces.Match == crdv1alpha1.NamespaceMatchSelf { + if peer.Namespaces != nil && peer.Namespaces.Match == crdv1beta1.NamespaceMatchSelf { return true } } @@ -501,7 +501,7 @@ func hasPerNamespaceRule(cnp *crdv1alpha1.ClusterNetworkPolicy) bool { // processClusterAppliedTo processes appliedTo groups in Antrea ClusterNetworkPolicy set // at cluster level (appliedTo groups which will not need to be split by Namespaces). -func (n *NetworkPolicyController) processClusterAppliedTo(appliedTo []crdv1alpha1.AppliedTo) []*antreatypes.AppliedToGroup { +func (n *NetworkPolicyController) processClusterAppliedTo(appliedTo []crdv1beta1.AppliedTo) []*antreatypes.AppliedToGroup { var appliedToGroups []*antreatypes.AppliedToGroup for _, at := range appliedTo { var atg *antreatypes.AppliedToGroup 
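Review bot: The predicate `peer.Namespaces != nil && peer.Namespaces.Match == crdv1beta1.NamespaceMatchSelf` is rewritten by hand in both loops of hasPerNamespaceRule and again in peerNamespacesSelectorExists and splitPeersByScope in this diff, and an API-version migration is exactly when such copies drift (one site left on the old constant, or a new `Match` value added to only some of them). I would factor it into one helper next to hasPerNamespaceRule and call it from all four sites, as sketched below; hasPerNamespaceRule's trailing `return false` and closing brace are outside this hunk.
```go
// isPerNamespacePeer reports whether a rule peer must be evaluated per
// appliedTo Namespace, i.e. its namespaces.match is Self.
func isPerNamespacePeer(peer crdv1beta1.NetworkPolicyPeer) bool {
	return peer.Namespaces != nil && peer.Namespaces.Match == crdv1beta1.NamespaceMatchSelf
}

// hasPerNamespaceRule returns true if there is at least one per-namespace rule
func hasPerNamespaceRule(cnp *crdv1beta1.ClusterNetworkPolicy) bool {
	for _, ingress := range cnp.Spec.Ingress {
		for _, peer := range ingress.From {
			if isPerNamespacePeer(peer) {
				return true
			}
		}
	}
	// … unchanged: egress loop, with the same isPerNamespacePeer(peer) test …
```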
@@ -523,14 +523,14 @@ func (n *NetworkPolicyController) processClusterAppliedTo(appliedTo []crdv1alpha // splitPeersByScope splits the ClusterNetworkPolicy peers in the rule by whether the peer // is cluster-scoped or per-namespace. -func splitPeersByScope(rule crdv1alpha1.Rule, dir controlplane.Direction) ([]crdv1alpha1.NetworkPolicyPeer, []crdv1alpha1.NetworkPolicyPeer) { - var clusterPeers, perNSPeers []crdv1alpha1.NetworkPolicyPeer +func splitPeersByScope(rule crdv1beta1.Rule, dir controlplane.Direction) ([]crdv1beta1.NetworkPolicyPeer, []crdv1beta1.NetworkPolicyPeer) { + var clusterPeers, perNSPeers []crdv1beta1.NetworkPolicyPeer peers := rule.From if dir == controlplane.DirectionOut { peers = rule.To } for _, peer := range peers { - if peer.Namespaces != nil && peer.Namespaces.Match == crdv1alpha1.NamespaceMatchSelf { + if peer.Namespaces != nil && peer.Namespaces.Match == crdv1beta1.NamespaceMatchSelf { perNSPeers = append(perNSPeers, peer) } else { clusterPeers = append(clusterPeers, peer) @@ -541,7 +541,7 @@ func splitPeersByScope(rule crdv1alpha1.Rule, dir controlplane.Direction) ([]crd // getAffectedNamespacesForAppliedTo computes the Namespaces currently affected by the appliedTo // Namespace selectors. -func (n *NetworkPolicyController) getAffectedNamespacesForAppliedTo(appliedTo crdv1alpha1.AppliedTo) []string { +func (n *NetworkPolicyController) getAffectedNamespacesForAppliedTo(appliedTo crdv1beta1.AppliedTo) []string { var affectedNS []string nsLabelSelector := appliedTo.NamespaceSelector diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go index 0c57733922a..08c40914817 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go 
@@ -28,7 +28,6 @@ import ( "antrea.io/antrea/multicluster/controllers/multicluster/common" "antrea.io/antrea/pkg/apis/controlplane" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" antreatypes "antrea.io/antrea/pkg/controller/types" "antrea.io/antrea/pkg/util/k8s" @@ -81,11 +80,11 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { ipA := "1.1.1.1" - allowAction := crdv1alpha1.RuleActionAllow - dropAction := crdv1alpha1.RuleActionDrop + allowAction := crdv1beta1.RuleActionAllow + dropAction := crdv1beta1.RuleActionDrop protocolTCP := controlplane.ProtocolTCP - query := crdv1alpha1.IGMPQuery - report := crdv1alpha1.IGMPReportV1 + query := crdv1beta1.IGMPQuery + report := crdv1beta1.IGMPReportV1 selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}} selectorB := metav1.LabelSelector{MatchLabels: map[string]string{"foo2": "bar2"}} selectorC := metav1.LabelSelector{MatchLabels: map[string]string{"foo3": "bar3"}} @@ -100,28 +99,28 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { } tests := []struct { name string - inputPolicy *crdv1alpha1.ClusterNetworkPolicy + inputPolicy *crdv1beta1.ClusterNetworkPolicy expectedPolicy *antreatypes.NetworkPolicy expectedAppliedToGroups int expectedAddressGroups int }{ { name: "rules-with-same-selectors", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpA", UID: "uidA"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int80, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + 
From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, NamespaceSelector: &selectorC, @@ -130,14 +129,14 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { Action: &allowAction, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int81, }, }, - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, NamespaceSelector: &selectorC, @@ -195,21 +194,21 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "rules-with-different-selectors", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "", Name: "cnpB", UID: "uidB"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int80, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, }, @@ -217,12 +216,12 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { Action: &allowAction, }, { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int81, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { NamespaceSelector: &selectorC, }, 
@@ -279,17 +278,17 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "with-tier-A", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "", Name: "cnpC", UID: "uidC"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, Tier: tierA.Name, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, }, @@ -326,23 +325,23 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "with-port-range", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "", Name: "cnpD", UID: "uidD"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Protocol: &k8sProtocolTCP, Port: &int1000, EndPort: &int32For1999, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, }, 
@@ -386,17 +385,17 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "with-l7Protocol", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "", Name: "cnpE", UID: "uidE"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - L7Protocols: []crdv1alpha1.L7Protocol{{HTTP: &crdv1alpha1.HTTPProtocol{Host: "test.com", Method: "GET", Path: "/admin"}}}, - From: []crdv1alpha1.NetworkPolicyPeer{ + L7Protocols: []crdv1beta1.L7Protocol{{HTTP: &crdv1beta1.HTTPProtocol{Host: "test.com", Method: "GET", Path: "/admin"}}}, + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, }, @@ -434,24 +433,24 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "appliedTo-per-rule", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpH", UID: "uidH"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ AppliedTo: nil, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ { PodSelector: &selectorA, }, }, - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int80, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, }, 
@@ -459,18 +458,18 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { Action: &allowAction, }, { - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ { PodSelector: &selectorB, NamespaceSelector: &selectorC, }, }, - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int81, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { NamespaceSelector: &selectorC, }, @@ -533,21 +532,21 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "with-cluster-group-ingress-egress", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpI", UID: "uidI"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int80, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { Group: cgA.Name, }, @@ -555,14 +554,14 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { Action: &allowAction, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int81, }, }, - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { Group: cgA.Name, }, 
@@ -619,23 +618,23 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "with-applied-to-cluster-group-ingress-egress", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpI", UID: "uidI"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int80, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, }, }, - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ { Group: cgA.Name, }, @@ -643,19 +642,19 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { Action: &allowAction, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int81, }, }, - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, }, }, - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ { Group: cgA.Name, }, @@ -715,38 +714,38 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "with-per-namespace-rule", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpI", UID: "uidI"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &metav1.LabelSelector{}, }, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int80, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + 
From: []crdv1beta1.NetworkPolicyPeer{ { - Namespaces: &crdv1alpha1.PeerNamespaces{ - Match: crdv1alpha1.NamespaceMatchSelf, + Namespaces: &crdv1beta1.PeerNamespaces{ + Match: crdv1beta1.NamespaceMatchSelf, }, }, }, Action: &allowAction, }, { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int81, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { NamespaceSelector: &selectorA, }, @@ -825,27 +824,27 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "with-per-namespace-rule-applied-to-per-rule", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpJ", UID: "uidJ"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &selectorA, PodSelector: &selectorA, }, }, - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int80, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { - Namespaces: &crdv1alpha1.PeerNamespaces{ - Match: crdv1alpha1.NamespaceMatchSelf, + Namespaces: &crdv1beta1.PeerNamespaces{ + Match: crdv1beta1.NamespaceMatchSelf, }, PodSelector: &selectorA, }, @@ -853,20 +852,20 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { Action: &dropAction, }, { - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &selectorB, }, }, - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int81, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + 
From: []crdv1beta1.NetworkPolicyPeer{ { - Namespaces: &crdv1alpha1.PeerNamespaces{ - Match: crdv1alpha1.NamespaceMatchSelf, + Namespaces: &crdv1beta1.PeerNamespaces{ + Match: crdv1beta1.NamespaceMatchSelf, }, }, }, @@ -928,16 +927,16 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "rule-with-to-service", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpK", UID: "uidK"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - ToServices: []crdv1alpha1.PeerService{ + ToServices: []crdv1beta1.PeerService{ { Namespace: "nsA", Name: "svcA", @@ -980,20 +979,20 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "rule-with-to-mc-service", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpM", UID: "uidM"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - ToServices: []crdv1alpha1.PeerService{ + ToServices: []crdv1beta1.PeerService{ { Namespace: "nsA", Name: "svcA", - Scope: crdv1alpha1.ScopeClusterSet, + Scope: crdv1beta1.ScopeClusterSet, }, }, Action: &dropAction, 
@@ -1033,21 +1032,21 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "applied-to-with-service-account-namespaced-name", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpL", UID: "uidL"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { - ServiceAccount: &crdv1alpha1.NamespacedName{ + ServiceAccount: &crdv1beta1.NamespacedName{ Name: saA.Name, Namespace: saA.Namespace, }, }, }, Priority: p10, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - ToServices: []crdv1alpha1.PeerService{ + ToServices: []crdv1beta1.PeerService{ { Namespace: "nsA", Name: "svcA", @@ -1090,20 +1089,20 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "rule-with-service-account-namespaced-name", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpP", UID: "uidP"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { PodSelector: &selectorA, }, }, Priority: p10, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { - ServiceAccount: &crdv1alpha1.NamespacedName{ + ServiceAccount: &crdv1beta1.NamespacedName{ Name: saA.Name, Namespace: saA.Namespace, }, 
@@ -1141,21 +1140,21 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "rule-applied-to-with-service-account-namespaced-name", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpQ", UID: "uidQ"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ Priority: p10, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorA, }, }, Action: &dropAction, - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ { - ServiceAccount: &crdv1alpha1.NamespacedName{ + ServiceAccount: &crdv1beta1.NamespacedName{ Name: saA.Name, Namespace: saA.Namespace, }, @@ -1194,31 +1193,31 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "service-account-per-namespace-rule", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpR", UID: "uidR"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { - ServiceAccount: &crdv1alpha1.NamespacedName{ + ServiceAccount: &crdv1beta1.NamespacedName{ Name: saA.Name, Namespace: saA.Namespace, }, }, }, Priority: p10, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { - Namespaces: &crdv1alpha1.PeerNamespaces{ - Match: crdv1alpha1.NamespaceMatchSelf, + Namespaces: &crdv1beta1.PeerNamespaces{ + Match: crdv1beta1.NamespaceMatchSelf, }, }, }, Action: &dropAction, }, { - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { NamespaceSelector: &selectorB, }, 
@@ -1268,21 +1267,21 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "rule-with-node-selector", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpL", UID: "uidL"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int80, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { NodeSelector: &selectorA, }, @@ -1290,14 +1289,14 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { Action: &allowAction, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int81, }, }, - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { NodeSelector: &selectorB, }, @@ -1354,24 +1353,24 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "rules-with-icmp-protocol", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnp-icmp", UID: "uid-icmp"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Protocols: []crdv1alpha1.NetworkPolicyProtocol{ + Protocols: []crdv1beta1.NetworkPolicyProtocol{ { - ICMP: &crdv1alpha1.ICMPProtocol{ + ICMP: &crdv1beta1.ICMPProtocol{ ICMPType: &icmpType8, ICMPCode: &icmpCode0, }, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + 
From: []crdv1beta1.NetworkPolicyPeer{ { NodeSelector: &selectorB, }, @@ -1379,14 +1378,14 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { Action: &allowAction, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - Protocols: []crdv1alpha1.NetworkPolicyProtocol{ + Protocols: []crdv1beta1.NetworkPolicyProtocol{ { - ICMP: &crdv1alpha1.ICMPProtocol{}, + ICMP: &crdv1beta1.ICMPProtocol{}, }, }, - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { NodeSelector: &selectorA, }, @@ -1443,19 +1442,19 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "rule-with-igmp-query", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpL", UID: "uidL"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &dropAction, - Protocols: []crdv1alpha1.NetworkPolicyProtocol{ + Protocols: []crdv1beta1.NetworkPolicyProtocol{ { - IGMP: &crdv1alpha1.IGMPProtocol{ + IGMP: &crdv1beta1.IGMPProtocol{ IGMPType: &query, GroupAddress: queryAddr, }, 
@@ -1502,19 +1501,19 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "rule-with-igmp-report", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpL", UID: "uidL"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { Action: &dropAction, - Protocols: []crdv1alpha1.NetworkPolicyProtocol{ + Protocols: []crdv1beta1.NetworkPolicyProtocol{ { - IGMP: &crdv1alpha1.IGMPProtocol{ + IGMP: &crdv1beta1.IGMPProtocol{ IGMPType: &report, GroupAddress: reportAddr, }, @@ -1561,24 +1560,24 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "appliedTo-service", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpM", UID: "uidM"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ AppliedTo: nil, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ { - Service: &crdv1alpha1.NamespacedName{ + Service: &crdv1beta1.NamespacedName{ Name: svcA.Name, Namespace: svcA.Namespace, }, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { - IPBlock: &crdv1alpha1.IPBlock{ + IPBlock: &crdv1beta1.IPBlock{ CIDR: ipA + "/32", }, }, 
@@ -1627,21 +1626,21 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "with-log-label", - inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpN", UID: "uidN"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int80, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, NamespaceSelector: &selectorC, @@ -1801,7 +1800,7 @@ func TestProcessRefGroupOrClusterGroup(t *testing.T) { cgB := crdv1beta1.ClusterGroup{ ObjectMeta: metav1.ObjectMeta{Name: "cgB", UID: "uidB"}, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ { CIDR: cidr, }, @@ -1838,7 +1837,7 @@ func TestProcessRefGroupOrClusterGroup(t *testing.T) { gB := crdv1beta1.Group{ ObjectMeta: metav1.ObjectMeta{Namespace: "nsB", Name: "gB", UID: "uidGB"}, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ { CIDR: cidr, }, @@ -1961,15 +1960,15 @@ func TestProcessRefGroupOrClusterGroup(t *testing.T) { // util functions for testing. -func getCNP() *crdv1alpha1.ClusterNetworkPolicy { +func getCNP() *crdv1beta1.ClusterNetworkPolicy { p10 := float64(10) - allowAction := crdv1alpha1.RuleActionAllow + allowAction := crdv1beta1.RuleActionAllow selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}} selectorB := metav1.LabelSelector{MatchLabels: map[string]string{"foo2": "bar2"}} selectorC := metav1.LabelSelector{MatchLabels: map[string]string{"foo3": "bar3"}} - ingressRules := []crdv1alpha1.Rule{ + ingressRules := []crdv1beta1.Rule{ { - 
From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { NamespaceSelector: &selectorB, }, @@ -1977,9 +1976,9 @@ func getCNP() *crdv1alpha1.ClusterNetworkPolicy { Action: &allowAction, }, } - egressRules := []crdv1alpha1.Rule{ + egressRules := []crdv1beta1.Rule{ { - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorC, }, @@ -1987,10 +1986,10 @@ func getCNP() *crdv1alpha1.ClusterNetworkPolicy { Action: &allowAction, }, } - npObj := &crdv1alpha1.ClusterNetworkPolicy{ + npObj := &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "test-cnp"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorA}, }, Priority: p10, @@ -2006,65 +2005,65 @@ func TestFilterPerNamespaceRuleACNPsByNSLabels(t *testing.T) { ObjectMeta: metav1.ObjectMeta{Name: "group1"}, Spec: crdv1beta1.GroupSpec{NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"foo2": "bar2"}}}, } - cnpWithSpecAppliedTo := &crdv1alpha1.ClusterNetworkPolicy{ + cnpWithSpecAppliedTo := &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnp-with-spec-appliedTo"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}}}, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - From: []crdv1alpha1.NetworkPolicyPeer{ - {Namespaces: &crdv1alpha1.PeerNamespaces{Match: crdv1alpha1.NamespaceMatchSelf}}, + 
From: []crdv1beta1.NetworkPolicyPeer{ + {Namespaces: &crdv1beta1.PeerNamespaces{Match: crdv1beta1.NamespaceMatchSelf}}, }, }, }, }, } - cnpWithRuleAppliedTo := &crdv1alpha1.ClusterNetworkPolicy{ + cnpWithRuleAppliedTo := &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnp-with-rule-appliedTo"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - Ingress: []crdv1alpha1.Rule{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + Ingress: []crdv1beta1.Rule{ { - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ {Group: group.Name}, }, - From: []crdv1alpha1.NetworkPolicyPeer{ - {Namespaces: &crdv1alpha1.PeerNamespaces{Match: crdv1alpha1.NamespaceMatchSelf}}, + From: []crdv1beta1.NetworkPolicyPeer{ + {Namespaces: &crdv1beta1.PeerNamespaces{Match: crdv1beta1.NamespaceMatchSelf}}, }, }, { - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ {NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"foo3": "bar3"}}}, }, - From: []crdv1alpha1.NetworkPolicyPeer{ - {IPBlock: &crdv1alpha1.IPBlock{CIDR: "10.0.0.0/8"}}, + 
From: []crdv1beta1.NetworkPolicyPeer{ + {IPBlock: &crdv1beta1.IPBlock{CIDR: "10.0.0.0/8"}}, }, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ {Group: "non-existing-group"}, {NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"foo4": "bar4"}}}, }, - To: []crdv1alpha1.NetworkPolicyPeer{ - {Namespaces: &crdv1alpha1.PeerNamespaces{Match: crdv1alpha1.NamespaceMatchSelf}}, + To: []crdv1beta1.NetworkPolicyPeer{ + {Namespaces: &crdv1beta1.PeerNamespaces{Match: crdv1beta1.NamespaceMatchSelf}}, }, }, }, }, } - cnpMatchAllNamespaces := &crdv1alpha1.ClusterNetworkPolicy{ + cnpMatchAllNamespaces := &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnp3-match-all-namespaces"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"foo": "bar"}}}, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - From: []crdv1alpha1.NetworkPolicyPeer{ - {Namespaces: &crdv1alpha1.PeerNamespaces{Match: crdv1alpha1.NamespaceMatchSelf}}, + From: []crdv1beta1.NetworkPolicyPeer{ + {Namespaces: &crdv1beta1.PeerNamespaces{Match: crdv1beta1.NamespaceMatchSelf}}, }, }, }, diff --git a/pkg/controller/networkpolicy/crd_utils.go b/pkg/controller/networkpolicy/crd_utils.go index 788d111ac5f..801470383e4 100644 --- a/pkg/controller/networkpolicy/crd_utils.go +++ b/pkg/controller/networkpolicy/crd_utils.go 
@@ -27,16 +27,15 @@ import ( "antrea.io/antrea/multicluster/controllers/multicluster/common" "antrea.io/antrea/pkg/apis/controlplane" - "antrea.io/antrea/pkg/apis/crd/v1alpha1" crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" antreatypes "antrea.io/antrea/pkg/controller/types" "antrea.io/antrea/pkg/util/k8s" ) var ( - // matchAllPodsPeerCrd is a v1alpha1.NetworkPolicyPeer matching all + // matchAllPodsPeerCrd is a crdv1beta1.NetworkPolicyPeer matching all // Pods from all Namespaces. - matchAllPodsPeerCrd = v1alpha1.NetworkPolicyPeer{ + matchAllPodsPeerCrd = crdv1beta1.NetworkPolicyPeer{ NamespaceSelector: &metav1.LabelSelector{}, } ) @@ -46,7 +45,7 @@ var ( // comparing NetworkPolicyCondition in NetworkPolicyStatus objects to avoid // unnecessary updates caused different status generation time. var semanticIgnoreLastTransitionTime = conversion.EqualitiesOrDie( - func(a, b v1alpha1.NetworkPolicyCondition) bool { + func(a, b crdv1beta1.NetworkPolicyCondition) bool { a.LastTransitionTime = metav1.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC) b.LastTransitionTime = metav1.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC) return a == b @@ -55,7 +54,7 @@ var semanticIgnoreLastTransitionTime = conversion.EqualitiesOrDie( // NetworkPolicyStatusEqual compares two NetworkPolicyStatus objects. It disregards // the LastTransitionTime field in the status Conditions. -func NetworkPolicyStatusEqual(oldStatus, newStatus v1alpha1.NetworkPolicyStatus) bool { +func NetworkPolicyStatusEqual(oldStatus, newStatus crdv1beta1.NetworkPolicyStatus) bool { return semanticIgnoreLastTransitionTime.DeepEqual(oldStatus, newStatus) } 
@@ -72,11 +71,11 @@ func groupMembersComputedConditionEqual(conds []crdv1beta1.GroupCondition, condi return false } -// toAntreaServicesForCRD converts a slice of v1alpha1.NetworkPolicyPort objects -// and a slice of v1alpha1.NetworkPolicyProtocol objects to a slice of Antrea +// toAntreaServicesForCRD converts a slice of crdv1beta1.NetworkPolicyPort objects +// and a slice of v1beta1.NetworkPolicyProtocol objects to a slice of Antrea // Service objects. A bool is returned along with the Service objects to indicate // whether any named port exists. -func toAntreaServicesForCRD(npPorts []v1alpha1.NetworkPolicyPort, npProtocols []v1alpha1.NetworkPolicyProtocol) ([]controlplane.Service, bool) { +func toAntreaServicesForCRD(npPorts []crdv1beta1.NetworkPolicyPort, npProtocols []crdv1beta1.NetworkPolicyProtocol) ([]controlplane.Service, bool) { var antreaServices []controlplane.Service var namedPortExists bool for _, npPort := range npPorts { @@ -112,9 +111,9 @@ func toAntreaServicesForCRD(npPorts []v1alpha1.NetworkPolicyPort, npProtocols [] return antreaServices, namedPortExists } -// toAntreaL7ProtocolsForCRD converts a slice of v1alpha1.L7Protocol objects to +// toAntreaL7ProtocolsForCRD converts a slice of v1beta1.L7Protocol objects to // a slice of Antrea L7Protocol objects. -func toAntreaL7ProtocolsForCRD(l7Protocols []v1alpha1.L7Protocol) []controlplane.L7Protocol { +func toAntreaL7ProtocolsForCRD(l7Protocols []crdv1beta1.L7Protocol) []controlplane.L7Protocol { var antreaL7Protocols []controlplane.L7Protocol for _, l7p := range l7Protocols { antreaL7Protocols = append(antreaL7Protocols, controlplane.L7Protocol{ 
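Review bot: The rewritten doc comments mix two package qualifiers: toAntreaServicesForCRD's comment says `crdv1beta1.NetworkPolicyPort` on one line and `v1beta1.NetworkPolicyProtocol` on the next, and toAntreaL7ProtocolsForCRD's comment says `v1beta1.L7Protocol`, while this file imports the package only under the alias crdv1beta1 (the earlier import hunk of crd_utils.go drops the unaliased v1alpha1 import). Using the alias consistently keeps the comments greppable against the code: `// and a slice of crdv1beta1.NetworkPolicyProtocol objects to a slice of Antrea` and `// toAntreaL7ProtocolsForCRD converts a slice of crdv1beta1.L7Protocol objects to`. The bodies of both functions run past the hunk.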
@@ -125,8 +124,8 @@ func toAntreaL7ProtocolsForCRD(l7Protocols []v1alpha1.L7Protocol) []controlplane return antreaL7Protocols } -// toAntreaIPBlockForCRD converts a v1alpha1.IPBlock to an Antrea IPBlock. -func toAntreaIPBlockForCRD(ipBlock *v1alpha1.IPBlock) (*controlplane.IPBlock, error) { +// toAntreaIPBlockForCRD converts a crdv1beta1.IPBlock to an Antrea IPBlock. +func toAntreaIPBlockForCRD(ipBlock *crdv1beta1.IPBlock) (*controlplane.IPBlock, error) { // Convert the allowed IPBlock to networkpolicy.IPNet. ipNet, err := cidrStrToIPNet(ipBlock.CIDR) if err != nil { @@ -140,12 +139,12 @@ func toAntreaIPBlockForCRD(ipBlock *v1alpha1.IPBlock) (*controlplane.IPBlock, er return antreaIPBlock, nil } -// toAntreaPeerForCRD creates an Antrea controlplane NetworkPolicyPeer for crdv1alpha1 NetworkPolicyPeer. +// toAntreaPeerForCRD creates an Antrea controlplane NetworkPolicyPeer for crdv1beta1 NetworkPolicyPeer. // It is used when peer's Namespaces are not matched by NamespaceMatchTypes, for which the controlplane // NetworkPolicyPeers will need to be created on a per-Namespace basis. // Any ClusterSet scoped selector in this peer will also be registered with the labelIdentityInterface // for the policy. -func (n *NetworkPolicyController) toAntreaPeerForCRD(peers []v1alpha1.NetworkPolicyPeer, +func (n *NetworkPolicyController) toAntreaPeerForCRD(peers []crdv1beta1.NetworkPolicyPeer, np metav1.Object, dir controlplane.Direction, namedPortExists bool) (*controlplane.NetworkPolicyPeer, []*antreatypes.AddressGroup, sets.Set[string]) { var addressGroups []*antreatypes.AddressGroup // NetworkPolicyPeer is supposed to match all addresses when it is empty and no clusterGroup is present. 
@@ -172,7 +171,7 @@ func (n *NetworkPolicyController) toAntreaPeerForCRD(peers []v1alpha1.NetworkPol uniqueLabelIDs := map[uint32]struct{}{} clusterSetScopeSelectorKeys := sets.New[string]() for _, peer := range peers { - // A v1alpha1.NetworkPolicyPeer will have exactly one of the following fields set: + // A crdv1beta1.NetworkPolicyPeer will have exactly one of the following fields set: // - podSelector and/or namespaceSelector (in-cluster scope or ClusterSet scope) // - reference to a Group/ClusterGroup // - IPBlocks @@ -202,7 +201,7 @@ func (n *NetworkPolicyController) toAntreaPeerForCRD(peers []v1alpha1.NetworkPol addressGroup := n.createAddressGroup(np.GetNamespace(), peer.PodSelector, peer.NamespaceSelector, peer.ExternalEntitySelector, nil) addressGroups = append(addressGroups, addressGroup) } - if n.stretchNPEnabled && peer.Scope == v1alpha1.ScopeClusterSet { + if n.stretchNPEnabled && peer.Scope == crdv1beta1.ScopeClusterSet { newClusterSetScopeSelector := antreatypes.NewGroupSelector(np.GetNamespace(), peer.PodSelector, peer.NamespaceSelector, nil, nil) clusterSetScopeSelectorKeys.Insert(newClusterSetScopeSelector.NormalizedName) // In addition to getting the matched Label Identity IDs, AddSelector also registers the selector 
@@ -224,10 +223,10 @@ func (n *NetworkPolicyController) toAntreaPeerForCRD(peers []v1alpha1.NetworkPol }, addressGroups, clusterSetScopeSelectorKeys } -// toNamespacedPeerForCRD creates an Antrea controlplane NetworkPolicyPeer for crdv1alpha1 NetworkPolicyPeer -// for a particular Namespace. It is used when a single crdv1alpha1 NetworkPolicyPeer maps to multiple +// toNamespacedPeerForCRD creates an Antrea controlplane NetworkPolicyPeer for crdv1beta1 NetworkPolicyPeer +// for a particular Namespace. It is used when a single crdv1beta1 NetworkPolicyPeer maps to multiple // controlplane NetworkPolicyPeers because the appliedTo workloads reside in different Namespaces. -func (n *NetworkPolicyController) toNamespacedPeerForCRD(peers []v1alpha1.NetworkPolicyPeer, +func (n *NetworkPolicyController) toNamespacedPeerForCRD(peers []crdv1beta1.NetworkPolicyPeer, np metav1.Object, namespace string) (*controlplane.NetworkPolicyPeer, []*antreatypes.AddressGroup, sets.Set[string]) { var addressGroups []*antreatypes.AddressGroup var labelIdentities []uint32 @@ -236,7 +235,7 @@ func (n *NetworkPolicyController) toNamespacedPeerForCRD(peers []v1alpha1.Networ for _, peer := range peers { addressGroup := n.createAddressGroup(namespace, peer.PodSelector, nil, peer.ExternalEntitySelector, nil) addressGroups = append(addressGroups, addressGroup) - if n.stretchNPEnabled && peer.Scope == v1alpha1.ScopeClusterSet { + if n.stretchNPEnabled && peer.Scope == crdv1beta1.ScopeClusterSet { newClusterSetScopeSelector := antreatypes.NewGroupSelector(namespace, peer.PodSelector, nil, peer.ExternalEntitySelector, nil) clusterSetScopeSelectorKeys.Insert(newClusterSetScopeSelector.NormalizedName) // In addition to getting the matched Label Identity IDs, AddSelector also registers the selector 
@@ -256,16 +255,16 @@ func (n *NetworkPolicyController) toNamespacedPeerForCRD(peers []v1alpha1.Networ } // svcRefToPeerForCRD creates an Antrea controlplane NetworkPolicyPeer from ServiceReferences in ToServices -// or ToMulticlusterServices field of a crdv1alpha1 NetworkPolicyPeer. For ANNP NetworkPolicyPeers, if +// or ToMulticlusterServices field of a crdv1beta1 NetworkPolicyPeer. For ANNP NetworkPolicyPeers, if // Namespace is not provided in the ServiceReference, the policy's Namespace will be assumed. -func (n *NetworkPolicyController) svcRefToPeerForCRD(svcRefs []v1alpha1.PeerService, defaultNamespace string) *controlplane.NetworkPolicyPeer { +func (n *NetworkPolicyController) svcRefToPeerForCRD(svcRefs []crdv1beta1.PeerService, defaultNamespace string) *controlplane.NetworkPolicyPeer { var controlplaneSvcRefs []controlplane.ServiceReference for _, svcRef := range svcRefs { svcNS, svcName := defaultNamespace, svcRef.Name if svcRef.Namespace != "" { svcNS = svcRef.Namespace } - if svcRef.Scope == v1alpha1.ScopeClusterSet { + if svcRef.Scope == crdv1beta1.ScopeClusterSet { if n.stretchNPEnabled { svcName = common.ToMCResourceName(svcName) } else { @@ -282,7 +281,7 @@ func (n *NetworkPolicyController) svcRefToPeerForCRD(svcRefs []v1alpha1.PeerServ } // createAppliedToGroupForService creates an AppliedToGroup object corresponding to a Service. -func (n *NetworkPolicyController) createAppliedToGroupForService(service *v1alpha1.NamespacedName) *antreatypes.AppliedToGroup { +func (n *NetworkPolicyController) createAppliedToGroupForService(service *crdv1beta1.NamespacedName) *antreatypes.AppliedToGroup { key := getNormalizedUID(k8s.NamespacedName(service.Namespace, service.Name)) // Create an AppliedToGroup object for this Service. diff --git a/pkg/controller/networkpolicy/crd_utils_test.go b/pkg/controller/networkpolicy/crd_utils_test.go index 1379b498f99..a572e347c28 100644 --- a/pkg/controller/networkpolicy/crd_utils_test.go 
+++ b/pkg/controller/networkpolicy/crd_utils_test.go @@ -25,7 +25,6 @@ import ( featuregatetesting "k8s.io/component-base/featuregate/testing" "antrea.io/antrea/pkg/apis/controlplane" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" antreatypes "antrea.io/antrea/pkg/controller/types" "antrea.io/antrea/pkg/features" @@ -37,13 +36,13 @@ func TestToAntreaServicesForCRD(t *testing.T) { queryStr := "224.0.0.1" reportStr := "225.1.2.3" tables := []struct { - ports []crdv1alpha1.NetworkPolicyPort - protocols []crdv1alpha1.NetworkPolicyProtocol + ports []crdv1beta1.NetworkPolicyPort + protocols []crdv1beta1.NetworkPolicyProtocol expServices []controlplane.Service expNamedPortExists bool }{ { - ports: []crdv1alpha1.NetworkPolicyPort{ + ports: []crdv1beta1.NetworkPolicyPort{ { Protocol: &k8sProtocolTCP, Port: &int80, @@ -58,7 +57,7 @@ func TestToAntreaServicesForCRD(t *testing.T) { expNamedPortExists: false, }, { - ports: []crdv1alpha1.NetworkPolicyPort{ + ports: []crdv1beta1.NetworkPolicyPort{ { Protocol: &k8sProtocolTCP, Port: &strHTTP, @@ -73,7 +72,7 @@ func TestToAntreaServicesForCRD(t *testing.T) { expNamedPortExists: true, }, { - ports: []crdv1alpha1.NetworkPolicyPort{ + ports: []crdv1beta1.NetworkPolicyPort{ { Protocol: &k8sProtocolTCP, Port: &int1000, @@ -90,9 +89,9 @@ func TestToAntreaServicesForCRD(t *testing.T) { expNamedPortExists: false, }, { - protocols: []crdv1alpha1.NetworkPolicyProtocol{ + protocols: []crdv1beta1.NetworkPolicyProtocol{ { - ICMP: &crdv1alpha1.ICMPProtocol{ + ICMP: &crdv1beta1.ICMPProtocol{ ICMPType: &icmpType8, ICMPCode: &icmpCode0, }, @@ -108,9 +107,9 @@ func TestToAntreaServicesForCRD(t *testing.T) { expNamedPortExists: false, }, { - protocols: []crdv1alpha1.NetworkPolicyProtocol{ + protocols: []crdv1beta1.NetworkPolicyProtocol{ { - IGMP: &crdv1alpha1.IGMPProtocol{ + IGMP: &crdv1beta1.IGMPProtocol{ IGMPType: &igmpQuery, GroupAddress: queryStr, }, 
@@ -125,9 +124,9 @@ func TestToAntreaServicesForCRD(t *testing.T) { }, }, { - protocols: []crdv1alpha1.NetworkPolicyProtocol{ + protocols: []crdv1beta1.NetworkPolicyProtocol{ { - IGMP: &crdv1alpha1.IGMPProtocol{ + IGMP: &crdv1beta1.IGMPProtocol{ IGMPType: &igmpReport, GroupAddress: reportStr, }, @@ -142,9 +141,9 @@ func TestToAntreaServicesForCRD(t *testing.T) { }, }, { - protocols: []crdv1alpha1.NetworkPolicyProtocol{ + protocols: []crdv1beta1.NetworkPolicyProtocol{ { - ICMP: &crdv1alpha1.ICMPProtocol{ + ICMP: &crdv1beta1.ICMPProtocol{ ICMPType: &icmpType8, }, }, @@ -158,9 +157,9 @@ func TestToAntreaServicesForCRD(t *testing.T) { expNamedPortExists: false, }, { - protocols: []crdv1alpha1.NetworkPolicyProtocol{ + protocols: []crdv1beta1.NetworkPolicyProtocol{ { - ICMP: &crdv1alpha1.ICMPProtocol{}, + ICMP: &crdv1beta1.ICMPProtocol{}, }, }, expServices: []controlplane.Service{ @@ -171,15 +170,15 @@ func TestToAntreaServicesForCRD(t *testing.T) { expNamedPortExists: false, }, { - ports: []crdv1alpha1.NetworkPolicyPort{ + ports: []crdv1beta1.NetworkPolicyPort{ { Protocol: &k8sProtocolTCP, Port: &int80, }, }, - protocols: []crdv1alpha1.NetworkPolicyProtocol{ + protocols: []crdv1beta1.NetworkPolicyProtocol{ { - ICMP: &crdv1alpha1.ICMPProtocol{ + ICMP: &crdv1beta1.ICMPProtocol{ ICMPType: &icmpType8, ICMPCode: &icmpCode0, }, 
@@ -208,20 +207,20 @@ func TestToAntreaServicesForCRD(t *testing.T) { func TestToAntreaL7ProtocolsForCRD(t *testing.T) { tables := []struct { - l7Protocol []crdv1alpha1.L7Protocol + l7Protocol []crdv1beta1.L7Protocol expValue []controlplane.L7Protocol }{ { - []crdv1alpha1.L7Protocol{ - {HTTP: &crdv1alpha1.HTTPProtocol{Host: "test.com", Method: "GET", Path: "/admin"}}, + []crdv1beta1.L7Protocol{ + {HTTP: &crdv1beta1.HTTPProtocol{Host: "test.com", Method: "GET", Path: "/admin"}}, }, []controlplane.L7Protocol{ {HTTP: &controlplane.HTTPProtocol{Host: "test.com", Method: "GET", Path: "/admin"}}, }, }, { - []crdv1alpha1.L7Protocol{ - {TLS: &crdv1alpha1.TLSProtocol{SNI: "test.com"}}, + []crdv1beta1.L7Protocol{ + {TLS: &crdv1beta1.TLSProtocol{SNI: "test.com"}}, }, []controlplane.L7Protocol{ {TLS: &controlplane.TLSProtocol{SNI: "test.com"}}, @@ -240,12 +239,12 @@ func TestToAntreaIPBlockForCRD(t *testing.T) { PrefixLength: 24, } tables := []struct { - ipBlock *crdv1alpha1.IPBlock + ipBlock *crdv1beta1.IPBlock expValue controlplane.IPBlock err error }{ { - &crdv1alpha1.IPBlock{ + &crdv1beta1.IPBlock{ CIDR: "10.0.0.0/24", }, controlplane.IPBlock{ @@ -254,7 +253,7 @@ func TestToAntreaIPBlockForCRD(t *testing.T) { nil, }, { - &crdv1alpha1.IPBlock{ + &crdv1beta1.IPBlock{ CIDR: "10.0.0.0", }, controlplane.IPBlock{}, @@ -282,14 +281,14 @@ func TestToAntreaIPBlockForCRD(t *testing.T) { } func TestToAntreaPeerForCRD(t *testing.T) { - testCNPObj := &crdv1alpha1.ClusterNetworkPolicy{ + testCNPObj := &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "cnpA", }, } cidr := "10.0.0.0/16" cidrIPNet, _ := cidrStrToIPNet(cidr) - selectorIP := crdv1alpha1.IPBlock{CIDR: cidr} + selectorIP := crdv1beta1.IPBlock{CIDR: cidr} selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}} selectorB := metav1.LabelSelector{MatchLabels: map[string]string{"foo2": "bar2"}} selectorC := metav1.LabelSelector{MatchLabels: map[string]string{"foo3": "bar3"}} 
@@ -305,7 +304,7 @@ func TestToAntreaPeerForCRD(t *testing.T) { } tests := []struct { name string - inPeers []crdv1alpha1.NetworkPolicyPeer + inPeers []crdv1beta1.NetworkPolicyPeer outPeer controlplane.NetworkPolicyPeer direction controlplane.Direction namedPortExists bool @@ -314,7 +313,7 @@ func TestToAntreaPeerForCRD(t *testing.T) { }{ { name: "pod-ns-selector-peer-ingress", - inPeers: []crdv1alpha1.NetworkPolicyPeer{ + inPeers: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorA, NamespaceSelector: &selectorB, @@ -333,7 +332,7 @@ func TestToAntreaPeerForCRD(t *testing.T) { }, { name: "pod-ns-selector-peer-egress", - inPeers: []crdv1alpha1.NetworkPolicyPeer{ + inPeers: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorA, NamespaceSelector: &selectorB, @@ -352,7 +351,7 @@ func TestToAntreaPeerForCRD(t *testing.T) { }, { name: "ipblock-selector-peer-ingress", - inPeers: []crdv1alpha1.NetworkPolicyPeer{ + inPeers: []crdv1beta1.NetworkPolicyPeer{ { IPBlock: &selectorIP, }, @@ -368,7 +367,7 @@ func TestToAntreaPeerForCRD(t *testing.T) { }, { name: "ipblock-selector-peer-egress", - inPeers: []crdv1alpha1.NetworkPolicyPeer{ + inPeers: []crdv1beta1.NetworkPolicyPeer{ { IPBlock: &selectorIP, }, @@ -384,13 +383,13 @@ func TestToAntreaPeerForCRD(t *testing.T) { }, { name: "empty-peer-ingress", - inPeers: []crdv1alpha1.NetworkPolicyPeer{}, + inPeers: []crdv1beta1.NetworkPolicyPeer{}, outPeer: matchAllPeer, direction: controlplane.DirectionIn, }, { name: "peer-ingress-with-cg", - inPeers: []crdv1alpha1.NetworkPolicyPeer{ + inPeers: []crdv1beta1.NetworkPolicyPeer{ { Group: cgA.Name, }, 
@@ -402,20 +401,20 @@ func TestToAntreaPeerForCRD(t *testing.T) { }, { name: "empty-peer-egress-with-named-port", - inPeers: []crdv1alpha1.NetworkPolicyPeer{}, + inPeers: []crdv1beta1.NetworkPolicyPeer{}, outPeer: matchAllPodsPeer, direction: controlplane.DirectionOut, namedPortExists: true, }, { name: "empty-peer-egress-without-named-port", - inPeers: []crdv1alpha1.NetworkPolicyPeer{}, + inPeers: []crdv1beta1.NetworkPolicyPeer{}, outPeer: matchAllPeer, direction: controlplane.DirectionOut, }, { name: "peer-egress-with-cg", - inPeers: []crdv1alpha1.NetworkPolicyPeer{ + inPeers: []crdv1beta1.NetworkPolicyPeer{ { Group: cgA.Name, }, @@ -427,7 +426,7 @@ func TestToAntreaPeerForCRD(t *testing.T) { }, { name: "node-selector-peer-ingress", - inPeers: []crdv1alpha1.NetworkPolicyPeer{ + inPeers: []crdv1beta1.NetworkPolicyPeer{ { NodeSelector: &selectorA, }, @@ -441,7 +440,7 @@ func TestToAntreaPeerForCRD(t *testing.T) { }, { name: "node-selector-peer-egress", - inPeers: []crdv1alpha1.NetworkPolicyPeer{ + inPeers: []crdv1beta1.NetworkPolicyPeer{ { NodeSelector: &selectorA, }, @@ -455,10 +454,10 @@ func TestToAntreaPeerForCRD(t *testing.T) { }, { name: "stretched-policy-peer", - inPeers: []crdv1alpha1.NetworkPolicyPeer{ + inPeers: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorA, - Scope: crdv1alpha1.ScopeClusterSet, + Scope: crdv1beta1.ScopeClusterSet, }, }, outPeer: controlplane.NetworkPolicyPeer{ @@ -513,7 +512,7 @@ func TestCreateAppliedToGroupsForGroup(t *testing.T) { // cgB with IPBlock present in cache clusterGroupWithIPBlock := &crdv1beta1.ClusterGroup{ ObjectMeta: metav1.ObjectMeta{Name: "cgB", UID: "uidB"}, - Spec: crdv1beta1.GroupSpec{IPBlocks: []crdv1alpha1.IPBlock{{CIDR: cidr}}}, + Spec: crdv1beta1.GroupSpec{IPBlocks: []crdv1beta1.IPBlock{{CIDR: cidr}}}, } groupWithSelector := &crdv1beta1.Group{ ObjectMeta: metav1.ObjectMeta{Namespace: "nsA", Name: "gA", UID: "uidA"}, 
@@ -522,7 +521,7 @@ func TestCreateAppliedToGroupsForGroup(t *testing.T) { // gB with IPBlock present in cache groupWithIPBlock := &crdv1beta1.Group{ ObjectMeta: metav1.ObjectMeta{Namespace: "nsB", Name: "gB", UID: "uidB"}, - Spec: crdv1beta1.GroupSpec{IPBlocks: []crdv1alpha1.IPBlock{{CIDR: cidr}}}, + Spec: crdv1beta1.GroupSpec{IPBlocks: []crdv1beta1.IPBlock{{CIDR: cidr}}}, } _, npc := newController(nil, nil) npc.addClusterGroup(clusterGroupWithSelector) diff --git a/pkg/controller/networkpolicy/group.go b/pkg/controller/networkpolicy/group.go index 74349b24e66..4fdb1345792 100644 --- a/pkg/controller/networkpolicy/group.go +++ b/pkg/controller/networkpolicy/group.go @@ -25,7 +25,6 @@ import ( "k8s.io/klog/v2" "antrea.io/antrea/pkg/apis/controlplane" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" antreatypes "antrea.io/antrea/pkg/controller/types" ) @@ -221,7 +220,7 @@ func (n *NetworkPolicyController) triggerANNPUpdates(g string) { // If a Group is added/updated, it might have a reference in Antrea NetworkPolicy. annps, _ := n.annpInformer.Informer().GetIndexer().ByIndex(GroupIndex, g) for _, obj := range annps { - n.enqueueInternalNetworkPolicy(getANNPReference(obj.(*crdv1alpha1.NetworkPolicy))) + n.enqueueInternalNetworkPolicy(getANNPReference(obj.(*crdv1beta1.NetworkPolicy))) } } diff --git a/pkg/controller/networkpolicy/group_test.go b/pkg/controller/networkpolicy/group_test.go index 69fa9027542..c743d098d71 100644 --- a/pkg/controller/networkpolicy/group_test.go +++ b/pkg/controller/networkpolicy/group_test.go @@ -24,7 +24,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "antrea.io/antrea/pkg/apis/controlplane" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" antreatypes "antrea.io/antrea/pkg/controller/types" ) 
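Review bot: In the group.go hunk, `triggerANNPUpdates` keeps an unchecked assertion `obj.(*crdv1beta1.NetworkPolicy)` on the objects returned by `ByIndex`, whereas the index functions touched elsewhere in this commit (the TierIndex/GroupIndex funcs of `acnpIndexers` and `annpIndexers`) use the checked `x, ok := obj.(...)` / `if !ok` form. The annp informer should only ever hold this type, so this is defensive, but after a version switch like this one a mismatched object would panic the controller here rather than be skipped; `annp, ok := obj.(*crdv1beta1.NetworkPolicy)` followed by `if !ok { continue }` before the enqueue keeps the two sites consistent. triggerANNPUpdates starts before the hunk.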
@@ -102,7 +101,7 @@ func TestProcessGroup(t *testing.T) { inputGroup: &crdv1beta1.Group{ ObjectMeta: metav1.ObjectMeta{Namespace: "nsD", Name: "gD", UID: "uidD"}, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ { CIDR: cidr, }, @@ -130,7 +129,7 @@ func TestProcessGroup(t *testing.T) { inputGroup: &crdv1beta1.Group{ ObjectMeta: metav1.ObjectMeta{Namespace: "nsE", Name: "gE", UID: "uidE"}, Spec: crdv1beta1.GroupSpec{ - ServiceReference: &crdv1alpha1.NamespacedName{ + ServiceReference: &crdv1beta1.NamespacedName{ Name: "test-svc", Namespace: "nsE", }, @@ -250,7 +249,7 @@ func TestAddGroup(t *testing.T) { inputGroup: &crdv1beta1.Group{ ObjectMeta: metav1.ObjectMeta{Namespace: "nsD", Name: "gD", UID: "uidD"}, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ { CIDR: cidr, }, @@ -365,7 +364,7 @@ func TestUpdateGroup(t *testing.T) { updatedGroup: &crdv1beta1.Group{ ObjectMeta: metav1.ObjectMeta{Namespace: "nsA", Name: "gA", UID: "uidA"}, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ { CIDR: cidr, }, @@ -393,7 +392,7 @@ func TestUpdateGroup(t *testing.T) { updatedGroup: &crdv1beta1.Group{ ObjectMeta: metav1.ObjectMeta{Namespace: "nsA", Name: "gA", UID: "uidA"}, Spec: crdv1beta1.GroupSpec{ - ServiceReference: &crdv1alpha1.NamespacedName{ + ServiceReference: &crdv1beta1.NamespacedName{ Name: "test-svc", Namespace: "nsA", }, diff --git a/pkg/controller/networkpolicy/mutate.go b/pkg/controller/networkpolicy/mutate.go index 53762c174fd..70106f1213a 100644 --- a/pkg/controller/networkpolicy/mutate.go +++ b/pkg/controller/networkpolicy/mutate.go @@ -25,7 +25,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/klog/v2" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" ) type NetworkPolicyMutator struct { 
@@ -54,7 +54,7 @@ func (m *NetworkPolicyMutator) Mutate(ar *admv1.AdmissionReview) *admv1.Admissio switch ar.Request.Kind.Kind { case "ClusterNetworkPolicy": klog.V(2).Info("Mutating Antrea ClusterNetworkPolicy CRD") - var curACNP, oldACNP crdv1alpha1.ClusterNetworkPolicy + var curACNP, oldACNP crdv1beta1.ClusterNetworkPolicy if curRaw != nil { if err := json.Unmarshal(curRaw, &curACNP); err != nil { klog.Errorf("Error de-serializing current Antrea ClusterNetworkPolicy") @@ -70,7 +70,7 @@ func (m *NetworkPolicyMutator) Mutate(ar *admv1.AdmissionReview) *admv1.Admissio msg, allowed, patch = m.mutateAntreaPolicy(op, curACNP.Spec.Ingress, curACNP.Spec.Egress, curACNP.Spec.Tier) case "NetworkPolicy": klog.V(2).Info("Mutating Antrea NetworkPolicy CRD") - var curANNP, oldANNP crdv1alpha1.NetworkPolicy + var curANNP, oldANNP crdv1beta1.NetworkPolicy if curRaw != nil { if err := json.Unmarshal(curRaw, &curANNP); err != nil { klog.Errorf("Error de-serializing current Antrea NetworkPolicy") @@ -108,7 +108,7 @@ func (m *NetworkPolicyMutator) Mutate(ar *admv1.AdmissionReview) *admv1.Admissio // mutateAntreaPolicy will auto-generate a name for this rule. In // addition to the rule names, it also mutates the Tier field to the default // tier name if it is unset. -func (m *NetworkPolicyMutator) mutateAntreaPolicy(op admv1.Operation, ingress, egress []crdv1alpha1.Rule, tier string) (string, bool, []byte) { +func (m *NetworkPolicyMutator) mutateAntreaPolicy(op admv1.Operation, ingress, egress []crdv1beta1.Rule, tier string) (string, bool, []byte) { allowed := true reason := "" var patch []byte 
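Review bot: `Mutate` now decodes `curRaw` into `crdv1beta1.ClusterNetworkPolicy` / `crdv1beta1.NetworkPolicy`, but the `switch` still dispatches on `ar.Request.Kind.Kind` alone, so nothing in the handler checks that the admission request actually carries the v1beta1 encoding. Whether a v1alpha1 object can still reach this path depends on the webhook configuration (the diffstat lists a change to `crdvalidator.yaml` that is not in this chunk); if both versions remain in the webhook rules, a v1alpha1 object would be decoded into the v1beta1 struct and patched as though it were v1beta1. A guard such as `if ar.Request.Kind.Version != "v1beta1" { /* reject or pass through unmodified */ }` ahead of the switch, or a comment stating that the webhook rules are restricted to v1beta1, would make that assumption explicit. Mutate starts before the first hunk and its body continues past the second.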
@@ -140,7 +140,7 @@ func (m *NetworkPolicyMutator) mutateAntreaPolicy(op admv1.Operation, ingress, e } // generateRuleNames generates unique rule names and returns a list of json paths and the corresponding list of generated names -func generateRuleNames(prefix string, rules []crdv1alpha1.Rule) ([]string, []string) { +func generateRuleNames(prefix string, rules []crdv1beta1.Rule) ([]string, []string) { var paths []string var values []string for idx, rule := range rules { @@ -191,7 +191,7 @@ func createReplacePatch(paths []string, values []string) ([]byte, error) { const ruleNameSuffixLen = 7 // hashRule calculates a string based on the rule's content. -func hashRule(r crdv1alpha1.Rule) string { +func hashRule(r crdv1beta1.Rule) string { hash := sha1.New() // #nosec G401: not used for security purposes b, _ := json.Marshal(r) hash.Write(b) diff --git a/pkg/controller/networkpolicy/mutate_test.go b/pkg/controller/networkpolicy/mutate_test.go index 000dbcbfab8..c5252fabe7c 100644 --- a/pkg/controller/networkpolicy/mutate_test.go +++ b/pkg/controller/networkpolicy/mutate_test.go 
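Review bot: `hashRule` derives the auto-generated rule name from `json.Marshal` of the versioned `crdv1beta1.Rule`, so the name for a given rule is tied to the v1beta1 JSON shape rather than to the rule's semantics; if the v1beta1 encoding differs from v1alpha1's (added or renamed fields, omitempty changes), the same unnamed rule receives a different generated name than it did before this change. That is harmless for rules whose name is already persisted, but it is worth stating in the comment, e.g. `// hashRule calculates a string based on the rule's content. The hash covers the v1beta1 JSON encoding of the rule, so it is not stable across API versions.`, and pinning one expected generated name in mutate_test.go would catch unintended drift. hashRule's body continues past the hunk.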
@@ -22,34 +22,34 @@ import ( admv1 "k8s.io/api/admission/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" ) func TestMutateAntreaClusterNetworkPolicy(t *testing.T) { tests := []struct { name string - policy *crdv1alpha1.ClusterNetworkPolicy + policy *crdv1beta1.ClusterNetworkPolicy operation admv1.Operation expectPatch []jsonPatch }{ { name: "acnp-create-mutate", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "mutate-rule-name-tier", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo": "bar"}, }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo1": "bar1"}, @@ -59,7 +59,7 @@ func TestMutateAntreaClusterNetworkPolicy(t *testing.T) { }, { Action: &allowAction, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo2": "bar2"}, @@ -68,10 +68,10 @@ func TestMutateAntreaClusterNetworkPolicy(t *testing.T) { }, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { Action: &allowAction, - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo2": "bar2"}, 
@@ -108,22 +108,22 @@ func TestMutateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "acnp-update-mutate", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "mutate-tier-name", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo": "bar"}, }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo1": "bar1"}, @@ -133,7 +133,7 @@ func TestMutateAntreaClusterNetworkPolicy(t *testing.T) { }, { Action: &allowAction, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo2": "bar2"}, @@ -142,10 +142,10 @@ func TestMutateAntreaClusterNetworkPolicy(t *testing.T) { }, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { Action: &allowAction, - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo2": "bar2"}, 
@@ -196,29 +196,29 @@ func TestMutateAntreaClusterNetworkPolicy(t *testing.T) { func TestMutateAntreaNetworkPolicy(t *testing.T) { tests := []struct { name string - policy *crdv1alpha1.NetworkPolicy + policy *crdv1beta1.NetworkPolicy operation admv1.Operation expectPatch []jsonPatch }{ { name: "anp-create-mutate", - policy: &crdv1alpha1.NetworkPolicy{ + policy: &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "mutate-rule-name-tier", Namespace: "x", }, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.NetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo": "bar"}, }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo1": "bar1"}, @@ -228,7 +228,7 @@ func TestMutateAntreaNetworkPolicy(t *testing.T) { }, { Action: &allowAction, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo2": "bar2"}, @@ -237,10 +237,10 @@ func TestMutateAntreaNetworkPolicy(t *testing.T) { }, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { Action: &allowAction, - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo2": "bar2"}, 
@@ -277,22 +277,22 @@ func TestMutateAntreaNetworkPolicy(t *testing.T) { }, { name: "anp-update-mutate", - policy: &crdv1alpha1.NetworkPolicy{ + policy: &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "mutate-rule-name-tier", }, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.NetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo": "bar"}, }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo1": "bar1"}, @@ -302,7 +302,7 @@ func TestMutateAntreaNetworkPolicy(t *testing.T) { }, { Action: &allowAction, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo2": "bar2"}, @@ -311,10 +311,10 @@ func TestMutateAntreaNetworkPolicy(t *testing.T) { }, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { Action: &allowAction, - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo2": "bar2"}, diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go index 5d1373cfebe..62ba91260a3 100644 --- a/pkg/controller/networkpolicy/networkpolicy_controller.go +++ b/pkg/controller/networkpolicy/networkpolicy_controller.go 
@@ -45,14 +45,11 @@ import ( "k8s.io/klog/v2" "antrea.io/antrea/pkg/apis/controlplane" - secv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" "antrea.io/antrea/pkg/apis/crd/v1alpha2" secv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" "antrea.io/antrea/pkg/apiserver/storage" "antrea.io/antrea/pkg/client/clientset/versioned" - secinformers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1alpha1" crdv1b1informers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1beta1" - seclisters "antrea.io/antrea/pkg/client/listers/crd/v1alpha1" crdv1b1listers "antrea.io/antrea/pkg/client/listers/crd/v1beta1" "antrea.io/antrea/pkg/controller/grouping" "antrea.io/antrea/pkg/controller/labelidentity" @@ -124,7 +121,7 @@ var ( // denyAllEgressRule is a NetworkPolicyRule which denies all egress traffic. denyAllEgressRule = controlplane.NetworkPolicyRule{Direction: controlplane.DirectionOut} // defaultAction is a RuleAction which sets the default Action for the NetworkPolicy rule. - defaultAction = secv1alpha1.RuleActionAllow + defaultAction = secv1beta1.RuleActionAllow ) func getKNPReference(knp *networkingv1.NetworkPolicy) *controlplane.NetworkPolicyReference { 
@@ -165,17 +162,17 @@ type NetworkPolicyController struct { // networkPolicyListerSynced is a function which returns true if the Network Policy shared informer has been synced at least once. networkPolicyListerSynced cache.InformerSynced - acnpInformer secinformers.ClusterNetworkPolicyInformer + acnpInformer crdv1b1informers.ClusterNetworkPolicyInformer // acnpLister is able to list/get AntreaClusterNetworkPolicies and is populated by the shared informer passed to // NewClusterNetworkPolicyController. - acnpLister seclisters.ClusterNetworkPolicyLister + acnpLister crdv1b1listers.ClusterNetworkPolicyLister // acnpListerSynced is a function which returns true if the AntreaClusterNetworkPolicies shared informer has been synced at least once. acnpListerSynced cache.InformerSynced - annpInformer secinformers.NetworkPolicyInformer + annpInformer crdv1b1informers.NetworkPolicyInformer // annpLister is able to list/get AntreaNetworkPolicies and is populated by the shared informer passed to // NewNetworkPolicyController. - annpLister seclisters.NetworkPolicyLister + annpLister crdv1b1listers.NetworkPolicyLister // annpListerSynced is a function which returns true if the AntreaNetworkPolicies shared informer has been synced at least once. annpListerSynced cache.InformerSynced @@ -266,14 +263,14 @@ var tierIndexers = cache.Indexers{ var acnpIndexers = cache.Indexers{ TierIndex: func(obj interface{}) ([]string, error) { - acnp, ok := obj.(*secv1alpha1.ClusterNetworkPolicy) + acnp, ok := obj.(*secv1beta1.ClusterNetworkPolicy) if !ok { return []string{}, nil } return []string{acnp.Spec.Tier}, nil }, ClusterGroupIndex: func(obj interface{}) ([]string, error) { - acnp, ok := obj.(*secv1alpha1.ClusterNetworkPolicy) + acnp, ok := obj.(*secv1beta1.ClusterNetworkPolicy) if !ok { return []string{}, nil } 
@@ -286,7 +283,7 @@ var acnpIndexers = cache.Indexers{ if len(acnp.Spec.Ingress) == 0 && len(acnp.Spec.Egress) == 0 { return sets.List(groupNames), nil } - appendGroups := func(rule secv1alpha1.Rule) { + appendGroups := func(rule secv1beta1.Rule) { for _, peer := range rule.To { if peer.Group != "" { groupNames.Insert(peer.Group) @@ -312,7 +309,7 @@ var acnpIndexers = cache.Indexers{ return sets.List(groupNames), nil }, perNamespaceRuleIndex: func(obj interface{}) ([]string, error) { - acnp, ok := obj.(*secv1alpha1.ClusterNetworkPolicy) + acnp, ok := obj.(*secv1beta1.ClusterNetworkPolicy) if !ok { return []string{}, nil } @@ -326,14 +323,14 @@ var acnpIndexers = cache.Indexers{ var annpIndexers = cache.Indexers{ TierIndex: func(obj interface{}) ([]string, error) { - annp, ok := obj.(*secv1alpha1.NetworkPolicy) + annp, ok := obj.(*secv1beta1.NetworkPolicy) if !ok { return []string{}, nil } return []string{annp.Spec.Tier}, nil }, GroupIndex: func(obj interface{}) ([]string, error) { - annp, ok := obj.(*secv1alpha1.NetworkPolicy) + annp, ok := obj.(*secv1beta1.NetworkPolicy) if !ok { return []string{}, nil } @@ -347,7 +344,7 @@ var annpIndexers = cache.Indexers{ if len(annp.Spec.Ingress) == 0 && len(annp.Spec.Egress) == 0 { return sets.List(groupNames), nil } - appendGroups := func(rule secv1alpha1.Rule) { + appendGroups := func(rule secv1beta1.Rule) { for _, peer := range rule.To { if peer.Group != "" { groupNames.Insert(ns + peer.Group) 
@@ -383,8 +380,8 @@ func NewNetworkPolicyController(kubeClient clientset.Interface, serviceInformer coreinformers.ServiceInformer, networkPolicyInformer networkinginformers.NetworkPolicyInformer, nodeInformer coreinformers.NodeInformer, - acnpInformer secinformers.ClusterNetworkPolicyInformer, - annpInformer secinformers.NetworkPolicyInformer, + acnpInformer crdv1b1informers.ClusterNetworkPolicyInformer, + annpInformer crdv1b1informers.NetworkPolicyInformer, tierInformer crdv1b1informers.TierInformer, cgInformer crdv1b1informers.ClusterGroupInformer, grpInformer crdv1b1informers.GroupInformer, diff --git a/pkg/controller/networkpolicy/networkpolicy_controller_perf_test.go b/pkg/controller/networkpolicy/networkpolicy_controller_perf_test.go index aba86638e50..fcc091a6e52 100644 --- a/pkg/controller/networkpolicy/networkpolicy_controller_perf_test.go +++ b/pkg/controller/networkpolicy/networkpolicy_controller_perf_test.go @@ -39,8 +39,8 @@ import ( "k8s.io/klog/v2" "antrea.io/antrea/pkg/apis/controlplane" - "antrea.io/antrea/pkg/apis/crd/v1alpha1" "antrea.io/antrea/pkg/apis/crd/v1alpha2" + "antrea.io/antrea/pkg/apis/crd/v1beta1" ) /* @@ -227,7 +227,7 @@ func testComputeNetworkPolicy(t *testing.T, maxExecutionTime time.Duration, name switch policy := obj.(type) { case *networkingv1.NetworkPolicy: k8sObjs = append(k8sObjs, policy) - case *v1alpha1.NetworkPolicy: + case *v1beta1.NetworkPolicy: crdObjs = append(crdObjs, policy) } } 
@@ -469,48 +469,48 @@ func newNetworkPolicy(namespace, name string, podSelector, ingressPodSelector, i
 return policy
 }
 
-func newANNPAppliedToExternalEntity(namespace, name string, externalEntitySelector, ingressExternalEntitySelector, ingressNamespaceSelector, egressExternalEntitySelector, egressNamespaceSelector map[string]string) *v1alpha1.NetworkPolicy {
+func newANNPAppliedToExternalEntity(namespace, name string, externalEntitySelector, ingressExternalEntitySelector, ingressNamespaceSelector, egressExternalEntitySelector, egressNamespaceSelector map[string]string) *v1beta1.NetworkPolicy {
 if name == "" {
 name = "annp-" + rand.String(8)
 }
- annp := &v1alpha1.NetworkPolicy{
+ annp := &v1beta1.NetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{Namespace: namespace, Name: name, UID: types.UID(uuid.New().String())},
- Spec: v1alpha1.NetworkPolicySpec{
- AppliedTo: []v1alpha1.AppliedTo{
+ Spec: v1beta1.NetworkPolicySpec{
+ AppliedTo: []v1beta1.AppliedTo{
 {
 ExternalEntitySelector: &metav1.LabelSelector{MatchLabels: externalEntitySelector},
 },
 },
 },
 }
- allowAction := v1alpha1.RuleActionAllow
+ allowAction := v1beta1.RuleActionAllow
 if ingressExternalEntitySelector != nil || ingressNamespaceSelector != nil {
- peer := v1alpha1.NetworkPolicyPeer{}
+ peer := v1beta1.NetworkPolicyPeer{}
 if ingressExternalEntitySelector != nil {
 peer.ExternalEntitySelector = &metav1.LabelSelector{MatchLabels: ingressExternalEntitySelector}
 }
 if ingressNamespaceSelector != nil {
 peer.NamespaceSelector = &metav1.LabelSelector{MatchLabels: ingressNamespaceSelector}
 }
- annp.Spec.Ingress = []v1alpha1.Rule{
+ annp.Spec.Ingress = []v1beta1.Rule{
 {
 Action: &allowAction,
- From: []v1alpha1.NetworkPolicyPeer{peer},
+ From: []v1beta1.NetworkPolicyPeer{peer},
 },
 }
 }
 if egressExternalEntitySelector != nil || egressNamespaceSelector != nil {
- peer := v1alpha1.NetworkPolicyPeer{}
+ peer := v1beta1.NetworkPolicyPeer{}
 if egressExternalEntitySelector != nil {
 peer.ExternalEntitySelector = &metav1.LabelSelector{MatchLabels: egressExternalEntitySelector}
 }
 if egressNamespaceSelector != nil {
 peer.NamespaceSelector = &metav1.LabelSelector{MatchLabels: egressNamespaceSelector}
 }
- annp.Spec.Egress = []v1alpha1.Rule{
+ annp.Spec.Egress = []v1beta1.Rule{
 {
 Action: &allowAction,
- To: []v1alpha1.NetworkPolicyPeer{peer},
+ To: []v1beta1.NetworkPolicyPeer{peer},
 },
 }
 }
@@ -602,7 +602,7 @@ func benchmarkInit(b *testing.B, namespaces []*corev1.Namespace, networkPolicies
 switch policy := obj.(type) {
 case *networkingv1.NetworkPolicy:
 k8sObjs = append(k8sObjs, policy)
- case *v1alpha1.NetworkPolicy:
+ case *v1beta1.NetworkPolicy:
 crdObjs = append(crdObjs, policy)
 }
 }
@@ -652,7 +652,7 @@ func benchmarkInit(b *testing.B, namespaces []*corev1.Namespace, networkPolicies
 switch policy := obj.(type) {
 case *networkingv1.NetworkPolicy:
 c.addNetworkPolicy(policy)
- case *v1alpha1.NetworkPolicy:
+ case *v1beta1.NetworkPolicy:
 c.addANNP(policy)
 }
 }
diff --git a/pkg/controller/networkpolicy/networkpolicy_controller_test.go b/pkg/controller/networkpolicy/networkpolicy_controller_test.go
index 0125cc4315b..4286b3f82fa 100644
--- a/pkg/controller/networkpolicy/networkpolicy_controller_test.go
+++ b/pkg/controller/networkpolicy/networkpolicy_controller_test.go
@@ -45,7 +45,6 @@ import (
 fakemcsversioned "antrea.io/antrea/multicluster/pkg/client/clientset/versioned/fake"
 mcsinformers "antrea.io/antrea/multicluster/pkg/client/informers/externalversions"
 "antrea.io/antrea/pkg/apis/controlplane"
- crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 "antrea.io/antrea/pkg/apis/crd/v1alpha2"
 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 "antrea.io/antrea/pkg/apiserver/storage"
@@ -132,8 +131,8 @@ func newController(k8sObjects, crdObjects []runtime.Object) (*fake.Clientset, *n
 informerFactory.Core().V1().Services(),
 informerFactory.Networking().V1().NetworkPolicies(),
 informerFactory.Core().V1().Nodes(),
- crdInformerFactory.Crd().V1alpha1().ClusterNetworkPolicies(),
- crdInformerFactory.Crd().V1alpha1().NetworkPolicies(),
+ crdInformerFactory.Crd().V1beta1().ClusterNetworkPolicies(),
+ crdInformerFactory.Crd().V1beta1().NetworkPolicies(),
 crdInformerFactory.Crd().V1beta1().Tiers(),
 cgInformer,
 gInformer,
@@ -158,8 +157,8 @@ func newController(k8sObjects, crdObjects []runtime.Object) (*fake.Clientset, *n
 informerFactory.Core().V1().Namespaces().Informer().GetStore(),
 informerFactory.Core().V1().Services().Informer().GetStore(),
 informerFactory.Networking().V1().NetworkPolicies().Informer().GetStore(),
- crdInformerFactory.Crd().V1alpha1().ClusterNetworkPolicies().Informer().GetStore(),
- crdInformerFactory.Crd().V1alpha1().NetworkPolicies().Informer().GetStore(),
+ crdInformerFactory.Crd().V1beta1().ClusterNetworkPolicies().Informer().GetStore(),
+ crdInformerFactory.Crd().V1beta1().NetworkPolicies().Informer().GetStore(),
 crdInformerFactory.Crd().V1beta1().Tiers().Informer().GetStore(),
 crdInformerFactory.Crd().V1beta1().ClusterGroups().Informer().GetStore(),
 crdInformerFactory.Crd().V1beta1().Groups().Informer().GetStore(),
@@ -187,8 +186,8 @@ func newControllerWithoutEventHandler(k8sObjects, crdObjects []runtime.Object) (
 namespaceInformer := informerFactory.Core().V1().Namespaces()
 networkPolicyInformer := informerFactory.Networking().V1().NetworkPolicies()
 tierInformer := crdInformerFactory.Crd().V1beta1().Tiers()
- acnpInformer := crdInformerFactory.Crd().V1alpha1().ClusterNetworkPolicies()
- annpInformer := crdInformerFactory.Crd().V1alpha1().NetworkPolicies()
+ acnpInformer := crdInformerFactory.Crd().V1beta1().ClusterNetworkPolicies()
+ annpInformer := crdInformerFactory.Crd().V1beta1().NetworkPolicies()
 cgInformer := crdInformerFactory.Crd().V1beta1().ClusterGroups()
 groupInformer := crdInformerFactory.Crd().V1beta1().Groups()
 groupEntityIndex := grouping.NewGroupEntityIndex()
@@ -1212,7 +1211,7 @@ func TestAddAndUpdateService(t *testing.T) {
 Name: "cg-1",
 },
 Spec: v1beta1.GroupSpec{
- ServiceReference: &crdv1alpha1.NamespacedName{
+ ServiceReference: &v1beta1.NamespacedName{
 Name: "test-svc-1",
 Namespace: "test-ns",
 },
@@ -1223,7 +1222,7 @@ func TestAddAndUpdateService(t *testing.T) {
 Name: "cg-2",
 },
 Spec: v1beta1.GroupSpec{
- ServiceReference: &crdv1alpha1.NamespacedName{
+ ServiceReference: &v1beta1.NamespacedName{
 Name: "test-svc-2",
 Namespace: "test-ns",
 },
@@ -1318,7 +1317,7 @@ func TestDeleteService(t *testing.T) {
 Name: "test-cg",
 },
 Spec: v1beta1.GroupSpec{
- ServiceReference: &crdv1alpha1.NamespacedName{
+ ServiceReference: &v1beta1.NamespacedName{
 Name: "test-svc",
 Namespace: "test-ns",
 },
@@ -2920,24 +2919,24 @@ func compareIPNet(ipn1, ipn2 controlplane.IPNet) bool { func TestSyncInternalNetworkPolicy(t *testing.T) { p10 := float64(10) - allowAction := crdv1alpha1.RuleActionAllow - inputPolicy := &crdv1alpha1.ClusterNetworkPolicy{ + allowAction := v1beta1.RuleActionAllow + inputPolicy := &v1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpA", UID: "uidA"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: v1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []v1beta1.AppliedTo{ {PodSelector: &selectorA}, {PodSelector: &selectorB}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []v1beta1.Rule{ { - From: []crdv1alpha1.NetworkPolicyPeer{{PodSelector: &selectorA}}, + From: []v1beta1.NetworkPolicyPeer{{PodSelector: &selectorA}}, Action: &allowAction, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []v1beta1.Rule{ { - To: []crdv1alpha1.NetworkPolicyPeer{{PodSelector: &selectorB}}, + To: []v1beta1.NetworkPolicyPeer{{PodSelector: &selectorB}}, Action: &allowAction, }, }, @@ -3244,7 +3243,7 @@ func TestSyncInternalNetworkPolicyConcurrently(t *testing.T) { func TestSyncInternalNetworkPolicyWithGroups(t *testing.T) { p10 := float64(10) - allowAction := crdv1alpha1.RuleActionAllow + allowAction := v1beta1.RuleActionAllow podA := getPod("podA", "nsA", "nodeA", "10.0.0.1", false) podA.Labels = selectorA.MatchLabels podB := getPod("podB", "nsB", "nodeB", "10.0.0.2", false) @@ -3254,7 +3253,7 @@ func TestSyncInternalNetworkPolicyWithGroups(t *testing.T) { tests := []struct { name string groups []*v1beta1.Group - inputPolicy *crdv1alpha1.NetworkPolicy + inputPolicy *v1beta1.NetworkPolicy expectedPolicy *antreatypes.NetworkPolicy }{ { 
@@ -3265,16 +3264,16 @@ func TestSyncInternalNetworkPolicyWithGroups(t *testing.T) { Spec: v1beta1.GroupSpec{PodSelector: &selectorA}, }, }, - inputPolicy: &crdv1alpha1.NetworkPolicy{ + inputPolicy: &v1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "nsA", Name: "annpA", UID: "uidA"}, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: v1beta1.NetworkPolicySpec{ + AppliedTo: []v1beta1.AppliedTo{ {Group: "groupA"}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []v1beta1.Rule{ { - From: []crdv1alpha1.NetworkPolicyPeer{{PodSelector: &selectorB}}, + From: []v1beta1.NetworkPolicyPeer{{PodSelector: &selectorB}}, Action: &allowAction, }, }, @@ -3314,16 +3313,16 @@ func TestSyncInternalNetworkPolicyWithGroups(t *testing.T) { Spec: v1beta1.GroupSpec{PodSelector: &selectorA}, }, }, - inputPolicy: &crdv1alpha1.NetworkPolicy{ + inputPolicy: &v1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "nsA", Name: "annpA", UID: "uidA"}, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: v1beta1.NetworkPolicySpec{ + AppliedTo: []v1beta1.AppliedTo{ {Group: "parentGroup"}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []v1beta1.Rule{ { - From: []crdv1alpha1.NetworkPolicyPeer{{PodSelector: &selectorB}}, + From: []v1beta1.NetworkPolicyPeer{{PodSelector: &selectorB}}, Action: &allowAction, }, }, @@ -3359,16 +3358,16 @@ func TestSyncInternalNetworkPolicyWithGroups(t *testing.T) { Spec: v1beta1.GroupSpec{NamespaceSelector: &metav1.LabelSelector{}, PodSelector: &selectorA}, }, }, - inputPolicy: &crdv1alpha1.NetworkPolicy{ + inputPolicy: &v1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "nsA", Name: "annpA", UID: "uidA"}, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: v1beta1.NetworkPolicySpec{ + AppliedTo: []v1beta1.AppliedTo{ {Group: "groupA"}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []v1beta1.Rule{ { - 
From: []crdv1alpha1.NetworkPolicyPeer{{PodSelector: &selectorB}}, + From: []v1beta1.NetworkPolicyPeer{{PodSelector: &selectorB}}, Action: &allowAction, }, }, @@ -3408,16 +3407,16 @@ func TestSyncInternalNetworkPolicyWithGroups(t *testing.T) { Spec: v1beta1.GroupSpec{NamespaceSelector: &metav1.LabelSelector{}, PodSelector: &selectorA}, }, }, - inputPolicy: &crdv1alpha1.NetworkPolicy{ + inputPolicy: &v1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "nsA", Name: "annpA", UID: "uidA"}, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: v1beta1.NetworkPolicySpec{ + AppliedTo: []v1beta1.AppliedTo{ {Group: "parentGroup"}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []v1beta1.Rule{ { - From: []crdv1alpha1.NetworkPolicyPeer{{PodSelector: &selectorB}}, + From: []v1beta1.NetworkPolicyPeer{{PodSelector: &selectorB}}, Action: &allowAction, }, }, @@ -3462,7 +3461,7 @@ func TestSyncInternalNetworkPolicyWithGroups(t *testing.T) { for _, group := range tt.groups { c.crdClient.CrdV1beta1().Groups(group.Namespace).Create(context.TODO(), group, metav1.CreateOptions{}) } - c.crdClient.CrdV1alpha1().NetworkPolicies(tt.inputPolicy.Namespace).Create(context.TODO(), tt.inputPolicy, metav1.CreateOptions{}) + c.crdClient.CrdV1beta1().NetworkPolicies(tt.inputPolicy.Namespace).Create(context.TODO(), tt.inputPolicy, metav1.CreateOptions{}) var gotPolicy *antreatypes.NetworkPolicy err := wait.PollImmediate(100*time.Millisecond, 3*time.Second, func() (done bool, err error) { diff --git a/pkg/controller/networkpolicy/status_controller.go b/pkg/controller/networkpolicy/status_controller.go index 744fe448af9..64a262a7f64 100644 --- a/pkg/controller/networkpolicy/status_controller.go +++ b/pkg/controller/networkpolicy/status_controller.go 
@@ -34,11 +34,11 @@ import (
 "k8s.io/klog/v2"
 
 "antrea.io/antrea/pkg/apis/controlplane"
- crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 "antrea.io/antrea/pkg/apiserver/storage"
 antreaclientset "antrea.io/antrea/pkg/client/clientset/versioned"
- crdinformers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1alpha1"
- crdlisters "antrea.io/antrea/pkg/client/listers/crd/v1alpha1"
+ crdinformers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1beta1"
+ crdlisters "antrea.io/antrea/pkg/client/listers/crd/v1beta1"
 "antrea.io/antrea/pkg/controller/metrics"
 antreatypes "antrea.io/antrea/pkg/controller/types"
 )
@@ -113,8 +113,8 @@ func NewStatusController(antreaClient antreaclientset.Interface, internalNetwork
 }
 
 func (c *StatusController) updateACNP(old, cur interface{}) {
- curACNP := cur.(*crdv1alpha1.ClusterNetworkPolicy)
- oldACNP := old.(*crdv1alpha1.ClusterNetworkPolicy)
+ curACNP := cur.(*crdv1beta1.ClusterNetworkPolicy)
+ oldACNP := old.(*crdv1beta1.ClusterNetworkPolicy)
 if NetworkPolicyStatusEqual(oldACNP.Status, curACNP.Status) {
 return
 }
@@ -123,8 +123,8 @@ func (c *StatusController) updateACNP(old, cur interface{}) {
 }
 
 func (c *StatusController) updateANNP(old, cur interface{}) {
- curANNP := cur.(*crdv1alpha1.NetworkPolicy)
- oldANNP := old.(*crdv1alpha1.NetworkPolicy)
+ curANNP := cur.(*crdv1beta1.NetworkPolicy)
+ oldANNP := old.(*crdv1beta1.NetworkPolicy)
 if NetworkPolicyStatusEqual(oldANNP.Status, curANNP.Status) {
 return
 }
@@ -272,8 +272,8 @@ func (c *StatusController) syncHandler(key string) error { } internalNP := internalNPObj.(*antreatypes.NetworkPolicy) - updateStatus := func(phase crdv1alpha1.NetworkPolicyPhase, currentNodes, desiredNodes int, conditions []crdv1alpha1.NetworkPolicyCondition) error { - status := &crdv1alpha1.NetworkPolicyStatus{ + updateStatus := func(phase crdv1beta1.NetworkPolicyPhase, currentNodes, desiredNodes int, conditions []crdv1beta1.NetworkPolicyCondition) error { + status := &crdv1beta1.NetworkPolicyStatus{ Phase: phase, ObservedGeneration: internalNP.Generation, CurrentNodesRealized: int32(currentNodes), @@ -291,13 +291,13 @@ func (c *StatusController) syncHandler(key string) error { // It means the NetworkPolicy has been processed, and marked as unrealizable. It will enter unrealizable phase // instead of being further realized. Antrea-agents will not process further. if internalNP.SyncError != nil { - return updateStatus(crdv1alpha1.NetworkPolicyPending, 0, 0, conditions) + return updateStatus(crdv1beta1.NetworkPolicyPending, 0, 0, conditions) } // It means the NetworkPolicy hasn't been processed once. Set it to Pending to differentiate from NetworkPolicies // that spans 0 Node. if internalNP.SpanMeta.NodeNames == nil { - return updateStatus(crdv1alpha1.NetworkPolicyPending, 0, 0, conditions) + return updateStatus(crdv1beta1.NetworkPolicyPending, 0, 0, conditions) } desiredNodes := len(internalNP.SpanMeta.NodeNames) 
@@ -324,8 +324,8 @@ func (c *StatusController) syncHandler(key string) error { if len(failureMessage) > maxConditionMessageLength { failureMessage = fmt.Sprintf("%s...", failureMessage[:maxConditionMessageLength]) } - conditions = append(conditions, crdv1alpha1.NetworkPolicyCondition{ - Type: crdv1alpha1.NetworkPolicyConditionRealizationFailure, + conditions = append(conditions, crdv1beta1.NetworkPolicyCondition{ + Type: crdv1beta1.NetworkPolicyConditionRealizationFailure, Status: v1.ConditionTrue, LastTransitionTime: v1.Now(), Reason: "NetworkPolicyRealizationFailedOnNode", @@ -333,11 +333,11 @@ func (c *StatusController) syncHandler(key string) error { }) } - phase := crdv1alpha1.NetworkPolicyRealizing + phase := crdv1beta1.NetworkPolicyRealizing if currentNodes == desiredNodes { - phase = crdv1alpha1.NetworkPolicyRealized + phase = crdv1beta1.NetworkPolicyRealized } else if currentNodes+len(failedNodes) == desiredNodes { - phase = crdv1alpha1.NetworkPolicyFailed + phase = crdv1beta1.NetworkPolicyFailed } return updateStatus(phase, currentNodes, desiredNodes, conditions) @@ -346,8 +346,8 @@ func (c *StatusController) syncHandler(key string) error { // networkPolicyControlInterface is an interface that knows how to update Antrea NetworkPolicy status. // It's created as an interface to allow testing. type networkPolicyControlInterface interface { - UpdateAntreaNetworkPolicyStatus(namespace, name string, status *crdv1alpha1.NetworkPolicyStatus) error - UpdateAntreaClusterNetworkPolicyStatus(name string, status *crdv1alpha1.NetworkPolicyStatus) error + UpdateAntreaNetworkPolicyStatus(namespace, name string, status *crdv1beta1.NetworkPolicyStatus) error + UpdateAntreaClusterNetworkPolicyStatus(name string, status *crdv1beta1.NetworkPolicyStatus) error } type networkPolicyControl struct { 
@@ -356,7 +356,7 @@ type networkPolicyControl struct {
 annpLister crdlisters.NetworkPolicyLister
 }
 
-func (c *networkPolicyControl) UpdateAntreaNetworkPolicyStatus(namespace, name string, status *crdv1alpha1.NetworkPolicyStatus) error {
+func (c *networkPolicyControl) UpdateAntreaNetworkPolicyStatus(namespace, name string, status *crdv1beta1.NetworkPolicyStatus) error {
 annp, err := c.annpLister.NetworkPolicies(namespace).Get(name)
 if err != nil {
 klog.Infof("Didn't find the original Antrea NetworkPolicy %s/%s, skip updating status", namespace, name)
@@ -372,9 +372,9 @@ func (c *networkPolicyControl) UpdateAntreaNetworkPolicyStatus(namespace, name s
 if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
 toUpdate.Status = *status
 klog.V(2).InfoS("Updating Antrea NetworkPolicy", "NetworkPolicy", klog.KObj(toUpdate))
- _, updateErr := c.antreaClient.CrdV1alpha1().NetworkPolicies(namespace).UpdateStatus(context.TODO(), toUpdate, v1.UpdateOptions{})
+ _, updateErr := c.antreaClient.CrdV1beta1().NetworkPolicies(namespace).UpdateStatus(context.TODO(), toUpdate, v1.UpdateOptions{})
 if updateErr != nil && errors.IsConflict(updateErr) {
- if toUpdate, getErr = c.antreaClient.CrdV1alpha1().NetworkPolicies(namespace).Get(context.TODO(), name, v1.GetOptions{}); getErr != nil {
+ if toUpdate, getErr = c.antreaClient.CrdV1beta1().NetworkPolicies(namespace).Get(context.TODO(), name, v1.GetOptions{}); getErr != nil {
 return getErr
 }
 }
@@ -388,7 +388,7 @@ func (c *networkPolicyControl) UpdateAntreaNetworkPolicyStatus(namespace, name s
 return updateErr
 }
 
-func (c *networkPolicyControl) UpdateAntreaClusterNetworkPolicyStatus(name string, status *crdv1alpha1.NetworkPolicyStatus) error {
+func (c *networkPolicyControl) UpdateAntreaClusterNetworkPolicyStatus(name string, status *crdv1beta1.NetworkPolicyStatus) error {
 acnp, err := c.acnpLister.Get(name)
 if err != nil {
 klog.Infof("Didn't find the original Antrea ClusterNetworkPolicy %s, skip updating status", name)
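Review bot: In UpdateAntreaNetworkPolicyStatus (first hunk) and UpdateAntreaClusterNetworkPolicyStatus (third hunk), any error from the lister is logged as "Didn't find the original ..." and the status update is apparently skipped, which treats a transient lister failure the same as a genuine not-found and hides it behind an Info-level message; both function bodies continue outside the hunk, so the exact return on that path is not visible here. Distinguishing the two with the apimachinery errors package this file already uses, `if errors.IsNotFound(err) {` for the skip path and returning the error otherwise, would let the caller's retry surface real failures instead of leaving a policy's status silently stale.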
@@ -405,9 +405,9 @@ func (c *networkPolicyControl) UpdateAntreaClusterNetworkPolicyStatus(name strin
 if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
 toUpdate.Status = *status
 klog.V(2).InfoS("Updating Antrea ClusterNetworkPolicy", "ClusterNetworkPolicy", klog.KObj(toUpdate))
- _, updateErr := c.antreaClient.CrdV1alpha1().ClusterNetworkPolicies().UpdateStatus(context.TODO(), toUpdate, v1.UpdateOptions{})
+ _, updateErr := c.antreaClient.CrdV1beta1().ClusterNetworkPolicies().UpdateStatus(context.TODO(), toUpdate, v1.UpdateOptions{})
 if updateErr != nil && errors.IsConflict(updateErr) {
- if toUpdate, getErr = c.antreaClient.CrdV1alpha1().ClusterNetworkPolicies().Get(context.TODO(), name, v1.GetOptions{}); getErr != nil {
+ if toUpdate, getErr = c.antreaClient.CrdV1beta1().ClusterNetworkPolicies().Get(context.TODO(), name, v1.GetOptions{}); getErr != nil {
 return getErr
 }
 }
@@ -424,18 +424,18 @@ func (c *networkPolicyControl) UpdateAntreaClusterNetworkPolicyStatus(name strin
 // GenerateNetworkPolicyCondition generates conditions based on the given error type.
 // Error of nil type means the NetworkPolicyCondition status is True.
 // Supports ErrNetworkPolicyAppliedToUnsupportedGroup error.
-func GenerateNetworkPolicyCondition(err error) []crdv1alpha1.NetworkPolicyCondition {
- var conditions []crdv1alpha1.NetworkPolicyCondition
+func GenerateNetworkPolicyCondition(err error) []crdv1beta1.NetworkPolicyCondition {
+ var conditions []crdv1beta1.NetworkPolicyCondition
 switch err.(type) {
 case nil:
- conditions = append(conditions, crdv1alpha1.NetworkPolicyCondition{
- Type: crdv1alpha1.NetworkPolicyConditionRealizable,
+ conditions = append(conditions, crdv1beta1.NetworkPolicyCondition{
+ Type: crdv1beta1.NetworkPolicyConditionRealizable,
 Status: v1.ConditionTrue,
 LastTransitionTime: v1.Now(),
 })
 case *ErrNetworkPolicyAppliedToUnsupportedGroup:
- conditions = append(conditions, crdv1alpha1.NetworkPolicyCondition{
- Type: crdv1alpha1.NetworkPolicyConditionRealizable,
+ conditions = append(conditions, crdv1beta1.NetworkPolicyCondition{
+ Type: crdv1beta1.NetworkPolicyConditionRealizable,
 Status: v1.ConditionFalse,
 LastTransitionTime: v1.Now(),
 Reason: "NetworkPolicyAppliedToUnsupportedGroup",
diff --git a/pkg/controller/networkpolicy/status_controller_test.go b/pkg/controller/networkpolicy/status_controller_test.go
index a493d118ac9..00513ceb9b2 100644
--- a/pkg/controller/networkpolicy/status_controller_test.go
+++ b/pkg/controller/networkpolicy/status_controller_test.go
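Review bot: The type switch in GenerateNetworkPolicyCondition matches `*ErrNetworkPolicyAppliedToUnsupportedGroup` only when it is the error's dynamic type, so a caller that wraps it with `%w` would fall out of this case and the policy would not receive the Realizable=False condition; whether any caller wraps is not visible here, and the function continues past the end of the hunk. If wrapping is possible, `var unsupported *ErrNetworkPolicyAppliedToUnsupportedGroup` followed by `errors.As(err, &unsupported)` from the standard library (imported under an alias, since `errors` in this file is the apimachinery package) keeps the check robust; if it is not, a comment on the switch stating that the error is expected unwrapped would record the contract.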
@@ -27,7 +27,7 @@ import ( "k8s.io/client-go/util/workqueue" "antrea.io/antrea/pkg/apis/controlplane" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" "antrea.io/antrea/pkg/apiserver/storage" antreaclientset "antrea.io/antrea/pkg/client/clientset/versioned" antreafakeclientset "antrea.io/antrea/pkg/client/clientset/versioned/fake" @@ -38,31 +38,31 @@ import ( type fakeNetworkPolicyControl struct { sync.Mutex - annpStatus *crdv1alpha1.NetworkPolicyStatus - acnpStatus *crdv1alpha1.NetworkPolicyStatus + annpStatus *crdv1beta1.NetworkPolicyStatus + acnpStatus *crdv1beta1.NetworkPolicyStatus } -func (c *fakeNetworkPolicyControl) UpdateAntreaNetworkPolicyStatus(namespace, name string, status *crdv1alpha1.NetworkPolicyStatus) error { +func (c *fakeNetworkPolicyControl) UpdateAntreaNetworkPolicyStatus(namespace, name string, status *crdv1beta1.NetworkPolicyStatus) error { c.Lock() defer c.Unlock() c.annpStatus = status return nil } -func (c *fakeNetworkPolicyControl) UpdateAntreaClusterNetworkPolicyStatus(name string, status *crdv1alpha1.NetworkPolicyStatus) error { +func (c *fakeNetworkPolicyControl) UpdateAntreaClusterNetworkPolicyStatus(name string, status *crdv1beta1.NetworkPolicyStatus) error { c.Lock() defer c.Unlock() c.acnpStatus = status return nil } -func (c *fakeNetworkPolicyControl) getAntreaNetworkPolicyStatus() *crdv1alpha1.NetworkPolicyStatus { +func (c *fakeNetworkPolicyControl) getAntreaNetworkPolicyStatus() *crdv1beta1.NetworkPolicyStatus { c.Lock() defer c.Unlock() return c.annpStatus } -func (c *fakeNetworkPolicyControl) getAntreaClusterNetworkPolicyStatus() *crdv1alpha1.NetworkPolicyStatus { +func (c *fakeNetworkPolicyControl) getAntreaClusterNetworkPolicyStatus() *crdv1beta1.NetworkPolicyStatus { c.Lock() defer c.Unlock() return c.acnpStatus 
@@ -75,8 +75,8 @@ func newTestStatusController(initialObjects ...runtime.Object) (*StatusControlle antreaInformerFactory := antreainformers.NewSharedInformerFactory(antreaClientset, 0) networkPolicyControl := &fakeNetworkPolicyControl{} - acnpInformer := antreaInformerFactory.Crd().V1alpha1().ClusterNetworkPolicies() - annpInformer := antreaInformerFactory.Crd().V1alpha1().NetworkPolicies() + acnpInformer := antreaInformerFactory.Crd().V1beta1().ClusterNetworkPolicies() + annpInformer := antreaInformerFactory.Crd().V1beta1().NetworkPolicies() statusController := &StatusController{ npControlInterface: networkPolicyControl, queue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "networkpolicy"), @@ -119,7 +119,7 @@ func newNetworkPolicyStatus(name string, nodeName string, generation int64, erro func toAntreaNetworkPolicy(inp *types.NetworkPolicy) runtime.Object { if inp.SourceRef.Type == controlplane.AntreaNetworkPolicy { - return &crdv1alpha1.NetworkPolicy{ + return &crdv1beta1.NetworkPolicy{ ObjectMeta: v1.ObjectMeta{ Namespace: inp.SourceRef.Namespace, Name: inp.SourceRef.Name, @@ -127,7 +127,7 @@ func toAntreaNetworkPolicy(inp *types.NetworkPolicy) runtime.Object { }, } } - return &crdv1alpha1.ClusterNetworkPolicy{ + return &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: v1.ObjectMeta{ Name: inp.SourceRef.Name, Generation: inp.Generation, 
@@ -150,11 +150,11 @@ func newAntreaClusterNetworkPolicyReference(name string) *controlplane.NetworkPo
 }
 }
 
-func generateRealizationFailureConditions(failedNodeCount int, failedNodeDetails string) []crdv1alpha1.NetworkPolicyCondition {
+func generateRealizationFailureConditions(failedNodeCount int, failedNodeDetails string) []crdv1beta1.NetworkPolicyCondition {
 conditions := GenerateNetworkPolicyCondition(nil)
 failureMessage := fmt.Sprintf("Failed Nodes count %d: %s", failedNodeCount, failedNodeDetails)
- conditions = append(conditions, crdv1alpha1.NetworkPolicyCondition{
- Type: crdv1alpha1.NetworkPolicyConditionRealizationFailure,
+ conditions = append(conditions, crdv1beta1.NetworkPolicyCondition{
+ Type: crdv1beta1.NetworkPolicyConditionRealizationFailure,
 Status: v1.ConditionTrue,
 LastTransitionTime: v1.Now(),
 Reason: "NetworkPolicyRealizationFailedOnNode",
@@ -168,8 +168,8 @@ func TestCreateAntreaNetworkPolicy(t *testing.T) {
 name string
 networkPolicy []*types.NetworkPolicy
 collectedNetworkPolicyStatus []*controlplane.NetworkPolicyStatus
- expectedANNPStatus *crdv1alpha1.NetworkPolicyStatus
- expectedACNPStatus *crdv1alpha1.NetworkPolicyStatus
+ expectedANNPStatus *crdv1beta1.NetworkPolicyStatus
+ expectedACNPStatus *crdv1beta1.NetworkPolicyStatus
 }{
 {
 name: "no realization status",
@@ -177,15 +177,15 @@ func TestCreateAntreaNetworkPolicy(t *testing.T) {
 newInternalNetworkPolicy("annp1", 1, []string{"node1", "node2"}, newAntreaNetworkPolicyReference("ns1", "annp1")),
 newInternalNetworkPolicy("acnp1", 1, []string{"node1", "node2"}, newAntreaClusterNetworkPolicyReference("acnp1")),
 },
- expectedANNPStatus: &crdv1alpha1.NetworkPolicyStatus{
- Phase: crdv1alpha1.NetworkPolicyRealizing,
+ expectedANNPStatus: &crdv1beta1.NetworkPolicyStatus{
+ Phase: crdv1beta1.NetworkPolicyRealizing,
 ObservedGeneration: 1,
 CurrentNodesRealized: 0,
 DesiredNodesRealized: 2,
 Conditions: GenerateNetworkPolicyCondition(nil),
 },
- expectedACNPStatus: &crdv1alpha1.NetworkPolicyStatus{
- Phase: crdv1alpha1.NetworkPolicyRealizing,
+ expectedACNPStatus: &crdv1beta1.NetworkPolicyStatus{
+ Phase: crdv1beta1.NetworkPolicyRealizing,
 ObservedGeneration: 1,
 CurrentNodesRealized: 0,
 DesiredNodesRealized: 2,
@@ -204,15 +204,15 @@ func TestCreateAntreaNetworkPolicy(t *testing.T) {
 newNetworkPolicyStatus("acnp1", "node1", 2, ""),
 newNetworkPolicyStatus("acnp1", "node2", 3, ""),
 },
- expectedANNPStatus: &crdv1alpha1.NetworkPolicyStatus{
- Phase: crdv1alpha1.NetworkPolicyRealizing,
+ expectedANNPStatus: &crdv1beta1.NetworkPolicyStatus{
+ Phase: crdv1beta1.NetworkPolicyRealizing,
 ObservedGeneration: 2,
 CurrentNodesRealized: 1,
 DesiredNodesRealized: 2,
 Conditions: GenerateNetworkPolicyCondition(nil),
 },
- expectedACNPStatus: &crdv1alpha1.NetworkPolicyStatus{
- Phase: crdv1alpha1.NetworkPolicyRealizing,
+ expectedACNPStatus: &crdv1beta1.NetworkPolicyStatus{
+ Phase: crdv1beta1.NetworkPolicyRealizing,
 ObservedGeneration: 3,
 CurrentNodesRealized: 1,
 DesiredNodesRealized: 2,
@@ -231,15 +231,15 @@ func TestCreateAntreaNetworkPolicy(t *testing.T) {
 newNetworkPolicyStatus("acnp1", "node1", 4, ""),
 newNetworkPolicyStatus("acnp1", "node2", 4, ""),
 },
- expectedANNPStatus: &crdv1alpha1.NetworkPolicyStatus{
- Phase: crdv1alpha1.NetworkPolicyRealized,
+ expectedANNPStatus: &crdv1beta1.NetworkPolicyStatus{
+ Phase: crdv1beta1.NetworkPolicyRealized,
 ObservedGeneration: 3,
 CurrentNodesRealized: 2,
 DesiredNodesRealized: 2,
 Conditions: GenerateNetworkPolicyCondition(nil),
 },
- expectedACNPStatus: &crdv1alpha1.NetworkPolicyStatus{
- Phase: crdv1alpha1.NetworkPolicyRealized,
+ expectedACNPStatus: &crdv1beta1.NetworkPolicyStatus{
+ Phase: crdv1beta1.NetworkPolicyRealized,
 ObservedGeneration: 4,
 CurrentNodesRealized: 2,
 DesiredNodesRealized: 2,
@@ -258,15 +258,15 @@ func TestCreateAntreaNetworkPolicy(t *testing.T) {
 newNetworkPolicyStatus("acnp1", "node1", 5, "agent failure"),
 newNetworkPolicyStatus("acnp1", "node2", 5, "agent crash"),
 },
- expectedANNPStatus: &crdv1alpha1.NetworkPolicyStatus{
- Phase: crdv1alpha1.NetworkPolicyFailed,
+ expectedANNPStatus: &crdv1beta1.NetworkPolicyStatus{
+ Phase: crdv1beta1.NetworkPolicyFailed,
 ObservedGeneration: 4,
 CurrentNodesRealized: 1,
 DesiredNodesRealized: 2,
 Conditions: generateRealizationFailureConditions(1, `"node1":"agent failure"`),
 },
- expectedACNPStatus: &crdv1alpha1.NetworkPolicyStatus{
- Phase: crdv1alpha1.NetworkPolicyFailed,
+ expectedACNPStatus: &crdv1beta1.NetworkPolicyStatus{
+ Phase: crdv1beta1.NetworkPolicyFailed,
 ObservedGeneration: 5,
 CurrentNodesRealized: 0,
 DesiredNodesRealized: 2,
@@ -327,15 +327,15 @@ func TestUpdateAntreaNetworkPolicy(t *testing.T) {
 statusController.UpdateStatus(newNetworkPolicyStatus("acnp1", "node5", 2, ""))
 // TODO: Use a determinate mechanism.
 time.Sleep(500 * time.Millisecond)
- assert.True(t, NetworkPolicyStatusEqual(crdv1alpha1.NetworkPolicyStatus{
- Phase: crdv1alpha1.NetworkPolicyRealized,
+ assert.True(t, NetworkPolicyStatusEqual(crdv1beta1.NetworkPolicyStatus{
+ Phase: crdv1beta1.NetworkPolicyRealized,
 ObservedGeneration: 1,
 CurrentNodesRealized: 2,
 DesiredNodesRealized: 2,
 Conditions: GenerateNetworkPolicyCondition(nil),
 }, *networkPolicyControl.getAntreaNetworkPolicyStatus()))
- assert.True(t, NetworkPolicyStatusEqual(crdv1alpha1.NetworkPolicyStatus{
- Phase: crdv1alpha1.NetworkPolicyRealized,
+ assert.True(t, NetworkPolicyStatusEqual(crdv1beta1.NetworkPolicyStatus{
+ Phase: crdv1beta1.NetworkPolicyRealized,
 ObservedGeneration: 2,
 CurrentNodesRealized: 3,
 DesiredNodesRealized: 3,
@@ -348,15 +348,15 @@ func TestUpdateAntreaNetworkPolicy(t *testing.T) {
 networkPolicyStore.Update(acnp1Updated)
 // TODO: Use a determinate mechanism.
 time.Sleep(500 * time.Millisecond)
- assert.True(t, NetworkPolicyStatusEqual(crdv1alpha1.NetworkPolicyStatus{
- Phase: crdv1alpha1.NetworkPolicyRealizing,
+ assert.True(t, NetworkPolicyStatusEqual(crdv1beta1.NetworkPolicyStatus{
+ Phase: crdv1beta1.NetworkPolicyRealizing,
 ObservedGeneration: 2,
 CurrentNodesRealized: 0,
 DesiredNodesRealized: 3,
 Conditions: GenerateNetworkPolicyCondition(nil),
 }, *networkPolicyControl.getAntreaNetworkPolicyStatus()))
- assert.True(t, NetworkPolicyStatusEqual(crdv1alpha1.NetworkPolicyStatus{
- Phase: crdv1alpha1.NetworkPolicyRealizing,
+ assert.True(t, NetworkPolicyStatusEqual(crdv1beta1.NetworkPolicyStatus{
+ Phase: crdv1beta1.NetworkPolicyRealizing,
 ObservedGeneration: 3,
 CurrentNodesRealized: 0,
 DesiredNodesRealized: 2,
diff --git a/pkg/controller/networkpolicy/validate.go b/pkg/controller/networkpolicy/validate.go
index c085ab2782f..b213ea185ae 100644
--- a/pkg/controller/networkpolicy/validate.go
+++ b/pkg/controller/networkpolicy/validate.go
@@ -33,7 +33,6 @@ import (
 "k8s.io/apiserver/pkg/authentication/serviceaccount"
 "k8s.io/klog/v2"
 
- crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 "antrea.io/antrea/pkg/controller/networkpolicy/store"
 "antrea.io/antrea/pkg/features"
@@ -214,7 +213,7 @@ func (v *NetworkPolicyValidator) Validate(ar *admv1.AdmissionReview) *admv1.Admi
 msg, allowed = v.validateAntreaGroup(&curG, &oldG, op, ui)
 case "ClusterNetworkPolicy":
 klog.V(2).Info("Validating Antrea ClusterNetworkPolicy CRD")
- var curACNP, oldACNP crdv1alpha1.ClusterNetworkPolicy
+ var curACNP, oldACNP crdv1beta1.ClusterNetworkPolicy
 if curRaw != nil {
 if err := json.Unmarshal(curRaw, &curACNP); err != nil {
 klog.Errorf("Error de-serializing current Antrea ClusterNetworkPolicy")
@@ -230,7 +229,7 @@ func (v *NetworkPolicyValidator) Validate(ar *admv1.AdmissionReview) *admv1.Admi
 msg, allowed = v.validateAntreaPolicy(&curACNP, &oldACNP, op, ui)
 case "NetworkPolicy":
 klog.V(2).Info("Validating Antrea NetworkPolicy CRD")
- var curANNP, oldANNP crdv1alpha1.NetworkPolicy
+ var curANNP, oldANNP crdv1beta1.NetworkPolicy
 if curRaw != nil {
 if err := json.Unmarshal(curRaw, &curANNP); err != nil {
 klog.Errorf("Error de-serializing current Antrea NetworkPolicy")
@@ -289,8 +288,8 @@ func (v *NetworkPolicyValidator) validateAntreaPolicy(curObj, oldObj interface{}
 }
 
 // validatePort validates if ports is valid
-func (v *antreaPolicyValidator) validatePort(ingress, egress []crdv1alpha1.Rule) error {
- isValid := func(rules []crdv1alpha1.Rule) error {
+func (v *antreaPolicyValidator) validatePort(ingress, egress []crdv1beta1.Rule) error {
+ isValid := func(rules []crdv1beta1.Rule) error {
 for _, rule := range rules {
 for _, port := range rule.Ports {
 if port.EndPort != nil {
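Review bot: The ClusterNetworkPolicy and NetworkPolicy cases now decode the raw admission object into the v1beta1 structs, but as far as the hunk shows the dispatch keys on the kind only, not on the request's version. json.Unmarshal drops fields the target struct does not know, so if another version of these kinds is still served and routed to this webhook, a field that exists only in that version would be silently discarded before validateAntreaPolicy runs rather than being rejected. Either the ValidatingWebhookConfiguration must list only the version these structs match, or the handler should check `ar.Request.Kind.Version` before decoding and deny anything else; a comment above the case stating which of the two holds would make the assumption visible. Validate's body continues outside the hunk.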
@@ -418,17 +417,17 @@ func (v *antreaPolicyValidator) createValidate(curObj interface{}, userInfo auth
 // validatePolicy validates the CREATE and UPDATE events of Antrea-native policies,
 func (v *antreaPolicyValidator) validatePolicy(curObj interface{}) (string, bool) {
 var tier string
- var ingress, egress []crdv1alpha1.Rule
- var specAppliedTo []crdv1alpha1.AppliedTo
+ var ingress, egress []crdv1beta1.Rule
+ var specAppliedTo []crdv1beta1.AppliedTo
 switch curObj.(type) {
- case *crdv1alpha1.ClusterNetworkPolicy:
- curACNP := curObj.(*crdv1alpha1.ClusterNetworkPolicy)
+ case *crdv1beta1.ClusterNetworkPolicy:
+ curACNP := curObj.(*crdv1beta1.ClusterNetworkPolicy)
 tier = curACNP.Spec.Tier
 ingress = curACNP.Spec.Ingress
 egress = curACNP.Spec.Egress
 specAppliedTo = curACNP.Spec.AppliedTo
- case *crdv1alpha1.NetworkPolicy:
- curANNP := curObj.(*crdv1alpha1.NetworkPolicy)
+ case *crdv1beta1.NetworkPolicy:
+ curANNP := curObj.(*crdv1beta1.NetworkPolicy)
 tier = curANNP.Spec.Tier
 ingress = curANNP.Spec.Ingress
 egress = curANNP.Spec.Egress
@@ -480,9 +479,9 @@ func (v *antreaPolicyValidator) validatePolicy(curObj interface{}) (string, bool
 }
 
 // validateRuleName validates if the name of each rule is unique within a policy
-func (v *antreaPolicyValidator) validateRuleName(ingress, egress []crdv1alpha1.Rule) bool {
+func (v *antreaPolicyValidator) validateRuleName(ingress, egress []crdv1beta1.Rule) bool {
 uniqueRuleName := sets.New[string]()
- isUnique := func(rules []crdv1alpha1.Rule) bool {
+ isUnique := func(rules []crdv1beta1.Rule) bool {
 for _, rule := range rules {
 if uniqueRuleName.Has(rule.Name) {
 return false
@@ -494,9 +493,9 @@ func (v *antreaPolicyValidator) validateRuleName(ingress, egress []crdv1alpha1.R
 return isUnique(ingress) && isUnique(egress)
 }
 
-func (v *antreaPolicyValidator) validateAppliedTo(ingress, egress []crdv1alpha1.Rule, specAppliedTo []crdv1alpha1.AppliedTo) (string, bool) {
+func (v *antreaPolicyValidator) validateAppliedTo(ingress, egress []crdv1beta1.Rule, specAppliedTo []crdv1beta1.AppliedTo) (string, bool) {
 appliedToInSpec := len(specAppliedTo) != 0
- countAppliedToInRules := func(rules []crdv1alpha1.Rule) int {
+ countAppliedToInRules := func(rules []crdv1beta1.Rule) int {
 num := 0
 for _, rule := range rules {
 if len(rule.AppliedTo) != 0 {
@@ -524,7 +523,7 @@ func (v *antreaPolicyValidator) validateAppliedTo(ingress, egress []crdv1alpha1.
 appliedToEgressRule = 2
 )
 
- checkAppliedTo := func(appliedTo []crdv1alpha1.AppliedTo, appliedToScope int) (string, bool) {
+ checkAppliedTo := func(appliedTo []crdv1beta1.AppliedTo, appliedToScope int) (string, bool) {
 appliedToSvcNum := 0
 for _, eachAppliedTo := range appliedTo {
 appliedToFieldsNum := numFieldsSetInStruct(eachAppliedTo)
@@ -575,8 +574,8 @@ func (v *antreaPolicyValidator) validateAppliedTo(ingress, egress []crdv1alpha1.
 
 // validatePeers ensures that the NetworkPolicyPeer object set in rules are valid, i.e.
 // currently it ensures that a Group cannot be set with other stand-alone selectors or IPBlock.
-func (v *antreaPolicyValidator) validatePeers(ingress, egress []crdv1alpha1.Rule) (string, bool) {
- checkPeers := func(peers []crdv1alpha1.NetworkPolicyPeer) (string, bool) {
+func (v *antreaPolicyValidator) validatePeers(ingress, egress []crdv1beta1.Rule) (string, bool) {
+ checkPeers := func(peers []crdv1beta1.NetworkPolicyPeer) (string, bool) {
 for _, peer := range peers {
 if peer.NamespaceSelector != nil && peer.Namespaces != nil {
 return "namespaces and namespaceSelector cannot be set at the same time for a single NetworkPolicyPeer", false
@@ -622,8 +621,8 @@ func (v *antreaPolicyValidator) validatePeers(ingress, egress []crdv1alpha1.Rule
 
 // validateAppliedToServiceIngressPeer ensures that if a policy or an ingress rule
 // is applied to Services, the ingress rule can only use ipBlock to select workloads.
-func (v *antreaPolicyValidator) validateAppliedToServiceIngressPeer(specAppliedTo []crdv1alpha1.AppliedTo, ingress []crdv1alpha1.Rule) (string, bool) {
- isAppliedToService := func(peers []crdv1alpha1.AppliedTo) bool {
+func (v *antreaPolicyValidator) validateAppliedToServiceIngressPeer(specAppliedTo []crdv1beta1.AppliedTo, ingress []crdv1beta1.Rule) (string, bool) {
+ isAppliedToService := func(peers []crdv1beta1.AppliedTo) bool {
 if len(peers) > 0 {
 return peers[0].Service != nil
 }
@@ -694,24 +693,24 @@ func (v *antreaPolicyValidator) validateTierForPolicy(tier string) (string, bool
 }
 
 // validateTierForPassAction validates that rules with pass action are not created in the Baseline Tier.
-func (v *antreaPolicyValidator) validateTierForPassAction(tier string, ingress, egress []crdv1alpha1.Rule) (string, bool) {
+func (v *antreaPolicyValidator) validateTierForPassAction(tier string, ingress, egress []crdv1beta1.Rule) (string, bool) {
 if strings.ToLower(tier) != baselineTierName {
 return "", true
 }
 for _, rule := range ingress {
- if *rule.Action == crdv1alpha1.RuleActionPass {
+ if *rule.Action == crdv1beta1.RuleActionPass {
 return fmt.Sprintf("`Pass` action should not be set for Baseline Tier policy rules"), false
 }
 }
 for _, rule := range egress {
- if *rule.Action == crdv1alpha1.RuleActionPass {
+ if *rule.Action == crdv1beta1.RuleActionPass {
 return fmt.Sprintf("`Pass` action should not be set for Baseline Tier policy rules"), false
 }
 }
 return "", true
 }
 
-func (v *antreaPolicyValidator) validateEgressMulticastAddress(egressRule []crdv1alpha1.Rule) (string, bool) {
+func (v *antreaPolicyValidator) validateEgressMulticastAddress(egressRule []crdv1beta1.Rule) (string, bool) {
 for _, r := range egressRule {
 multicast := false
 unicast := false
@@ -733,7 +732,7 @@ func (v *antreaPolicyValidator) validateEgressMulticastAddress(egressRule []crdv
 to.ExternalEntitySelector != nil || to.ServiceAccount != nil || to.NodeSelector != nil {
 otherSelectors = true
 }
- if multicast && (*r.Action == crdv1alpha1.RuleActionPass || *r.Action == crdv1alpha1.RuleActionReject) {
+ if multicast && (*r.Action == crdv1beta1.RuleActionPass || *r.Action == crdv1beta1.RuleActionReject) {
 return fmt.Sprintf("multicast does not support action Pass or Reject"), false
 }
 }
@@ -747,7 +746,7 @@ func (v *antreaPolicyValidator) validateEgressMulticastAddress(egressRule []crdv
 return "", true
 }
 
-func validateIGMPProtocol(protocol crdv1alpha1.NetworkPolicyProtocol) (string, bool) {
+func validateIGMPProtocol(protocol crdv1beta1.NetworkPolicyProtocol) (string, bool) {
 if protocol.IGMP.GroupAddress == "" {
 return "", true
 }
@@ -759,7 +758,7 @@ func validateIGMPProtocol(protocol crdv1alpha1.NetworkPolicyProtocol) (string, b
 return "", true
 }
 
-func (v *antreaPolicyValidator) validateMulticastIGMP(ingressRules, egressRules []crdv1alpha1.Rule) (string, bool) {
+func (v *antreaPolicyValidator) validateMulticastIGMP(ingressRules, egressRules []crdv1beta1.Rule) (string, bool) {
 haveIGMP := false
 haveICMP := false
 for _, r := range append(ingressRules, egressRules...) {
@@ -770,7 +769,7 @@ func (v *antreaPolicyValidator) validateMulticastIGMP(ingressRules, egressRules
 if !allowed {
 return reason, allowed
 }
- if *r.Action == crdv1alpha1.RuleActionPass || *r.Action == crdv1alpha1.RuleActionReject {
+ if *r.Action == crdv1beta1.RuleActionPass || *r.Action == crdv1beta1.RuleActionReject {
 return "protocol IGMP does not support Pass or Reject", false
 }
 }
@@ -787,7 +786,7 @@ func (v *antreaPolicyValidator) validateMulticastIGMP(ingressRules, egressRules
 
 // validateL7Protocols validates the L7Protocols field set in Antrea-native policy
 // rules are valid, and compatible with the ports or protocols fields.
-func (v *antreaPolicyValidator) validateL7Protocols(ingressRules, egressRules []crdv1alpha1.Rule) (string, bool) {
+func (v *antreaPolicyValidator) validateL7Protocols(ingressRules, egressRules []crdv1beta1.Rule) (string, bool) {
 for _, r := range append(ingressRules, egressRules...) {
 if len(r.L7Protocols) == 0 {
 continue
@@ -795,7 +794,7 @@ func (v *antreaPolicyValidator) validateL7Protocols(ingressRules, egressRules []
 if !features.DefaultFeatureGate.Enabled(features.L7NetworkPolicy) {
 return fmt.Sprintf("layer 7 protocols can only be used when L7NetworkPolicy is enabled"), false
 }
- if *r.Action != crdv1alpha1.RuleActionAllow {
+ if *r.Action != crdv1beta1.RuleActionAllow {
 return "layer 7 protocols only support Allow", false
 }
 if len(r.ToServices) != 0 {
@@ -822,7 +821,7 @@ func (v *antreaPolicyValidator) validateL7Protocols(ingressRules, egressRules []
 }
 
 // validateFQDNSelectors validates the toFQDN field set in Antrea-native policy egress rules are valid.
-func (v *antreaPolicyValidator) validateFQDNSelectors(egressRules []crdv1alpha1.Rule) (string, bool) {
+func (v *antreaPolicyValidator) validateFQDNSelectors(egressRules []crdv1beta1.Rule) (string, bool) {
 for _, r := range egressRules {
 for _, peer := range r.To {
 if len(peer.FQDN) > 0 && !allowedFQDNChars.MatchString(peer.FQDN) {
diff --git a/pkg/controller/networkpolicy/validate_test.go b/pkg/controller/networkpolicy/validate_test.go
index 5bcd58a42c7..7660f866fcd 100644
--- a/pkg/controller/networkpolicy/validate_test.go
+++ b/pkg/controller/networkpolicy/validate_test.go
@@ -25,16 +25,15 @@ import (
 "k8s.io/component-base/featuregate"
 featuregatetesting "k8s.io/component-base/featuregate/testing"
 
- crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 "antrea.io/antrea/pkg/features"
 )
 
 var (
- query = crdv1alpha1.IGMPQuery
- report = crdv1alpha1.IGMPReportV1
- allowAction = crdv1alpha1.RuleActionAllow
- passAction = crdv1alpha1.RuleActionPass
+ query = crdv1beta1.IGMPQuery
+ report = crdv1beta1.IGMPReportV1
+ allowAction = crdv1beta1.RuleActionAllow
+ passAction = crdv1beta1.RuleActionPass
 portNum80 = int32(80)
 )
 
@@ -42,18 +41,18 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 tests := []struct {
 name string
 featureGates map[featuregate.Feature]bool
- policy *crdv1alpha1.ClusterNetworkPolicy
+ policy *crdv1beta1.ClusterNetworkPolicy
 operation admv1.Operation
 expectedReason string
 }{
 {
 name: "acnp-non-existent-tier",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "non-existent-tier",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo": "bar"},
@@ -68,12 +67,12 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-static-tier",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-static-tier",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo": "bar"},
@@ -88,12 +87,12 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-ingress-baseline-pass-action",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-ingress-baseline-pass-action",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
@@ -101,10 +100,10 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 },
 Tier: "Baseline",
- Ingress: []crdv1alpha1.Rule{
+ Ingress: []crdv1beta1.Rule{
 {
 Action: &passAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo2": "bar2"},
@@ -120,12 +119,12 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-egress-baseline-pass-action",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-egress-baseline-pass-action",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
@@ -133,10 +132,10 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 },
 Tier: "Baseline",
- Egress: []crdv1alpha1.Rule{
+ Egress: []crdv1beta1.Rule{
 {
 Action: &passAction,
- To: []crdv1alpha1.NetworkPolicyPeer{
+ To: []crdv1beta1.NetworkPolicyPeer{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo2": "bar2"},
@@ -152,12 +151,12 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-egress-pass-action",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-egress-pass-action",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
@@ -165,10 +164,10 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 },
 Tier: "Application",
- Egress: []crdv1alpha1.Rule{
+ Egress: []crdv1beta1.Rule{
 {
 Action: &passAction,
- To: []crdv1alpha1.NetworkPolicyPeer{
+ To: []crdv1beta1.NetworkPolicyPeer{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo2": "bar2"},
@@ -184,22 +183,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-non-unique-rule-name",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-non-unique-rule-name",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Ingress: []crdv1alpha1.Rule{
+ Ingress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo2": "bar2"},
@@ -210,7 +209,7 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 Action: &passAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo3": "bar3"},
@@ -227,29 +226,29 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-appliedto-both-spec-rule",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-appliedto-both-spec-rule",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Ingress: []crdv1alpha1.Rule{
+ Ingress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo2": "bar2"},
 },
 },
 },
- AppliedTo: []crdv1alpha1.AppliedTo{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo3": "bar3"},
@@ -265,15 +264,15 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-no-appliedto",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-no-appliedto",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- Ingress: []crdv1alpha1.Rule{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ Ingress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo2": "bar2"},
@@ -289,22 +288,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-portion-rule-appliedto",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-portion-rule-appliedto",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- Ingress: []crdv1alpha1.Rule{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ Ingress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- AppliedTo: []crdv1alpha1.AppliedTo{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo2": "bar2"},
@@ -315,7 +314,7 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 Action: &passAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo3": "bar3"},
@@ -332,22 +331,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-rule-appliedto",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-rule-appliedto",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- Ingress: []crdv1alpha1.Rule{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ Ingress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- AppliedTo: []crdv1alpha1.AppliedTo{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo2": "bar2"},
@@ -358,14 +357,14 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 Action: &passAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo3": "bar3"},
 },
 },
 },
- AppliedTo: []crdv1alpha1.AppliedTo{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo4": "bar4"},
@@ -382,12 +381,12 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-appliedto-group-set-with-psel",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-appliedto-group-set-with-psel",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
@@ -402,12 +401,12 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-appliedto-group-set-with-nssel",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-appliedto-group-set-with-nssel",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
@@ -422,23 +421,23 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-appliedto-group-alone",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-appliedto-group-alone",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 Group: "group1",
 },
 },
- Ingress: []crdv1alpha1.Rule{
+ Ingress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
- Namespaces: &crdv1alpha1.PeerNamespaces{
- Match: crdv1alpha1.NamespaceMatchSelf,
+ Namespaces: &crdv1beta1.PeerNamespaces{
+ Match: crdv1beta1.NamespaceMatchSelf,
 },
 },
 },
@@ -451,22 +450,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-rule-group-set-with-psel",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-rule-group-set-with-psel",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Ingress: []crdv1alpha1.Rule{
+ Ingress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
 PodSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo2": "bar2"},
@@ -483,22 +482,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-rule-group-set-with-nssel",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-rule-group-set-with-nssel",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Ingress: []crdv1alpha1.Rule{
+ Ingress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo2": "bar2"},
@@ -515,24 +514,24 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-rule-group-set-with-ipblock",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-rule-group-set-with-ipblock",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Ingress: []crdv1alpha1.Rule{
+ Ingress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
- IPBlock: &crdv1alpha1.IPBlock{
+ IPBlock: &crdv1beta1.IPBlock{
 CIDR: "10.0.0.10/32",
 },
 Group: "group1",
@@ -547,25 +546,25 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-rule-group-set-with-ns",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-rule-group-set-with-ns",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Ingress: []crdv1alpha1.Rule{
+ Ingress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
- Namespaces: &crdv1alpha1.PeerNamespaces{
- Match: crdv1alpha1.NamespaceMatchSelf,
+ Namespaces: &crdv1beta1.PeerNamespaces{
+ Match: crdv1beta1.NamespaceMatchSelf,
 },
 Group: "group1",
 },
@@ -579,22 +578,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-rule-group-set-with-fqdn",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-rule-group-set-with-fqdn",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Egress: []crdv1alpha1.Rule{
+ Egress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- To: []crdv1alpha1.NetworkPolicyPeer{
+ To: []crdv1beta1.NetworkPolicyPeer{
 {
 FQDN: "foo.bar",
 Group: "group1",
@@ -609,22 +608,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-rule-group-set-with-eesel",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-rule-group-set-with-eesel",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Ingress: []crdv1alpha1.Rule{
+ Ingress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
 ExternalEntitySelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo2": "bar2"},
@@ -641,22 +640,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-rule-group-alone",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-rule-group-alone",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Ingress: []crdv1alpha1.Rule{
+ Ingress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
 Group: "group1",
 },
@@ -670,28 +669,28 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-rule-ns-set-with-nssel",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-rule-ns-set-with-nssel",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Ingress: []crdv1alpha1.Rule{
+ Ingress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- From: []crdv1alpha1.NetworkPolicyPeer{
+ From: []crdv1beta1.NetworkPolicyPeer{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo2": "bar2"},
 },
- Namespaces: &crdv1alpha1.PeerNamespaces{
- Match: crdv1alpha1.NamespaceMatchSelf,
+ Namespaces: &crdv1beta1.PeerNamespaces{
+ Match: crdv1beta1.NamespaceMatchSelf,
 },
 },
 },
@@ -704,29 +703,29 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-toservice-set-with-to",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-toservice-set-with-to",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Egress: []crdv1alpha1.Rule{
+ Egress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- To: []crdv1alpha1.NetworkPolicyPeer{
+ To: []crdv1beta1.NetworkPolicyPeer{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo2": "bar2"},
 },
 },
 },
- ToServices: []crdv1alpha1.PeerService{
+ ToServices: []crdv1beta1.PeerService{
 {
 Name: "foo",
 Namespace: "bar",
@@ -741,27 +740,27 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-toservice-set-with-ports",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-toservice-set-with-ports",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Egress: []crdv1alpha1.Rule{
+ Egress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- Ports: []crdv1alpha1.NetworkPolicyPort{
+ Ports: []crdv1beta1.NetworkPolicyPort{
 {
 Port: &int80,
 },
 },
- ToServices: []crdv1alpha1.PeerService{
+ ToServices: []crdv1beta1.PeerService{
 {
 Name: "foo",
 Namespace: "bar",
@@ -776,27 +775,27 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-toservice-set-with-protocols",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-toservice-set-with-protocols",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Egress: []crdv1alpha1.Rule{
+ Egress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- Protocols: []crdv1alpha1.NetworkPolicyProtocol{
+ Protocols: []crdv1beta1.NetworkPolicyProtocol{
 {
- ICMP: &crdv1alpha1.ICMPProtocol{},
+ ICMP: &crdv1beta1.ICMPProtocol{},
 },
 },
- ToServices: []crdv1alpha1.PeerService{
+ ToServices: []crdv1beta1.PeerService{
 {
 Name: "foo",
 Namespace: "bar",
@@ -811,22 +810,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-toservice-alone",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-toservice-alone",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Egress: []crdv1alpha1.Rule{
+ Egress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- ToServices: []crdv1alpha1.PeerService{
+ ToServices: []crdv1beta1.PeerService{
 {
 Name: "foo",
 Namespace: "bar",
@@ -841,22 +840,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-invalid-fqdn",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-invalid-fqdn",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Egress: []crdv1alpha1.Rule{
+ Egress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- To: []crdv1alpha1.NetworkPolicyPeer{
+ To: []crdv1beta1.NetworkPolicyPeer{
 {
 FQDN: "foo!bar",
 },
@@ -870,22 +869,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 },
 {
 name: "acnp-valid-fqdn",
- policy: &crdv1alpha1.ClusterNetworkPolicy{
+ policy: &crdv1beta1.ClusterNetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "acnp-valid-fqdn",
 },
- Spec: crdv1alpha1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1alpha1.AppliedTo{
+ Spec: crdv1beta1.ClusterNetworkPolicySpec{
+ AppliedTo: []crdv1beta1.AppliedTo{
 {
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"foo1": "bar1"},
 },
 },
 },
- Egress: []crdv1alpha1.Rule{
+ Egress: []crdv1beta1.Rule{
 {
 Action: &allowAction,
- To: []crdv1alpha1.NetworkPolicyPeer{
+ To: []crdv1beta1.NetworkPolicyPeer{
 {
 FQDN: "foo.bar",
 },
@@ -899,22 +898,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "acnp-endport-without-port-in-ports", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "acnp-endport-without-port-in-ports", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo1": "bar1"}, }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { EndPort: &portNum80, }, @@ -928,22 +927,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "acnp-sourceendport-without-sourceport-in-ports", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "acnp-sourceendport-without-port-in-ports", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo1": "bar1"}, }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { SourceEndPort: &int32For32230, }, 
@@ -957,22 +956,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "acnp-endport-smaller-port-in-ports", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "acnp-endport-smaller-port-in-ports", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo1": "bar1"}, }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int81, EndPort: &portNum80, @@ -987,22 +986,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "acnp-sourceendport-smaller-sourceport-in-ports", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "acnp-sourceendport-smaller-port-in-ports", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo1": "bar1"}, }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { SourcePort: &int32For32230, SourceEndPort: &int32For32220, 
@@ -1017,22 +1016,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "acnp-named-port-with-endport-in-ports", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "acnp-named-port-with-endport-in-ports", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo1": "bar1"}, }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &strHTTP, EndPort: &portNum80, @@ -1047,22 +1046,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "acnp-port-range-in-ports", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "acnp-port-range-in-ports", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo1": "bar1"}, }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &int80, EndPort: &int32For1999, 
@@ -1077,12 +1076,12 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "acnp-invalid-label-key-applied-to", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "acnp-invalid-label-key-applied-to", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo=": "bar"}, @@ -1096,22 +1095,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "acnp-invalid-label-value-applied-to", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "acnp-invalid-label-value-applied-to", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - Ingress: []crdv1alpha1.Rule{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo": "bar"}, }, }, }, - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo1": "bar="}, 
@@ -1127,22 +1126,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "acnp-invalid-label-key-rule", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "acnp-invalid-label-key-rule", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo": "bar"}, }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo=": "bar1"}, @@ -1158,17 +1157,17 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "acnp-appliedto-service-set-with-psel", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "acnp-appliedto-service-set-with-psel", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo1": "bar1"}, }, - Service: &crdv1alpha1.NamespacedName{ + Service: &crdv1beta1.NamespacedName{ Namespace: "foo2", Name: "bar2", }, 
@@ -1181,19 +1180,19 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "acnp-appliedto-service-and-psel", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "acnp-appliedto-service-and-psel", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo1": "bar1"}, }, }, { - Service: &crdv1alpha1.NamespacedName{ + Service: &crdv1beta1.NamespacedName{ Namespace: "foo2", Name: "bar2", }, @@ -1206,25 +1205,25 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "acnp-appliedto-service-with-egress-rule", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "acnp-appliedto-service-with-egress-rule", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { - Service: &crdv1alpha1.NamespacedName{ + Service: &crdv1beta1.NamespacedName{ Namespace: "foo1", Name: "bar1", }, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { Action: &allowAction, - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { - IPBlock: &crdv1alpha1.IPBlock{ + IPBlock: &crdv1beta1.IPBlock{ CIDR: "10.0.0.10/32", }, }, 
@@ -1238,24 +1237,24 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "egress-rule-appliedto-service", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "egress-rule-appliedto-service", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - Egress: []crdv1alpha1.Rule{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + Egress: []crdv1beta1.Rule{ { Action: &allowAction, - To: []crdv1alpha1.NetworkPolicyPeer{ + To: []crdv1beta1.NetworkPolicyPeer{ { - IPBlock: &crdv1alpha1.IPBlock{ + IPBlock: &crdv1beta1.IPBlock{ CIDR: "10.0.0.10/32", }, }, }, - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ { - Service: &crdv1alpha1.NamespacedName{ + Service: &crdv1beta1.NamespacedName{ Namespace: "foo1", Name: "bar1", }, @@ -1270,23 +1269,23 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "acnp-appliedto-service-from-psel", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingress-rule-appliedto-service", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { - Service: &crdv1alpha1.NamespacedName{ + Service: &crdv1beta1.NamespacedName{ Namespace: "foo1", Name: "bar1", }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo1": "bar1"}, 
@@ -1302,25 +1301,25 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "acnp-appliedto-service-valid", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingress-rule-appliedto-service", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { - Service: &crdv1alpha1.NamespacedName{ + Service: &crdv1beta1.NamespacedName{ Namespace: "foo1", Name: "bar1", }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { - IPBlock: &crdv1alpha1.IPBlock{ + IPBlock: &crdv1beta1.IPBlock{ CIDR: "10.0.0.10/32", }, }, @@ -1335,25 +1334,25 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { { name: "acnp-l7protocols-used-with-allow", featureGates: map[featuregate.Feature]bool{features.L7NetworkPolicy: true}, - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingress-rule-l7protocols", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { - Service: &crdv1alpha1.NamespacedName{ + Service: &crdv1beta1.NamespacedName{ Namespace: "foo1", Name: "bar1", }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - L7Protocols: []crdv1alpha1.L7Protocol{ + L7Protocols: []crdv1beta1.L7Protocol{ { - HTTP: &crdv1alpha1.HTTPProtocol{ + HTTP: &crdv1beta1.HTTPProtocol{ Host: "test.com", Method: "GET", Path: "/admin", 
@@ -1370,25 +1369,25 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { { name: "acnp-l7protocols-used-with-pass", featureGates: map[featuregate.Feature]bool{features.L7NetworkPolicy: true}, - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingress-rule-l7protocols", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { - Service: &crdv1alpha1.NamespacedName{ + Service: &crdv1beta1.NamespacedName{ Namespace: "foo1", Name: "bar1", }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &passAction, - L7Protocols: []crdv1alpha1.L7Protocol{ + L7Protocols: []crdv1beta1.L7Protocol{ { - HTTP: &crdv1alpha1.HTTPProtocol{ + HTTP: &crdv1beta1.HTTPProtocol{ Host: "test.com", Method: "GET", }, @@ -1404,30 +1403,30 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { { name: "acnp-l7protocols-HTTP-used-with-UDP", featureGates: map[featuregate.Feature]bool{features.L7NetworkPolicy: true}, - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingress-rule-l7protocols", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { - Service: &crdv1alpha1.NamespacedName{ + Service: &crdv1beta1.NamespacedName{ Namespace: "foo1", Name: "bar1", }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Protocol: &k8sProtocolUDP, }, }, - L7Protocols: []crdv1alpha1.L7Protocol{ + L7Protocols: []crdv1beta1.L7Protocol{ { - HTTP: &crdv1alpha1.HTTPProtocol{ + HTTP: &crdv1beta1.HTTPProtocol{ Host: "test.com", Method: "GET", }, 
@@ -1443,30 +1442,30 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { { name: "acnp-l7protocols-HTTP-used-with-ICMP", featureGates: map[featuregate.Feature]bool{features.L7NetworkPolicy: true}, - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingress-rule-l7protocols", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { - Service: &crdv1alpha1.NamespacedName{ + Service: &crdv1beta1.NamespacedName{ Namespace: "foo1", Name: "bar1", }, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Action: &allowAction, - Protocols: []crdv1alpha1.NetworkPolicyProtocol{ + Protocols: []crdv1beta1.NetworkPolicyProtocol{ { - ICMP: &crdv1alpha1.ICMPProtocol{}, + ICMP: &crdv1beta1.ICMPProtocol{}, }, }, - L7Protocols: []crdv1alpha1.L7Protocol{ + L7Protocols: []crdv1beta1.L7Protocol{ { - HTTP: &crdv1alpha1.HTTPProtocol{ + HTTP: &crdv1beta1.HTTPProtocol{ Host: "test.com", Method: "GET", }, 
@@ -1482,30 +1481,30 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { { name: "acnp-l7protocols-used-with-toService", featureGates: map[featuregate.Feature]bool{features.L7NetworkPolicy: true}, - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "egress-rule-l7protocols", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo1": "bar1"}, }, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { Action: &allowAction, - L7Protocols: []crdv1alpha1.L7Protocol{ + L7Protocols: []crdv1beta1.L7Protocol{ { - HTTP: &crdv1alpha1.HTTPProtocol{ + HTTP: &crdv1beta1.HTTPProtocol{ Host: "test.com", Method: "GET", }, }, }, - ToServices: []crdv1alpha1.PeerService{ + ToServices: []crdv1beta1.PeerService{ { Name: "foo", Namespace: "bar", @@ -1521,20 +1520,20 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { { name: "L7NetworkPolicy-disabled", featureGates: map[featuregate.Feature]bool{features.L7NetworkPolicy: false}, - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "egress-rule-l7protocols", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &metav1.LabelSelector{}, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { Action: &allowAction, - L7Protocols: []crdv1alpha1.L7Protocol{ + L7Protocols: []crdv1beta1.L7Protocol{ { HTTP: nil, }, 
@@ -1548,22 +1547,22 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "igmp-icmp-both-specified", - policy: &crdv1alpha1.ClusterNetworkPolicy{ - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + policy: &crdv1beta1.ClusterNetworkPolicy{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &metav1.LabelSelector{}, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Protocols: []crdv1alpha1.NetworkPolicyProtocol{ + Protocols: []crdv1beta1.NetworkPolicyProtocol{ { - ICMP: &crdv1alpha1.ICMPProtocol{ + ICMP: &crdv1beta1.ICMPProtocol{ ICMPType: &icmpType8, ICMPCode: &icmpCode0, }, - IGMP: &crdv1alpha1.IGMPProtocol{ + IGMP: &crdv1beta1.IGMPProtocol{ IGMPType: &query, GroupAddress: "224.0.0.1", }, @@ -1579,19 +1578,19 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "only-icmp-specified", - policy: &crdv1alpha1.ClusterNetworkPolicy{ - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + policy: &crdv1beta1.ClusterNetworkPolicy{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &metav1.LabelSelector{}, }, }, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { Name: "ingressType8", - Protocols: []crdv1alpha1.NetworkPolicyProtocol{ + Protocols: []crdv1beta1.NetworkPolicyProtocol{ { - ICMP: &crdv1alpha1.ICMPProtocol{ + ICMP: &crdv1beta1.ICMPProtocol{ ICMPType: &icmpType8, ICMPCode: &icmpCode0, }, @@ -1599,12 +1598,12 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { Name: "egressWithICMP", - Protocols: []crdv1alpha1.NetworkPolicyProtocol{ + Protocols: []crdv1beta1.NetworkPolicyProtocol{ { - ICMP: &crdv1alpha1.ICMPProtocol{}, + ICMP: &crdv1beta1.ICMPProtocol{}, }, }, }, 
@@ -1615,18 +1614,18 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { }, { name: "icmp-specified-and-action-set-to-pass", - policy: &crdv1alpha1.ClusterNetworkPolicy{ - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + policy: &crdv1beta1.ClusterNetworkPolicy{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { NamespaceSelector: &metav1.LabelSelector{}, }, }, - Egress: []crdv1alpha1.Rule{ + Egress: []crdv1beta1.Rule{ { - Protocols: []crdv1alpha1.NetworkPolicyProtocol{ + Protocols: []crdv1beta1.NetworkPolicyProtocol{ { - IGMP: &crdv1alpha1.IGMPProtocol{ + IGMP: &crdv1beta1.IGMPProtocol{ IGMPType: &report, GroupAddress: "225.1.2.3", }, @@ -1643,12 +1642,12 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) { // Update use same validate function as create. Only provide one update case here. { name: "acnp-non-existent-tier", - policy: &crdv1alpha1.ClusterNetworkPolicy{ + policy: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "non-existent-tier", }, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo": "bar"}, 
@@ -1686,19 +1685,19 @@ func TestValidateAntreaNetworkPolicy(t *testing.T) { tests := []struct { name string featureGates map[featuregate.Feature]bool - policy *crdv1alpha1.NetworkPolicy + policy *crdv1beta1.NetworkPolicy operation admv1.Operation expectedReason string }{ { name: "annp-non-existent-tier", - policy: &crdv1alpha1.NetworkPolicy{ + policy: &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "non-existent-tier", Namespace: "x", }, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.NetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo": "bar"}, @@ -1713,13 +1712,13 @@ func TestValidateAntreaNetworkPolicy(t *testing.T) { }, { name: "annp-non-existent-tier", - policy: &crdv1alpha1.NetworkPolicy{ + policy: &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "non-existent-tier", Namespace: "x", }, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.NetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo": "bar"}, @@ -1874,7 +1873,7 @@ func TestValidateAntreaClusterGroup(t *testing.T) { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo": "bar"}, }, - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ {CIDR: "10.0.0.10/32"}, }, }, @@ -1889,7 +1888,7 @@ func TestValidateAntreaClusterGroup(t *testing.T) { Name: "cg-set-with-ipblock", }, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ {CIDR: "10.0.0.10/32"}, }, }, @@ -1903,7 +1902,7 @@ func TestValidateAntreaClusterGroup(t *testing.T) { Name: "cg-set-with-ipblock", }, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ {CIDR: "224.0.0.0/24"}, }, }, 
@@ -1917,7 +1916,7 @@ func TestValidateAntreaClusterGroup(t *testing.T) { Name: "cg-set-with-ipblock", }, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ {CIDR: "224.0.0.0/24"}, {CIDR: "10.0.0.10/32"}, }, @@ -1988,7 +1987,7 @@ func TestValidateAntreaClusterGroup(t *testing.T) { Name: "cg-update", }, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ {CIDR: "10.0.0.10/32"}, }, }, @@ -2136,7 +2135,7 @@ func TestValidateAntreaGroup(t *testing.T) { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"foo": "bar"}, }, - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ {CIDR: "10.0.0.10/32"}, }, }, @@ -2152,7 +2151,7 @@ func TestValidateAntreaGroup(t *testing.T) { Namespace: "x", }, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ {CIDR: "10.0.0.10/32"}, }, }, @@ -2243,7 +2242,7 @@ func TestValidateAntreaGroup(t *testing.T) { Namespace: "x", }, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ {CIDR: "10.0.0.10/32"}, }, }, @@ -2302,8 +2301,8 @@ func TestValidateTier(t *testing.T) { curTier *crdv1beta1.Tier oldTier *crdv1beta1.Tier existTierNum int - existACNP *crdv1alpha1.ClusterNetworkPolicy - existANNP *crdv1alpha1.NetworkPolicy + existACNP *crdv1beta1.ClusterNetworkPolicy + existANNP *crdv1beta1.NetworkPolicy operation admv1.Operation user authenticationv1.UserInfo expectedReason string @@ -2455,9 +2454,9 @@ func TestValidateTier(t *testing.T) { Priority: 0, }, }, - existANNP: &crdv1alpha1.NetworkPolicy{ + existANNP: &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "nsA", Name: "npA", UID: "uidA"}, - Spec: crdv1alpha1.NetworkPolicySpec{ + Spec: crdv1beta1.NetworkPolicySpec{ Tier: "tier-annp-ref", }, }, 
@@ -2474,9 +2473,9 @@ func TestValidateTier(t *testing.T) { Priority: 0, }, }, - existACNP: &crdv1alpha1.ClusterNetworkPolicy{ + existACNP: &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "npA", UID: "uidA"}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ Tier: "tier-acnp-ref", }, }, diff --git a/pkg/controller/stats/aggregator.go b/pkg/controller/stats/aggregator.go index b43b82f8268..f551104f062 100644 --- a/pkg/controller/stats/aggregator.go +++ b/pkg/controller/stats/aggregator.go @@ -28,9 +28,9 @@ import ( "k8s.io/klog/v2" "antrea.io/antrea/pkg/apis/controlplane" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" statsv1alpha1 "antrea.io/antrea/pkg/apis/stats/v1alpha1" - crdinformers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1alpha1" + crdinformers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1beta1" "antrea.io/antrea/pkg/features" "antrea.io/antrea/pkg/util/k8s" ) @@ -170,7 +170,7 @@ func (a *Aggregator) deleteNetworkPolicy(obj interface{}) { // addACNP handles ClusterNetworkPolicy ADD events and creates corresponding ClusterNetworkPolicyStats objects. func (a *Aggregator) addACNP(obj interface{}) { - acnp := obj.(*crdv1alpha1.ClusterNetworkPolicy) + acnp := obj.(*crdv1beta1.ClusterNetworkPolicy) stats := &statsv1alpha1.AntreaClusterNetworkPolicyStats{ ObjectMeta: metav1.ObjectMeta{ Name: acnp.Name, 
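Review bot: addACNP still performs an unchecked type assertion, `acnp := obj.(*crdv1beta1.ClusterNetworkPolicy)`, so any object of another type reaching this handler panics the controller, whereas deleteACNP in the following hunk guards the identical cast with a comma-ok and logs. Changing it to `acnp, ok := obj.(*crdv1beta1.ClusterNetworkPolicy)` followed by `if !ok { klog.Errorf("Error decoding object when adding Antrea ClusterNetworkPolicy, invalid type: %v", obj); return }` keeps the add and delete paths consistent and turns a process crash into a logged, skipped event; addANNP at `@@ -209,7 +209,7 @@` (L440) has the same shape and would take the same change. Since these handlers are now registered only on the v1beta1 informers, the change presumably also relies on the CRD serving both versions with conversion so policies written through the older API still arrive here — worth confirming against the CRD manifests this commit touches. The body of addACNP continues outside the hunk.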
@@ -185,14 +185,14 @@ func (a *Aggregator) addACNP(obj interface{}) { // deleteACNP handles ClusterNetworkPolicy DELETE events and deletes corresponding ClusterNetworkPolicyStats objects. func (a *Aggregator) deleteACNP(obj interface{}) { - acnp, ok := obj.(*crdv1alpha1.ClusterNetworkPolicy) + acnp, ok := obj.(*crdv1beta1.ClusterNetworkPolicy) if !ok { tombstone, ok := obj.(cache.DeletedFinalStateUnknown) if !ok { klog.Errorf("Error decoding object when deleting Antrea ClusterNetworkPolicy, invalid type: %v", obj) return } - acnp, ok = tombstone.Obj.(*crdv1alpha1.ClusterNetworkPolicy) + acnp, ok = tombstone.Obj.(*crdv1beta1.ClusterNetworkPolicy) if !ok { klog.Errorf("Error decoding object tombstone when deleting Antrea ClusterNetworkPolicy, invalid type: %v", tombstone.Obj) return @@ -209,7 +209,7 @@ func (a *Aggregator) deleteACNP(obj interface{}) { // addANNP handles Antrea NetworkPolicy ADD events and creates corresponding AntreaNetworkPolicyStats objects. func (a *Aggregator) addANNP(obj interface{}) { - annp := obj.(*crdv1alpha1.NetworkPolicy) + annp := obj.(*crdv1beta1.NetworkPolicy) stats := &statsv1alpha1.AntreaNetworkPolicyStats{ ObjectMeta: metav1.ObjectMeta{ Namespace: annp.Namespace, @@ -225,14 +225,14 @@ func (a *Aggregator) addANNP(obj interface{}) { // deleteANNP handles Antrea NetworkPolicy DELETE events and deletes corresponding AntreaNetworkPolicyStats objects. func (a *Aggregator) deleteANNP(obj interface{}) { - annp, ok := obj.(*crdv1alpha1.NetworkPolicy) + annp, ok := obj.(*crdv1beta1.NetworkPolicy) if !ok { tombstone, ok := obj.(cache.DeletedFinalStateUnknown) if !ok { klog.Errorf("Error decoding object when deleting Antrea NetworkPolicy, invalid type: %v", obj) return } - annp, ok = tombstone.Obj.(*crdv1alpha1.NetworkPolicy) + annp, ok = tombstone.Obj.(*crdv1beta1.NetworkPolicy) if !ok { klog.Errorf("Error decoding object tombstone when deleting Antrea NetworkPolicy, invalid type: %v", tombstone.Obj) return 
diff --git a/pkg/controller/stats/aggregator_test.go b/pkg/controller/stats/aggregator_test.go index 1882e8505ff..9ccc5b5d4a3 100644 --- a/pkg/controller/stats/aggregator_test.go +++ b/pkg/controller/stats/aggregator_test.go @@ -30,7 +30,7 @@ import ( featuregatetesting "k8s.io/component-base/featuregate/testing" "antrea.io/antrea/pkg/apis/controlplane" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" statsv1alpha1 "antrea.io/antrea/pkg/apis/stats/v1alpha1" fakeversioned "antrea.io/antrea/pkg/client/clientset/versioned/fake" crdinformers "antrea.io/antrea/pkg/client/informers/externalversions" @@ -44,16 +44,16 @@ var ( np2 = &networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "foo", Name: "baz", UID: "uid2"}, } - acnp1 = &crdv1alpha1.ClusterNetworkPolicy{ + acnp1 = &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "", Name: "bar", UID: "uid3"}, } - acnp2 = &crdv1alpha1.ClusterNetworkPolicy{ + acnp2 = &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "", Name: "baz", UID: "uid4"}, } - annp1 = &crdv1alpha1.NetworkPolicy{ + annp1 = &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "foo", Name: "bar", UID: "uid5"}, } - annp2 = &crdv1alpha1.NetworkPolicy{ + annp2 = &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "foo", Name: "baz", UID: "uid6"}, } ) 
@@ -522,7 +522,7 @@ func TestAggregatorCollectListGet(t *testing.T) { informerFactory := informers.NewSharedInformerFactory(client, 12*time.Hour) crdClient := fakeversioned.NewSimpleClientset(append(tt.existingAntreaClusterNetworkPolicies, tt.existingAntreaNetworkPolicies...)...) crdInformerFactory := crdinformers.NewSharedInformerFactory(crdClient, 12*time.Hour) - a := NewAggregator(informerFactory.Networking().V1().NetworkPolicies(), crdInformerFactory.Crd().V1alpha1().ClusterNetworkPolicies(), crdInformerFactory.Crd().V1alpha1().NetworkPolicies()) + a := NewAggregator(informerFactory.Networking().V1().NetworkPolicies(), crdInformerFactory.Crd().V1beta1().ClusterNetworkPolicies(), crdInformerFactory.Crd().V1beta1().NetworkPolicies()) informerFactory.Start(stopCh) crdInformerFactory.Start(stopCh) expectedPolicyCount := len(tt.expectedNetworkPolicyStats) + len(tt.expectedAntreaClusterNetworkPolicyStats) + len(tt.expectedAntreaNetworkPolicyStats) @@ -561,7 +561,7 @@ func TestDeleteNetworkPolicy(t *testing.T) { informerFactory := informers.NewSharedInformerFactory(client, 12*time.Hour) crdClient := fakeversioned.NewSimpleClientset(acnp1, annp1) crdInformerFactory := crdinformers.NewSharedInformerFactory(crdClient, 12*time.Hour) - a := NewAggregator(informerFactory.Networking().V1().NetworkPolicies(), crdInformerFactory.Crd().V1alpha1().ClusterNetworkPolicies(), crdInformerFactory.Crd().V1alpha1().NetworkPolicies()) + a := NewAggregator(informerFactory.Networking().V1().NetworkPolicies(), crdInformerFactory.Crd().V1beta1().ClusterNetworkPolicies(), crdInformerFactory.Crd().V1beta1().NetworkPolicies()) informerFactory.Start(stopCh) crdInformerFactory.Start(stopCh) 
@@ -619,8 +619,8 @@ func TestDeleteNetworkPolicy(t *testing.T) { require.Equal(t, 1, len(a.ListAntreaNetworkPolicyStats(""))) client.NetworkingV1().NetworkPolicies(np1.Namespace).Delete(context.TODO(), np1.Name, metav1.DeleteOptions{})
- crdClient.CrdV1alpha1().ClusterNetworkPolicies().Delete(context.TODO(), acnp1.Name, metav1.DeleteOptions{})
- crdClient.CrdV1alpha1().NetworkPolicies(annp1.Namespace).Delete(context.TODO(), annp1.Name, metav1.DeleteOptions{})
+ crdClient.CrdV1beta1().ClusterNetworkPolicies().Delete(context.TODO(), acnp1.Name, metav1.DeleteOptions{})
+ crdClient.CrdV1beta1().NetworkPolicies(annp1.Namespace).Delete(context.TODO(), annp1.Name, metav1.DeleteOptions{})
 // Event handlers are asynchronous, it's supposed to finish very soon.
 err := wait.PollImmediate(100*time.Millisecond, time.Second, func() (done bool, err error) { return len(a.ListNetworkPolicyStats("")) == 0 && len(a.ListAntreaClusterNetworkPolicyStats()) == 0 && len(a.ListAntreaNetworkPolicyStats("")) == 0, nil
diff --git a/pkg/monitor/controller_test.go b/pkg/monitor/controller_test.go
index a808a541b8d..3118ffb6444 100644
--- a/pkg/monitor/controller_test.go
+++ b/pkg/monitor/controller_test.go
@@ -61,8 +61,8 @@ func newControllerMonitor(crdClient *fakeclientset.Clientset) *fakeController { serviceInformer := informerFactory.Core().V1().Services() networkPolicyInformer := informerFactory.Networking().V1().NetworkPolicies() nodeInformer := informerFactory.Core().V1().Nodes()
- acnpInformer := crdInformerFactory.Crd().V1alpha1().ClusterNetworkPolicies()
- annpInformer := crdInformerFactory.Crd().V1alpha1().NetworkPolicies()
+ acnpInformer := crdInformerFactory.Crd().V1beta1().ClusterNetworkPolicies()
+ annpInformer := crdInformerFactory.Crd().V1beta1().NetworkPolicies()
 tierInformer := crdInformerFactory.Crd().V1beta1().Tiers() cgInformer := crdInformerFactory.Crd().V1beta1().ClusterGroups() grpInformer := crdInformerFactory.Crd().V1beta1().Groups()
diff --git a/test/e2e/antreaipam_anp_test.go b/test/e2e/antreaipam_anp_test.go
index ebd61081635..9f24825e095 100644
--- a/test/e2e/antreaipam_anp_test.go
+++ b/test/e2e/antreaipam_anp_test.go
@@ -21,7 +21,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 annotation "antrea.io/antrea/pkg/ipam" e2eutils "antrea.io/antrea/test/e2e/utils" )
@@ -171,14 +171,14 @@ func testAntreaIPAMACNP(t *testing.T, protocol e2eutils.AntreaPolicyProtocol, ac
 // meantime.
 skipIfIPv6Cluster(t) }
- var ruleAction crdv1alpha1.RuleAction
+ var ruleAction crdv1beta1.RuleAction
 switch action { case Dropped:
- ruleAction = crdv1alpha1.RuleActionDrop
+ ruleAction = crdv1beta1.RuleActionDrop
 case Rejected:
- ruleAction = crdv1alpha1.RuleActionReject
+ ruleAction = crdv1beta1.RuleActionReject
 default:
- ruleAction = crdv1alpha1.RuleActionAllow
+ ruleAction = crdv1beta1.RuleActionAllow
 } builder := &e2eutils.ClusterNetworkPolicySpecBuilder{} builder = builder.SetName(fmt.Sprintf("acnp-%s-a", strings.ToLower(string(ruleAction)))).
diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
index f6215892aee..e61763203e2 100644
--- a/test/e2e/antreapolicy_test.go
+++ b/test/e2e/antreapolicy_test.go
@@ -242,14 +242,14 @@ func testUpdateValidationInvalidACNP(t *testing.T) { SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}). SetPriority(1.0) builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, nil,
- nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionAllow, "", "", nil)
 acnp := builder.Get() if _, err := k8sUtils.CreateOrUpdateACNP(acnp); err != nil { failOnError(fmt.Errorf("create ACNP acnp-applied-to-update failed: %v", err), t) } builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, nil,
- nil, nil, false, []ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}}, crdv1alpha1.RuleActionAllow, "", "", nil)
+ nil, nil, false, []ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}}, crdv1beta1.RuleActionAllow, "", "", nil)
 acnp = builder.Get() if _, err := k8sUtils.CreateOrUpdateACNP(acnp); err == nil { // Above update of ACNP must fail as it is an invalid spec.
@@ -280,14 +280,14 @@ func testUpdateValidationInvalidANNP(t *testing.T) { SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}). SetPriority(1.0) builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, nil, nil,
- nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
+ nil, nil, nil, nil, crdv1beta1.RuleActionAllow, "", "")
 annp := builder.Get() if _, err := k8sUtils.CreateOrUpdateANNP(annp); err != nil { failOnError(fmt.Errorf("create ANNP annp-applied-to-update failed: %v", err), t) } builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, nil, nil,
- nil, nil, nil, []ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}}, crdv1alpha1.RuleActionAllow, "", "")
+ nil, nil, nil, []ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}}, crdv1beta1.RuleActionAllow, "", "")
 annp = builder.Get() if _, err := k8sUtils.CreateOrUpdateANNP(annp); err == nil { // Above update of ANNP must fail as it is an invalid spec.
@@ -408,7 +408,7 @@ func testACNPAllowXBtoA(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionAllow, "", "", nil)
 reachability := NewReachability(allPods, Dropped) reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/a"), Connected)
@@ -446,21 +446,21 @@ func testACNPSourcePort(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddIngressForSrcPort(ProtocolTCP, nil, nil, &portStart, &portEnd, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("acnp-source-port"). SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder2.AddIngressForSrcPort(ProtocolTCP, &p80, nil, &portStart, &portEnd, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 builder3 := &ClusterNetworkPolicySpecBuilder{} builder3 = builder3.SetName("acnp-source-port"). SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder3.AddIngressForSrcPort(ProtocolTCP, &p80, &p81, &portStart, &portEnd, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 reachability := NewReachability(allPods, Connected) reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped)
@@ -513,7 +513,7 @@ func testACNPAllowXBtoYA(t *testing.T) { SetPriority(2.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["y"]}}}) builder.AddIngress(ProtocolTCP, nil, &port81Name, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionAllow, "", "", nil)
 reachability := NewReachability(allPods, Dropped) reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Connected)
@@ -545,14 +545,14 @@ func testACNPPriorityOverrideDefaultDeny(t *testing.T) { SetPriority(2). SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}) builder1.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionAllow, "", "", nil)
 builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("acnp-priority1"). SetPriority(1). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}}) builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 // Ingress from ns:z to x/a will be dropped since acnp-priority1 has higher precedence.
 reachabilityBothACNP := NewReachability(allPods, Dropped)
@@ -596,9 +596,9 @@ func testACNPAllowNoDefaultIsolation(t *testing.T, protocol AntreaPolicyProtocol SetPriority(1.1). SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}) builder.AddIngress(protocol, &p81, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["y"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionAllow, "", "", nil)
 builder.AddEgress(protocol, &p81, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionAllow, "", "", nil)
 reachability := NewReachability(allPods, Connected) testStep := []*TestStep{
@@ -633,7 +633,7 @@ func testACNPDropEgress(t *testing.T, protocol AntreaPolicyProtocol) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddEgress(protocol, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 reachability := NewReachability(allPods, Connected) reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped)
@@ -666,7 +666,7 @@ func testACNPDropIngressInSelectedNamespace(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, false, nil,
- crdv1alpha1.RuleActionDrop, "", "drop-all-ingress", nil)
+ crdv1beta1.RuleActionDrop, "", "drop-all-ingress", nil)
 reachability := NewReachability(allPods, Connected) reachability.ExpectAllIngress(Pod(namespaces["x"]+"/a"), Dropped)
@@ -697,7 +697,7 @@ func testACNPNoEffectOnOtherProtocols(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 reachability1 := NewReachability(allPods, Connected) reachability1.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/a"), Dropped)
@@ -750,7 +750,7 @@ func testACNPAppliedToDenyXBtoCGWithYA(t *testing.T) { SetPriority(2.0). SetAppliedToGroup([]ACNPAppliedToSpec{{Group: cgName}}) builder.AddIngress(ProtocolTCP, nil, &port81Name, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 reachability := NewReachability(allPods, Connected) reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped)
@@ -787,7 +787,7 @@ func testACNPIngressRuleDenyCGWithXBtoYA(t *testing.T) { SetPriority(2.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["y"]}}}) builder.AddIngress(ProtocolTCP, nil, &port81Name, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgName, "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, cgName, "", nil)
 reachability := NewReachability(allPods, Connected) reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped)
@@ -819,7 +819,7 @@ func testACNPAppliedToRuleCGWithPodsAToNsZ(t *testing.T) { builder = builder.SetName("acnp-deny-cg-with-a-to-z"). SetPriority(1.0) builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, []ACNPAppliedToSpec{{Group: cgName}}, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, []ACNPAppliedToSpec{{Group: cgName}}, crdv1beta1.RuleActionDrop, "", "", nil)
 reachability := NewReachability(allPods, Connected) reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped)
@@ -854,7 +854,7 @@ func testACNPEgressRulePodsAToCGWithNsZ(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgName, "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, cgName, "", nil)
 reachability := NewReachability(allPods, Connected) reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped)
@@ -891,7 +891,7 @@ func testACNPClusterGroupUpdateAppliedTo(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{Group: cgName}}) builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 reachability := NewReachability(allPods, Connected) reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped)
@@ -942,7 +942,7 @@ func testACNPClusterGroupUpdate(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgName, "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, cgName, "", nil)
 reachability := NewReachability(allPods, Connected) reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped)
@@ -992,7 +992,7 @@ func testACNPClusterGroupAppliedToPodAdd(t *testing.T, data *TestData) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{Group: cgName}}) builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "j"}, map[string]string{"ns": namespaces["x"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 cp := []*CustomProbe{ { SourcePod: CustomPod{
@@ -1040,7 +1040,7 @@ func testACNPClusterGroupRefRulePodAdd(t *testing.T, data *TestData) { }, }) builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgName, "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, cgName, "", nil)
 cp := []*CustomProbe{ { SourcePod: CustomPod{
@@ -1089,12 +1089,12 @@ func testACNPClusterGroupRefRuleIPBlocks(t *testing.T) { } return ip + "/128" }
- var ipBlock1, ipBlock2 []crdv1alpha1.IPBlock
+ var ipBlock1, ipBlock2 []crdv1beta1.IPBlock
 for i := 0; i < len(podXAIP); i++ {
- ipBlock1 = append(ipBlock1, crdv1alpha1.IPBlock{CIDR: genCIDR(podXAIP[i])})
- ipBlock1 = append(ipBlock1, crdv1alpha1.IPBlock{CIDR: genCIDR(podXBIP[i])})
- ipBlock1 = append(ipBlock1, crdv1alpha1.IPBlock{CIDR: genCIDR(podXCIP[i])})
- ipBlock2 = append(ipBlock2, crdv1alpha1.IPBlock{CIDR: genCIDR(podZAIP[i])})
+ ipBlock1 = append(ipBlock1, crdv1beta1.IPBlock{CIDR: genCIDR(podXAIP[i])})
+ ipBlock1 = append(ipBlock1, crdv1beta1.IPBlock{CIDR: genCIDR(podXBIP[i])})
+ ipBlock1 = append(ipBlock1, crdv1beta1.IPBlock{CIDR: genCIDR(podXCIP[i])})
+ ipBlock2 = append(ipBlock2, crdv1beta1.IPBlock{CIDR: genCIDR(podZAIP[i])})
 } cgName := "cg-ipblocks-pod-in-ns-x"
@@ -1116,9 +1116,9 @@ func testACNPClusterGroupRefRuleIPBlocks(t *testing.T) { }, }) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgName, "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, cgName, "", nil)
 builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgName2, "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, cgName2, "", nil)
 reachability := NewReachability(allPods, Connected) reachability.Expect(Pod(namespaces["x"]+"/a"), Pod(namespaces["y"]+"/a"), Dropped)
@@ -1152,7 +1152,7 @@ func testANNPEgressRulePodsAToGrpWithPodsC(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grpName, "")
+ nil, nil, nil, nil, crdv1beta1.RuleActionDrop, grpName, "")
 reachability := NewReachability(allPods, Connected) reachability.Expect(Pod(namespaces["x"]+"/a"), Pod(namespaces["x"]+"/c"), Dropped)
@@ -1185,7 +1185,7 @@ func testANNPIngressRuleDenyGrpWithXCtoXA(t *testing.T) { SetPriority(2.0). SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddIngress(ProtocolTCP, nil, &port81Name, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grpName, "")
+ nil, nil, nil, nil, nil, nil, nil, crdv1beta1.RuleActionDrop, grpName, "")
 reachability := NewReachability(allPods, Connected) reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped)
@@ -1220,7 +1220,7 @@ func testANNPGroupUpdate(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grpName, "")
+ nil, nil, nil, nil, crdv1beta1.RuleActionDrop, grpName, "")
 reachability := NewReachability(allPods, Connected) reachability.Expect(Pod(namespaces["x"]+"/a"), Pod(namespaces["x"]+"/c"), Dropped)
@@ -1264,7 +1264,7 @@ func testANNPAppliedToDenyXBtoGrpWithXA(t *testing.T) { SetPriority(2.0). SetAppliedToGroup([]ANNPAppliedToSpec{{Group: grpName}}) builder.AddIngress(ProtocolTCP, nil, &port81Name, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, nil, nil,
- nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, nil, nil, crdv1beta1.RuleActionDrop, "", "")
 reachability := NewReachability(allPods, Connected) reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped)
@@ -1297,7 +1297,7 @@ func testANNPAppliedToRuleGrpWithPodsAToPodsC(t *testing.T) { builder = builder.SetName(namespaces["x"], "annp-deny-grp-with-a-to-c"). SetPriority(1.0) builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, nil, nil,
- nil, nil, nil, []ANNPAppliedToSpec{{Group: grpName}}, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, nil, []ANNPAppliedToSpec{{Group: grpName}}, crdv1beta1.RuleActionDrop, "", "")
 reachability := NewReachability(allPods, Connected) reachability.Expect(Pod(namespaces["x"]+"/a"), Pod(namespaces["x"]+"/c"), Dropped)
@@ -1331,7 +1331,7 @@ func testANNPGroupUpdateAppliedTo(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ANNPAppliedToSpec{{Group: grpName}}) builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, nil, nil,
- nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, nil, nil, crdv1beta1.RuleActionDrop, "", "")
 reachability := NewReachability(allPods, Connected) reachability.Expect(Pod(namespaces["x"]+"/a"), Pod(namespaces["x"]+"/c"), Dropped)
@@ -1373,7 +1373,7 @@ func testANNPGroupAppliedToPodAdd(t *testing.T, data *TestData) { SetPriority(1.0). SetAppliedToGroup([]ANNPAppliedToSpec{{Group: grpName}}) builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "d"}, nil, nil,
- nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, nil, nil, crdv1beta1.RuleActionDrop, "", "")
 cp := []*CustomProbe{ { SourcePod: CustomPod{
@@ -1418,7 +1418,7 @@ func testANNPGroupServiceRefPodAdd(t *testing.T, data *TestData) { builder := &AntreaNetworkPolicySpecBuilder{} builder = builder.SetName(namespaces["x"], "annp-grp-svc-ref").SetPriority(1.0).SetAppliedToGroup([]ANNPAppliedToSpec{{Group: grp1Name}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grp2Name, "")
+ nil, nil, nil, nil, crdv1beta1.RuleActionDrop, grp2Name, "")
 svc1PodName := randName("test-pod-svc1-") svc2PodName := randName("test-pod-svc2-")
@@ -1479,7 +1479,7 @@ func testANNPGroupServiceRefDelete(t *testing.T) { builder := &AntreaNetworkPolicySpecBuilder{} builder = builder.SetName(namespaces["x"], "annp-grp-svc-ref").SetPriority(1.0).SetAppliedToGroup([]ANNPAppliedToSpec{{Group: grp1Name}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grp2Name, "")
+ nil, nil, nil, nil, crdv1beta1.RuleActionDrop, grp2Name, "")
 annp := builder.Get() k8sUtils.CreateOrUpdateANNP(annp) failOnError(waitForResourceReady(t, timeout, annp), t)
@@ -1520,7 +1520,7 @@ func testANNPGroupServiceRefCreateAndUpdate(t *testing.T) { builder := &AntreaNetworkPolicySpecBuilder{} builder = builder.SetName(namespaces["x"], "annp-grp-svc-ref").SetPriority(1.0).SetAppliedToGroup([]ANNPAppliedToSpec{{Group: grp1Name}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grp2Name, "")
+ nil, nil, nil, nil, crdv1beta1.RuleActionDrop, grp2Name, "")
 // Pods backing svc1 (label pod=a) in Namespace x should not allow ingress from Pods backing svc2 (label pod=b) in Namespace x.
 reachability := NewReachability(allPods, Connected)
@@ -1574,10 +1574,10 @@ func testANNPGroupRefRuleIPBlocks(t *testing.T) { } return ip + "/128" }
- var ipBlock []crdv1alpha1.IPBlock
+ var ipBlock []crdv1beta1.IPBlock
 for i := 0; i < len(podXBIP); i++ {
- ipBlock = append(ipBlock, crdv1alpha1.IPBlock{CIDR: genCIDR(podXBIP[i])})
- ipBlock = append(ipBlock, crdv1alpha1.IPBlock{CIDR: genCIDR(podXCIP[i])})
+ ipBlock = append(ipBlock, crdv1beta1.IPBlock{CIDR: genCIDR(podXBIP[i])})
+ ipBlock = append(ipBlock, crdv1beta1.IPBlock{CIDR: genCIDR(podXCIP[i])})
 } grpName := "grp-ipblocks-pod-xb-xc"
@@ -1589,7 +1589,7 @@ func testANNPGroupRefRuleIPBlocks(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grpName, "")
+ nil, nil, nil, nil, crdv1beta1.RuleActionDrop, grpName, "")
 reachability := NewReachability(allPods, Connected) reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped)
@@ -1629,7 +1629,7 @@ func testANNPNestedGroupCreateAndUpdate(t *testing.T, data *TestData) { builder = builder.SetName(namespaces["x"], "annp-nested-grp").SetPriority(1.0). SetAppliedToGroup([]ANNPAppliedToSpec{{}}). AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grpNestedName, "")
+ nil, nil, nil, nil, crdv1beta1.RuleActionDrop, grpNestedName, "")
 // Pods in Namespace x should not allow traffic from Pods backing svc1 (label pod=a) in Namespace x.
 // Note that in this testStep grp3 will not be created yet, so even though grp-nested selects grp1 and
@@ -1720,7 +1720,7 @@ func testBaselineNamespaceIsolation(t *testing.T) { SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, []metav1.LabelSelectorRequirement{nsExpOtherThanX}, false,
- nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, crdv1beta1.RuleActionDrop, "", "", nil)
 // create a K8s NetworkPolicy for Pods in namespace x to allow ingress traffic from Pods in the same namespace,
 // as well as from the y/a Pod. It should open up ingress from y/a since it's evaluated before the baseline tier.
@@ -1771,7 +1771,7 @@ func testACNPPriorityOverride(t *testing.T) { SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}})
 // Highest priority. Drops traffic from z/b to x/a.
 builder1.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("acnp-priority2").
@@ -1779,7 +1779,7 @@ func testACNPPriorityOverride(t *testing.T) { SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}})
 // Medium priority. Allows traffic from z to x/a.
 builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionAllow, "", "", nil)
 builder3 := &ClusterNetworkPolicySpecBuilder{} builder3 = builder3.SetName("acnp-priority3").
@@ -1787,7 +1787,7 @@ func testACNPPriorityOverride(t *testing.T) { SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}})
 // Lowest priority. Drops traffic from z to x.
 builder3.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 reachabilityTwoACNPs := NewReachability(allPods, Connected) reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/b"), Dropped)
@@ -1846,7 +1846,7 @@ func testACNPTierOverride(t *testing.T) { SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}})
 // Highest priority tier. Drops traffic from z/b to x/a.
 builder1.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("acnp-tier-securityops").
@@ -1855,7 +1855,7 @@ func testACNPTierOverride(t *testing.T) { SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}})
 // Medium priority tier. Allows traffic from z to x/a.
 builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionAllow, "", "", nil)
 builder3 := &ClusterNetworkPolicySpecBuilder{} builder3 = builder3.SetName("acnp-tier-application").
@@ -1864,7 +1864,7 @@ func testACNPTierOverride(t *testing.T) { SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}})
 // Lowest priority tier. Drops traffic from z to x.
 builder3.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 reachabilityTwoACNPs := NewReachability(allPods, Connected) reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/b"), Dropped)
@@ -1930,7 +1930,7 @@ func testACNPCustomTiers(t *testing.T) { SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}})
 // Medium priority tier. Allows traffic from z to x/a.
 builder1.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionAllow, "", "", nil)
 builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("acnp-tier-low").
@@ -1939,7 +1939,7 @@ func testACNPCustomTiers(t *testing.T) { SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}})
 // Lowest priority tier. Drops traffic from z to x.
 builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 reachabilityTwoACNPs := NewReachability(allPods, Connected) reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/b"), Dropped)
@@ -1978,7 +1978,7 @@ func testACNPPriorityConflictingRule(t *testing.T) { SetPriority(1). SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}) builder1.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("acnp-allow").
@@ -1987,7 +1987,7 @@ func testACNPPriorityConflictingRule(t *testing.T) {
 // The following ingress rule will take no effect as it is exactly the same as ingress rule of cnp-drop,
 // but cnp-allow has lower priority.
 builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionAllow, "", "", nil)
 reachabilityBothACNP := NewReachability(allPods, Connected) reachabilityBothACNP.ExpectEgressToNamespace(Pod(namespaces["z"]+"/a"), namespaces["x"], Dropped)
@@ -2019,10 +2019,10 @@ func testACNPRulePriority(t *testing.T) { SetPriority(5). SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}) builder1.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["y"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 // This rule should take no effect as it will be overridden by the first rule of cnp-allow
 builder1.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil)
 builder2 := &ClusterNetworkPolicySpecBuilder{} // acnp-allow will also apply to all pods in namespace x
@@ -2030,10 +2030,10 @@ func testACNPRulePriority(t *testing.T) { SetPriority(5). SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}) builder2.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionAllow, "", "", nil)
 // This rule should take no effect as it will be overridden by the first rule of cnp-drop
 builder2.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["y"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+ nil, nil, false, nil, crdv1beta1.RuleActionAllow, "", "", nil)
 // Only egress from pods in namespace x to namespace y should be denied
 reachabilityBothACNP := NewReachability(allPods, Connected)
@@ -2064,7 +2064,7 @@ func testACNPPortRange(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddEgress(ProtocolTCP, &p8080, nil, &p8082, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "acnp-port-range", nil) + nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "acnp-port-range", nil) reachability := NewReachability(allPods, Connected) reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped) @@ -2096,7 +2096,7 @@ func testACNPRejectEgress(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, false, nil, crdv1beta1.RuleActionReject, "", "", nil) reachability := NewReachability(allPods, Connected) reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Rejected) @@ -2127,7 +2127,7 @@ func testACNPRejectIngress(t *testing.T, protocol AntreaPolicyProtocol) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddIngress(protocol, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, false, nil, crdv1beta1.RuleActionReject, "", "", nil) reachability := NewReachability(allPods, Connected) reachability.ExpectIngressFromNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Rejected) 
@@ -2185,9 +2185,9 @@ func testRejectServiceTraffic(t *testing.T, data *TestData, clientNamespace, ser SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": "agnhost-client"}}}) builder1.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, svc1.Spec.Selector, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, false, nil, crdv1beta1.RuleActionReject, "", "", nil) builder1.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, svc2.Spec.Selector, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, false, nil, crdv1beta1.RuleActionReject, "", "", nil) acnpEgress := builder1.Get() k8sUtils.CreateOrUpdateACNP(acnpEgress) @@ -2212,7 +2212,7 @@ func testRejectServiceTraffic(t *testing.T, data *TestData, clientNamespace, ser SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: svc1.Spec.Selector}, {PodSelector: svc2.Spec.Selector}}) builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": "agnhost-client"}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, false, nil, crdv1beta1.RuleActionReject, "", "", nil) acnpIngress := builder2.Get() k8sUtils.CreateOrUpdateACNP(acnpIngress) @@ -2280,7 +2280,7 @@ func testRejectNoInfiniteLoop(t *testing.T, data *TestData, clientNamespace, ser }...) } - runTestsWithACNP := func(acnp *crdv1alpha1.ClusterNetworkPolicy, testcases []podToAddrTestStep) { + runTestsWithACNP := func(acnp *crdv1beta1.ClusterNetworkPolicy, testcases []podToAddrTestStep) { k8sUtils.CreateOrUpdateACNP(acnp) failOnError(waitForResourceReady(t, timeout, acnp), t) 
@@ -2303,9 +2303,9 @@ func testRejectNoInfiniteLoop(t *testing.T, data *TestData, clientNamespace, ser builder1 = builder1.SetName("acnp-reject-ingress-double-dir"). SetPriority(1.0) builder1.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"app": "nginx"}, nil, - nil, nil, false, []ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": clientName}}}, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, false, []ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": clientName}}}, crdv1beta1.RuleActionReject, "", "", nil) builder1.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": clientName}, nil, - nil, nil, false, []ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, false, []ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}, crdv1beta1.RuleActionReject, "", "", nil) runTestsWithACNP(builder1.Get(), testcases) 
@@ -2314,9 +2314,9 @@ func testRejectNoInfiniteLoop(t *testing.T, data *TestData, clientNamespace, ser builder2 = builder2.SetName("acnp-reject-egress-double-dir"). SetPriority(1.0) builder2.AddEgress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"app": "nginx"}, nil, - nil, nil, false, []ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": clientName}}}, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, false, []ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": clientName}}}, crdv1beta1.RuleActionReject, "", "", nil) builder2.AddEgress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": clientName}, nil, - nil, nil, false, []ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, false, []ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}, crdv1beta1.RuleActionReject, "", "", nil) runTestsWithACNP(builder2.Get(), testcases) @@ -2326,9 +2326,9 @@ func testRejectNoInfiniteLoop(t *testing.T, data *TestData, clientNamespace, ser SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}) builder3.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": clientName}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, false, nil, crdv1beta1.RuleActionReject, "", "", nil) builder3.AddEgress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": clientName}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, false, nil, crdv1beta1.RuleActionReject, "", "", nil) runTestsWithACNP(builder3.Get(), testcases) 
@@ -2338,9 +2338,9 @@ func testRejectNoInfiniteLoop(t *testing.T, data *TestData, clientNamespace, ser SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": clientName}}}) builder4.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"app": "nginx"}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, false, nil, crdv1beta1.RuleActionReject, "", "", nil) builder4.AddEgress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"app": "nginx"}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, false, nil, crdv1beta1.RuleActionReject, "", "", nil) runTestsWithACNP(builder4.Get(), testcases) } @@ -2352,7 +2352,7 @@ func testANNPPortRange(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}}) builder.AddEgress(ProtocolTCP, &p8080, nil, &p8082, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": namespaces["x"]}, nil, - nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "annp-port-range") + nil, nil, nil, nil, crdv1beta1.RuleActionDrop, "", "annp-port-range") reachability := NewReachability(allPods, Connected) reachability.Expect(Pod(namespaces["y"]+"/b"), Pod(namespaces["x"]+"/c"), Dropped) @@ -2382,7 +2382,7 @@ func testANNPBasic(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, - nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "") + nil, nil, nil, nil, crdv1beta1.RuleActionDrop, "", "") reachability := NewReachability(allPods, Connected) reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped) 
@@ -2433,12 +2433,12 @@ func testANNPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) { if singleRule { builder.SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}, {PodSelector: map[string]string{tempLabel: ""}}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, - nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "") + nil, nil, nil, nil, crdv1beta1.RuleActionDrop, "", "") } else { builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, - nil, nil, nil, []ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}, crdv1alpha1.RuleActionDrop, "", "") + nil, nil, nil, []ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}, crdv1beta1.RuleActionDrop, "", "") builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, - nil, nil, nil, []ANNPAppliedToSpec{{PodSelector: map[string]string{tempLabel: ""}}}, crdv1alpha1.RuleActionDrop, "", "") + nil, nil, nil, []ANNPAppliedToSpec{{PodSelector: map[string]string{tempLabel: ""}}}, crdv1beta1.RuleActionDrop, "", "") } reachability := NewReachability(allPods, Connected) @@ -2583,7 +2583,7 @@ func testAuditLoggingBasic(t *testing.T, data *TestData) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}}) builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", ruleName, nil) + nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", ruleName, nil) builder.AddEgressLogging(logLabel) npRef := fmt.Sprintf("AntreaClusterNetworkPolicy:%s", npName) 
@@ -2754,9 +2754,9 @@ func testAppliedToPerRule(t *testing.T) { annpATGrp1 := ANNPAppliedToSpec{PodSelector: map[string]string{"pod": "a"}, PodSelectorMatchExp: nil} annpATGrp2 := ANNPAppliedToSpec{PodSelector: map[string]string{"pod": "b"}, PodSelectorMatchExp: nil} builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, - nil, nil, nil, []ANNPAppliedToSpec{annpATGrp1}, crdv1alpha1.RuleActionDrop, "", "") + nil, nil, nil, []ANNPAppliedToSpec{annpATGrp1}, crdv1beta1.RuleActionDrop, "", "") builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["z"]}, nil, - nil, nil, nil, []ANNPAppliedToSpec{annpATGrp2}, crdv1alpha1.RuleActionDrop, "", "") + nil, nil, nil, []ANNPAppliedToSpec{annpATGrp2}, crdv1beta1.RuleActionDrop, "", "") reachability := NewReachability(allPods, Connected) reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped) 
@@ -2780,9 +2780,9 @@ func testAppliedToPerRule(t *testing.T) { PodSelector: map[string]string{"pod": "b"}, NSSelector: map[string]string{"ns": namespaces["y"]}, PodSelectorMatchExp: nil, NSSelectorMatchExp: nil} builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, - nil, nil, false, []ACNPAppliedToSpec{cnpATGrp1}, crdv1alpha1.RuleActionDrop, "", "", nil) + nil, nil, false, []ACNPAppliedToSpec{cnpATGrp1}, crdv1beta1.RuleActionDrop, "", "", nil) builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, []ACNPAppliedToSpec{cnpATGrp2}, crdv1alpha1.RuleActionDrop, "", "", nil) + nil, nil, false, []ACNPAppliedToSpec{cnpATGrp2}, crdv1beta1.RuleActionDrop, "", "", nil) reachability2 := NewReachability(allPods, Connected) reachability2.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped) @@ -2821,7 +2821,7 @@ func testACNPClusterGroupServiceRefCreateAndUpdate(t *testing.T, data *TestData) builder := &ClusterNetworkPolicySpecBuilder{} builder = builder.SetName("cnp-cg-svc-ref").SetPriority(1.0).SetAppliedToGroup([]ACNPAppliedToSpec{{Group: cg1Name}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, - false, nil, crdv1alpha1.RuleActionDrop, cg2Name, "", nil) + false, nil, crdv1beta1.RuleActionDrop, cg2Name, "", nil) // Pods backing svc1 (label pod=a) in Namespace x should not allow ingress from Pods backing svc2 (label pod=b) in Namespace y. reachability := NewReachability(allPods, Connected) 
@@ -2874,7 +2874,7 @@ func testACNPClusterGroupServiceRefCreateAndUpdate(t *testing.T, data *TestData) builderUpdated = builderUpdated.SetName("cnp-cg-svc-ref").SetPriority(1.0) builderUpdated.SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}}) builderUpdated.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["y"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil) // Pod x/a should not allow ingress from y/b per the updated ACNP spec. testStep3 := &TestStep{ @@ -2916,7 +2916,7 @@ func testACNPNestedClusterGroupCreateAndUpdate(t *testing.T, data *TestData) { builder = builder.SetName("cnp-nested-cg").SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["z"]}}}). AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, - false, nil, crdv1alpha1.RuleActionDrop, cgNestedName, "", nil) + false, nil, crdv1beta1.RuleActionDrop, cgNestedName, "", nil) // Pods in Namespace z should not allow traffic from Pods backing svc1 (label pod=a) in Namespace x. // Note that in this testStep cg3 will not be created yet, so even though cg-nested selects cg1 and 
@@ -3004,10 +3004,10 @@ func testACNPNestedIPBlockClusterGroupCreateAndUpdate(t *testing.T) { } cg1Name, cg2Name, cg3Name := "cg-x-a-ipb", "cg-x-b-ipb", "cg-select-x-c" cgParentName := "cg-parent" - var ipBlockXA, ipBlockXB []crdv1alpha1.IPBlock + var ipBlockXA, ipBlockXB []crdv1beta1.IPBlock for i := 0; i < len(podXAIP); i++ { - ipBlockXA = append(ipBlockXA, crdv1alpha1.IPBlock{CIDR: genCIDR(podXAIP[i])}) - ipBlockXB = append(ipBlockXB, crdv1alpha1.IPBlock{CIDR: genCIDR(podXBIP[i])}) + ipBlockXA = append(ipBlockXA, crdv1beta1.IPBlock{CIDR: genCIDR(podXAIP[i])}) + ipBlockXB = append(ipBlockXB, crdv1beta1.IPBlock{CIDR: genCIDR(podXBIP[i])}) } cgBuilder1 := &ClusterGroupSpecBuilder{} cgBuilder1 = cgBuilder1.SetName(cg1Name).SetIPBlocks(ipBlockXA) @@ -3026,7 +3026,7 @@ func testACNPNestedIPBlockClusterGroupCreateAndUpdate(t *testing.T) { }, }) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgParentName, "", nil) + nil, nil, false, nil, crdv1beta1.RuleActionDrop, cgParentName, "", nil) reachability := NewReachability(allPods, Connected) reachability.Expect(Pod(namespaces["x"]+"/a"), Pod(namespaces["y"]+"/a"), Dropped) @@ -3075,9 +3075,9 @@ func testACNPNamespaceIsolation(t *testing.T) { SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{}}}) // deny ingress traffic except from own namespace, which is always allowed. builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, - true, nil, crdv1alpha1.RuleActionAllow, "", "", nil) + true, nil, crdv1beta1.RuleActionAllow, "", "", nil) builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{}, nil, nil, - false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + false, nil, crdv1beta1.RuleActionDrop, "", "", nil) reachability := NewReachability(allPods, Dropped) reachability.ExpectAllSelfNamespace(Connected) 
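Review bot: The loop that fills `ipBlockXA` and `ipBlockXB` is bounded by `len(podXAIP)` but also indexes `podXBIP[i]`, so it panics with an index-out-of-range instead of a readable failure if the two Pods resolved a different number of addresses (both lists are built outside the hunk, so whether that can happen is not visible here). A one-line guard before the loop makes the assumption explicit: `if len(podXAIP) != len(podXBIP) { t.Fatalf("x/a and x/b resolved a different number of IPs: %d vs %d", len(podXAIP), len(podXBIP)) }`. Pre-sizing with `make([]crdv1beta1.IPBlock, 0, len(podXAIP))` would also replace the `var` declaration, though that is cosmetic in a test. The enclosing function starts and ends outside the hunk.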
@@ -3096,9 +3096,9 @@ func testACNPNamespaceIsolation(t *testing.T) { SetTier("baseline"). SetPriority(1.0) builder2.AddEgress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, - true, []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}, crdv1alpha1.RuleActionAllow, "", "", nil) + true, []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}, crdv1beta1.RuleActionAllow, "", "", nil) builder2.AddEgress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{}, nil, nil, - false, []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}, crdv1alpha1.RuleActionDrop, "", "", nil) + false, []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}, crdv1beta1.RuleActionDrop, "", "", nil) reachability2 := NewReachability(allPods, Connected) reachability2.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["y"], Dropped) @@ -3131,9 +3131,9 @@ func testACNPStrictNamespacesIsolation(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{}}}) builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, - true, nil, crdv1alpha1.RuleActionPass, "", "", nil) + true, nil, crdv1beta1.RuleActionPass, "", "", nil) builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{}, nil, nil, - false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + false, nil, crdv1beta1.RuleActionDrop, "", "", nil) // deny ingress traffic except from own namespace, which is delegated to Namespace owners (who can create K8s // NetworkPolicies to regulate intra-Namespace traffic) reachability := NewReachability(allPods, Dropped) 
@@ -3192,10 +3192,10 @@ func testFQDNPolicy(t *testing.T) { // So we changed the target domain from google.com to github.com, which has a more stable DNS resolution result. The // change could be reverted once we support inspecting DNS/TCP traffic. // See https://github.com/antrea-io/antrea/issues/4130 for more details. - builder.AddFQDNRule("*github.com", ProtocolTCP, nil, nil, nil, "r1", nil, crdv1alpha1.RuleActionReject) - builder.AddFQDNRule("wayfair.com", ProtocolTCP, nil, nil, nil, "r2", nil, crdv1alpha1.RuleActionDrop) + builder.AddFQDNRule("*github.com", ProtocolTCP, nil, nil, nil, "r1", nil, crdv1beta1.RuleActionReject) + builder.AddFQDNRule("wayfair.com", ProtocolTCP, nil, nil, nil, "r2", nil, crdv1beta1.RuleActionDrop) // Test upper-case FQDN. - builder.AddFQDNRule("Stackoverflow.com", ProtocolTCP, nil, nil, nil, "r3", nil, crdv1alpha1.RuleActionDrop) + builder.AddFQDNRule("Stackoverflow.com", ProtocolTCP, nil, nil, nil, "r3", nil, crdv1beta1.RuleActionDrop) // All client Pods below are randomly chosen from test Namespaces. testcases := []podToAddrTestStep{ 
@@ -3289,8 +3289,8 @@ func testFQDNPolicyInClusterService(t *testing.T) { SetTier("application"). SetPriority(1.0) for idx, service := range services { - builder.AddFQDNRule(svcDNSName(service), ProtocolTCP, nil, nil, nil, fmt.Sprintf("r%d", idx*2), []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["y"]}, PodSelector: map[string]string{"pod": "b"}}}, crdv1alpha1.RuleActionReject) - builder.AddFQDNRule(svcDNSName(service), ProtocolTCP, nil, nil, nil, fmt.Sprintf("r%d", idx*2+1), []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["z"]}, PodSelector: map[string]string{"pod": "c"}}}, crdv1alpha1.RuleActionDrop) + builder.AddFQDNRule(svcDNSName(service), ProtocolTCP, nil, nil, nil, fmt.Sprintf("r%d", idx*2), []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["y"]}, PodSelector: map[string]string{"pod": "b"}}}, crdv1beta1.RuleActionReject) + builder.AddFQDNRule(svcDNSName(service), ProtocolTCP, nil, nil, nil, fmt.Sprintf("r%d", idx*2+1), []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["z"]}, PodSelector: map[string]string{"pod": "c"}}}, crdv1beta1.RuleActionDrop) } acnp := builder.Get() k8sUtils.CreateOrUpdateACNP(acnp) @@ -3355,7 +3355,7 @@ func testFQDNPolicyTCP(t *testing.T) { SetTier("application"). SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{}}}) - builder.AddFQDNRule("github.com", ProtocolTCP, nil, nil, nil, "", nil, crdv1alpha1.RuleActionDrop) + builder.AddFQDNRule("github.com", ProtocolTCP, nil, nil, nil, "", nil, crdv1beta1.RuleActionDrop) testcases := []podToAddrTestStep{ { Pod(namespaces["y"] + "/a"), 
@@ -3401,12 +3401,12 @@ func testToServices(t *testing.T) { services = append(services, ipv6Svc) } - var svcRefs []crdv1alpha1.PeerService + var svcRefs []crdv1beta1.PeerService var builtSvcs []*v1.Service for _, service := range services { builtSvc, _ := k8sUtils.CreateOrUpdateService(service) failOnError(waitForResourceReady(t, timeout, service), t) - svcRefs = append(svcRefs, crdv1alpha1.PeerService{ + svcRefs = append(svcRefs, crdv1beta1.PeerService{ Name: service.Name, Namespace: service.Namespace, }) @@ -3417,7 +3417,7 @@ func testToServices(t *testing.T) { builder = builder.SetName("test-acnp-to-services"). SetTier("application"). SetPriority(1.0) - builder.AddToServicesRule(svcRefs, "svc", []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["y"]}}}, crdv1alpha1.RuleActionDrop) + builder.AddToServicesRule(svcRefs, "svc", []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["y"]}}}, crdv1beta1.RuleActionDrop) time.Sleep(networkPolicyDelay) acnp := builder.Get() @@ -3474,7 +3474,7 @@ func testServiceAccountSelector(t *testing.T, data *TestData) { client1Name, _, cleanupFunc := createAndWaitForPodWithServiceAccount(t, data, data.createAgnhostPodWithSAOnNode, "client", controlPlaneNodeName(), namespaces["x"], false, "default") defer cleanupFunc() - sa := &crdv1alpha1.NamespacedName{ + sa := &crdv1beta1.NamespacedName{ Name: "test-sa", Namespace: namespaces["x"], } @@ -3484,7 +3484,7 @@ func testServiceAccountSelector(t *testing.T, data *TestData) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": serverName}}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", sa) + nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", sa) acnp := builder.Get() _, err := k8sUtils.CreateOrUpdateACNP(acnp) 
@@ -3551,7 +3551,7 @@ func testACNPNodeSelectorEgress(t *testing.T) { nodeSelector := metav1.LabelSelector{MatchLabels: map[string]string{"kubernetes.io/hostname": controlPlaneNodeName()}} builder.AddNodeSelectorRule(&nodeSelector, ProtocolTCP, &p6443, "egress-control-plane-drop", []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}, PodSelector: map[string]string{"pod": "a"}}}, - crdv1alpha1.RuleActionDrop, true) + crdv1beta1.RuleActionDrop, true) var testcases []podToAddrTestStep if clusterInfo.podV4NetworkCIDR != "" { @@ -3626,7 +3626,7 @@ func testACNPNodeSelectorIngress(t *testing.T, data *TestData) { nodeSelector := metav1.LabelSelector{MatchLabels: map[string]string{"kubernetes.io/hostname": controlPlaneNodeName()}} builder.AddNodeSelectorRule(&nodeSelector, ProtocolTCP, &p80, "ingress-control-plane-drop", []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}, - crdv1alpha1.RuleActionDrop, false) + crdv1beta1.RuleActionDrop, false) testcases := []podToAddrTestStep{} if clusterInfo.podV4NetworkCIDR != "" { @@ -3698,9 +3698,9 @@ func testACNPICMPSupport(t *testing.T, data *TestData) { builder = builder.SetName("test-acnp-icmp"). SetPriority(1.0).SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": clientName}}}) builder.AddEgress(ProtocolICMP, nil, nil, nil, &icmpType, &icmpCode, nil, nil, nil, map[string]string{"antrea-e2e": server0Name}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, false, nil, crdv1beta1.RuleActionReject, "", "", nil) builder.AddEgress(ProtocolICMP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": server1Name}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + nil, nil, false, nil, crdv1beta1.RuleActionDrop, "", "", nil) testcases := []podToAddrTestStep{} if clusterInfo.podV4NetworkCIDR != "" { 
@@ -3794,14 +3794,14 @@ func testACNPNodePortServiceSupport(t *testing.T, data *TestData, serverNamespac SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{ { - Service: &crdv1alpha1.NamespacedName{ + Service: &crdv1beta1.NamespacedName{ Name: nodePortSvc.Name, Namespace: nodePortSvc.Namespace, }, }, }) builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, &cidr, nil, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, false, nil, crdv1beta1.RuleActionReject, "", "", nil) acnp, err := k8sUtils.CreateOrUpdateACNP(builder.Get()) failOnError(err, t) @@ -3830,14 +3830,14 @@ func testACNPNodePortServiceSupport(t *testing.T, data *TestData, serverNamespac } func testACNPIGMPQueryAllow(t *testing.T, data *TestData) { - testACNPIGMPQuery(t, data, "test-acnp-igmp-query-allow", "testMulticastIGMPQueryAllow", "224.3.4.13", crdv1alpha1.RuleActionAllow) + testACNPIGMPQuery(t, data, "test-acnp-igmp-query-allow", "testMulticastIGMPQueryAllow", "224.3.4.13", crdv1beta1.RuleActionAllow) } func testACNPIGMPQueryDrop(t *testing.T, data *TestData) { - testACNPIGMPQuery(t, data, "test-acnp-igmp-query-drop", "testMulticastIGMPQueryDrop", "224.3.4.14", crdv1alpha1.RuleActionDrop) + testACNPIGMPQuery(t, data, "test-acnp-igmp-query-drop", "testMulticastIGMPQueryDrop", "224.3.4.14", crdv1beta1.RuleActionDrop) } -func testACNPIGMPQuery(t *testing.T, data *TestData, acnpName, caseName, groupAddress string, action crdv1alpha1.RuleAction) { +func testACNPIGMPQuery(t *testing.T, data *TestData, acnpName, caseName, groupAddress string, action crdv1beta1.RuleAction) { mcjoinWaitTimeout := defaultTimeout / time.Second testNamespace := data.testNamespace mc := multicastTestcase{ 
@@ -3897,14 +3897,14 @@ func testACNPIGMPQuery(t *testing.T, data *TestData, acnpName, caseName, groupAd nil, nil, false, nil, action, "", "", nil) acnp := builder.Get() _, err = k8sUtils.CreateOrUpdateACNP(acnp) - defer data.crdClient.CrdV1alpha1().ClusterNetworkPolicies().Delete(context.TODO(), acnp.Name, metav1.DeleteOptions{}) + defer data.crdClient.CrdV1beta1().ClusterNetworkPolicies().Delete(context.TODO(), acnp.Name, metav1.DeleteOptions{}) if err != nil { t.Fatalf("failed to create acnp %v: %v", acnpName, err) } // check if IGMP is dropped or not based on rule action captured, err := checkPacketCaptureResult(t, data, tcpdumpName, cmd) - if action == crdv1alpha1.RuleActionAllow { + if action == crdv1beta1.RuleActionAllow { if !captured || err != nil { t.Fatalf("failed to apply acnp policy: %+v, err: %v ", *acnp, err) } 
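Review bot: The deferred `CrdV1beta1().ClusterNetworkPolicies().Delete(...)` is registered before `err` from `CreateOrUpdateACNP` is checked, whereas the sibling helper `testACNPMulticastEgress` registers it after the check; the two helpers should read the same way. Registering first is harmless if the object was never created, but the Delete's return value is discarded in both places, so a policy that leaks into the next multicast case is never reported. Wrapping it as `defer func() { if err := data.crdClient.CrdV1beta1().ClusterNetworkPolicies().Delete(context.TODO(), acnp.Name, metav1.DeleteOptions{}); err != nil { t.Logf("failed to delete ACNP %s: %v", acnp.Name, err) } }()` surfaces that without changing the test's outcome. The function body continues outside the hunk.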
@@ -3916,14 +3916,14 @@ func testACNPIGMPQuery(t *testing.T, data *TestData, acnpName, caseName, groupAd } func testACNPMulticastEgressAllow(t *testing.T, data *TestData) { - testACNPMulticastEgress(t, data, "test-acnp-multicast-egress-allow", "testMulticastEgressAllowTraffic", "224.3.4.15", crdv1alpha1.RuleActionAllow) + testACNPMulticastEgress(t, data, "test-acnp-multicast-egress-allow", "testMulticastEgressAllowTraffic", "224.3.4.15", crdv1beta1.RuleActionAllow) } func testACNPMulticastEgressDrop(t *testing.T, data *TestData) { - testACNPMulticastEgress(t, data, "test-acnp-multicast-egress-drop", "testMulticastEgressDropTrafficFor", "224.3.4.16", crdv1alpha1.RuleActionDrop) + testACNPMulticastEgress(t, data, "test-acnp-multicast-egress-drop", "testMulticastEgressDropTrafficFor", "224.3.4.16", crdv1beta1.RuleActionDrop) } -func testACNPMulticastEgress(t *testing.T, data *TestData, acnpName, caseName, groupAddress string, action crdv1alpha1.RuleAction) { +func testACNPMulticastEgress(t *testing.T, data *TestData, acnpName, caseName, groupAddress string, action crdv1beta1.RuleAction) { mcjoinWaitTimeout := defaultTimeout / time.Second testNamespace := data.testNamespace mc := multicastTestcase{ 
@@ -3982,14 +3982,14 @@ func testACNPMulticastEgress(t *testing.T, data *TestData, acnpName, caseName, g if err != nil { t.Fatalf("failed to create acnp %v: %v", acnpName, err) } - defer data.crdClient.CrdV1alpha1().ClusterNetworkPolicies().Delete(context.TODO(), acnp.Name, metav1.DeleteOptions{}) + defer data.crdClient.CrdV1beta1().ClusterNetworkPolicies().Delete(context.TODO(), acnp.Name, metav1.DeleteOptions{}) captured, err := checkPacketCaptureResult(t, data, tcpdumpName, cmd) - if action == crdv1alpha1.RuleActionAllow { + if action == crdv1beta1.RuleActionAllow { if !captured || err != nil { t.Fatalf("failed to apply acnp policy: %+v, err: %v", *acnp, err) } - } else if action == crdv1alpha1.RuleActionDrop { + } else if action == crdv1beta1.RuleActionDrop { if captured || err != nil { t.Fatalf("failed to apply acnp policy: %+v, err: %v", *acnp, err) } @@ -4127,10 +4127,10 @@ func doProbe(t *testing.T, data *TestData, p *CustomProbe, protocol AntreaPolicy func applyTestStepResources(t *testing.T, step *TestStep) { for _, r := range step.TestResources { switch o := r.(type) { - case *crdv1alpha1.ClusterNetworkPolicy: + case *crdv1beta1.ClusterNetworkPolicy: _, err := k8sUtils.CreateOrUpdateACNP(o) failOnError(err, t) - case *crdv1alpha1.NetworkPolicy: + case *crdv1beta1.NetworkPolicy: _, err := k8sUtils.CreateOrUpdateANNP(o) failOnError(err, t) case *v1net.NetworkPolicy: @@ -4159,9 +4159,9 @@ func cleanupTestCaseResources(t *testing.T, c *TestCase) { for _, step := range c.Steps { for _, r := range step.TestResources { switch o := r.(type) { - case *crdv1alpha1.ClusterNetworkPolicy: + case *crdv1beta1.ClusterNetworkPolicy: acnpsToDelete.Insert(o.Name) - case *crdv1alpha1.NetworkPolicy: + case *crdv1beta1.NetworkPolicy: annpsToDelete.Insert(o.Namespace + "/" + o.Name) case *v1net.NetworkPolicy: npsToDelete.Insert(o.Namespace + "/" + o.Name) 
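Review bot: The `if action == crdv1beta1.RuleActionAllow { … } else if action == crdv1beta1.RuleActionDrop { … }` chain has no terminating branch, so a call with any other `RuleAction` (Reject, Pass) runs the whole case and passes without the capture result ever being checked. Adding `} else { t.Fatalf("unexpected rule action %v for %s", action, caseName) }`, or rewriting the chain as a `switch` with a failing `default`, closes that gap. `testACNPIGMPQuery` compares `action` the same way in its first branch, though its else side is not visible in this diff. The enclosing function starts outside the hunk.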
@@ -4237,9 +4237,9 @@ func printResults() { func waitForResourceReady(t *testing.T, timeout time.Duration, obj metav1.Object) error { defer timeCost()("ready") switch p := obj.(type) { - case *crdv1alpha1.ClusterNetworkPolicy: + case *crdv1beta1.ClusterNetworkPolicy: return k8sUtils.waitForACNPRealized(t, p.Name, timeout) - case *crdv1alpha1.NetworkPolicy: + case *crdv1beta1.NetworkPolicy: return k8sUtils.waitForANNPRealized(t, p.Namespace, p.Name, timeout) case *v1net.NetworkPolicy: time.Sleep(100 * time.Millisecond) 
@@ -4427,27 +4427,27 @@ func TestAntreaPolicyStatus(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}) annpBuilder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, - nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "") + nil, nil, nil, nil, crdv1beta1.RuleActionAllow, "", "") annp := annpBuilder.Get() log.Debugf("creating ANNP %v", annp.Name) - _, err = data.crdClient.CrdV1alpha1().NetworkPolicies(annp.Namespace).Create(context.TODO(), annp, metav1.CreateOptions{}) + _, err = data.crdClient.CrdV1beta1().NetworkPolicies(annp.Namespace).Create(context.TODO(), annp, metav1.CreateOptions{}) assert.NoError(t, err) - defer data.crdClient.CrdV1alpha1().NetworkPolicies(annp.Namespace).Delete(context.TODO(), annp.Name, metav1.DeleteOptions{}) + defer data.crdClient.CrdV1beta1().NetworkPolicies(annp.Namespace).Delete(context.TODO(), annp.Name, metav1.DeleteOptions{}) acnpBuilder := &ClusterNetworkPolicySpecBuilder{} acnpBuilder = acnpBuilder.SetName("acnp-applied-to-two-nodes"). SetPriority(1.0). 
SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}) acnpBuilder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil) + nil, nil, false, nil, crdv1beta1.RuleActionAllow, "", "", nil) acnp := acnpBuilder.Get() log.Debugf("creating ACNP %v", acnp.Name) - _, err = data.crdClient.CrdV1alpha1().ClusterNetworkPolicies().Create(context.TODO(), acnp, metav1.CreateOptions{}) + _, err = data.crdClient.CrdV1beta1().ClusterNetworkPolicies().Create(context.TODO(), acnp, metav1.CreateOptions{}) assert.NoError(t, err) - defer data.crdClient.CrdV1alpha1().ClusterNetworkPolicies().Delete(context.TODO(), acnp.Name, metav1.DeleteOptions{}) + defer data.crdClient.CrdV1beta1().ClusterNetworkPolicies().Delete(context.TODO(), acnp.Name, metav1.DeleteOptions{}) - expectedStatus := crdv1alpha1.NetworkPolicyStatus{ - Phase: crdv1alpha1.NetworkPolicyRealized, + expectedStatus := crdv1beta1.NetworkPolicyStatus{ + Phase: crdv1beta1.NetworkPolicyRealized, ObservedGeneration: 1, CurrentNodesRealized: 2, DesiredNodesRealized: 2, 
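Review bot: After `data.crdClient.CrdV1beta1().NetworkPolicies(annp.Namespace).Create(...)` the error is checked with `assert.NoError(t, err)`, which marks the test failed but lets it continue, so on a create failure the test still creates the ACNP and checks `expectedStatus` against a policy that does not exist, and the deferred `Delete` then targets a missing object; the ACNP `Create` a few lines later has the same shape. The file already uses `failOnError(err, t)` after `CreateOrUpdateACNP` elsewhere in this diff (presumably a fatal), and `failOnError(err, t)` in place of each `assert.NoError(t, err)` after a Create or Update stops at the first real failure. The same pattern recurs in `TestAntreaPolicyStatusWithAppliedToPerRule` in the two hunks that follow (the Create and both Update calls). The function body continues outside the hunk.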
@@ -4476,17 +4476,17 @@ func TestAntreaPolicyStatusWithAppliedToPerRule(t *testing.T) { annpBuilder = annpBuilder.SetName(data.testNamespace, "annp-applied-to-per-rule"). SetPriority(1.0) annpBuilder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, - nil, nil, nil, []ANNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": server0Name}}}, crdv1alpha1.RuleActionAllow, "", "") + nil, nil, nil, []ANNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": server0Name}}}, crdv1beta1.RuleActionAllow, "", "") annpBuilder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, - nil, nil, nil, []ANNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": server1Name}}}, crdv1alpha1.RuleActionAllow, "", "") + nil, nil, nil, []ANNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": server1Name}}}, crdv1beta1.RuleActionAllow, "", "") annp := annpBuilder.Get() log.Debugf("creating ANNP %v", annp.Name) - annp, err = data.crdClient.CrdV1alpha1().NetworkPolicies(annp.Namespace).Create(context.TODO(), annp, metav1.CreateOptions{}) + annp, err = data.crdClient.CrdV1beta1().NetworkPolicies(annp.Namespace).Create(context.TODO(), annp, metav1.CreateOptions{}) assert.NoError(t, err) - defer data.crdClient.CrdV1alpha1().NetworkPolicies(annp.Namespace).Delete(context.TODO(), annp.Name, metav1.DeleteOptions{}) + defer data.crdClient.CrdV1beta1().NetworkPolicies(annp.Namespace).Delete(context.TODO(), annp.Name, metav1.DeleteOptions{}) - annp = checkANNPStatus(t, data, annp, crdv1alpha1.NetworkPolicyStatus{ - Phase: crdv1alpha1.NetworkPolicyRealized, + annp = checkANNPStatus(t, data, annp, crdv1beta1.NetworkPolicyStatus{ + Phase: crdv1beta1.NetworkPolicyRealized, ObservedGeneration: 1, CurrentNodesRealized: 2, DesiredNodesRealized: 2, 
@@ -4495,10 +4495,10 @@ func TestAntreaPolicyStatusWithAppliedToPerRule(t *testing.T) { // Remove the second ingress rule. annp.Spec.Ingress = annp.Spec.Ingress[0:1] - _, err = data.crdClient.CrdV1alpha1().NetworkPolicies(annp.Namespace).Update(context.TODO(), annp, metav1.UpdateOptions{}) + _, err = data.crdClient.CrdV1beta1().NetworkPolicies(annp.Namespace).Update(context.TODO(), annp, metav1.UpdateOptions{}) assert.NoError(t, err) - annp = checkANNPStatus(t, data, annp, crdv1alpha1.NetworkPolicyStatus{ - Phase: crdv1alpha1.NetworkPolicyRealized, + annp = checkANNPStatus(t, data, annp, crdv1beta1.NetworkPolicyStatus{ + Phase: crdv1beta1.NetworkPolicyRealized, ObservedGeneration: 2, CurrentNodesRealized: 1, DesiredNodesRealized: 1, @@ -4507,11 +4507,11 @@ func TestAntreaPolicyStatusWithAppliedToPerRule(t *testing.T) { // Add a non-existing group. // Although nothing will be changed in datapath, the policy's status should be realized with the latest generation. - annp.Spec.Ingress[0].AppliedTo = append(annp.Spec.Ingress[0].AppliedTo, crdv1alpha1.AppliedTo{Group: "foo"}) - _, err = data.crdClient.CrdV1alpha1().NetworkPolicies(annp.Namespace).Update(context.TODO(), annp, metav1.UpdateOptions{}) + annp.Spec.Ingress[0].AppliedTo = append(annp.Spec.Ingress[0].AppliedTo, crdv1beta1.AppliedTo{Group: "foo"}) + _, err = data.crdClient.CrdV1beta1().NetworkPolicies(annp.Namespace).Update(context.TODO(), annp, metav1.UpdateOptions{}) assert.NoError(t, err) - annp = checkANNPStatus(t, data, annp, crdv1alpha1.NetworkPolicyStatus{ - Phase: crdv1alpha1.NetworkPolicyRealized, + annp = checkANNPStatus(t, data, annp, crdv1beta1.NetworkPolicyStatus{ + Phase: crdv1beta1.NetworkPolicyRealized, ObservedGeneration: 3, CurrentNodesRealized: 1, DesiredNodesRealized: 1, 
@@ -4521,10 +4521,10 @@ func TestAntreaPolicyStatusWithAppliedToPerRule(t *testing.T) { // Delete the non-existing group. // Although nothing will be changed in datapath, the policy's status should be realized with the latest generation. annp.Spec.Ingress[0].AppliedTo = annp.Spec.Ingress[0].AppliedTo[0:1] - _, err = data.crdClient.CrdV1alpha1().NetworkPolicies(annp.Namespace).Update(context.TODO(), annp, metav1.UpdateOptions{}) + _, err = data.crdClient.CrdV1beta1().NetworkPolicies(annp.Namespace).Update(context.TODO(), annp, metav1.UpdateOptions{}) assert.NoError(t, err) - checkANNPStatus(t, data, annp, crdv1alpha1.NetworkPolicyStatus{ - Phase: crdv1alpha1.NetworkPolicyRealized, + checkANNPStatus(t, data, annp, crdv1beta1.NetworkPolicyStatus{ + Phase: crdv1beta1.NetworkPolicyRealized, ObservedGeneration: 4, CurrentNodesRealized: 1, DesiredNodesRealized: 1, @@ -4568,14 +4568,14 @@ func TestAntreaPolicyStatusWithAppliedToUnsupportedGroup(t *testing.T) { SetAppliedToGroup([]ANNPAppliedToSpec{{Group: grpName}}) annp, err := k8sUtils.CreateOrUpdateANNP(annpBuilder.Get()) failOnError(err, t) - expectedStatus := crdv1alpha1.NetworkPolicyStatus{ - Phase: crdv1alpha1.NetworkPolicyPending, + expectedStatus := crdv1beta1.NetworkPolicyStatus{ + Phase: crdv1beta1.NetworkPolicyPending, ObservedGeneration: 1, CurrentNodesRealized: 0, DesiredNodesRealized: 0, - Conditions: []crdv1alpha1.NetworkPolicyCondition{ + Conditions: []crdv1beta1.NetworkPolicyCondition{ { - Type: crdv1alpha1.NetworkPolicyConditionRealizable, + Type: crdv1beta1.NetworkPolicyConditionRealizable, Status: metav1.ConditionFalse, LastTransitionTime: metav1.Now(), Reason: "NetworkPolicyAppliedToUnsupportedGroup", 
@@ -4601,10 +4601,10 @@ func TestAntreaPolicyStatusWithAppliedToUnsupportedGroup(t *testing.T) { k8sUtils.Cleanup(namespaces) } -func checkANNPStatus(t *testing.T, data *TestData, annp *crdv1alpha1.NetworkPolicy, expectedStatus crdv1alpha1.NetworkPolicyStatus) *crdv1alpha1.NetworkPolicy { +func checkANNPStatus(t *testing.T, data *TestData, annp *crdv1beta1.NetworkPolicy, expectedStatus crdv1beta1.NetworkPolicyStatus) *crdv1beta1.NetworkPolicy { err := wait.Poll(100*time.Millisecond, policyRealizedTimeout, func() (bool, error) { var err error - annp, err = data.crdClient.CrdV1alpha1().NetworkPolicies(annp.Namespace).Get(context.TODO(), annp.Name, metav1.GetOptions{}) + annp, err = data.crdClient.CrdV1beta1().NetworkPolicies(annp.Namespace).Get(context.TODO(), annp.Name, metav1.GetOptions{}) if err != nil { return false, err } @@ -4614,10 +4614,10 @@ func checkANNPStatus(t *testing.T, data *TestData, annp *crdv1alpha1.NetworkPoli return annp } -func checkACNPStatus(t *testing.T, data *TestData, acnp *crdv1alpha1.ClusterNetworkPolicy, expectedStatus crdv1alpha1.NetworkPolicyStatus) *crdv1alpha1.ClusterNetworkPolicy { +func checkACNPStatus(t *testing.T, data *TestData, acnp *crdv1beta1.ClusterNetworkPolicy, expectedStatus crdv1beta1.NetworkPolicyStatus) *crdv1beta1.ClusterNetworkPolicy { err := wait.Poll(100*time.Millisecond, policyRealizedTimeout, func() (bool, error) { var err error - acnp, err = data.crdClient.CrdV1alpha1().ClusterNetworkPolicies().Get(context.TODO(), acnp.Name, metav1.GetOptions{}) + acnp, err = data.crdClient.CrdV1beta1().ClusterNetworkPolicies().Get(context.TODO(), acnp.Name, metav1.GetOptions{}) if err != nil { return false, err } 
@@ -4633,11 +4633,11 @@ func checkACNPStatus(t *testing.T, data *TestData, acnp *crdv1alpha1.ClusterNetw func (data *TestData) waitForANNPRealized(t *testing.T, namespace string, name string, timeout time.Duration) error { t.Logf("Waiting for ANNP '%s/%s' to be realized", namespace, name) if err := wait.Poll(100*time.Millisecond, timeout, func() (bool, error) { - annp, err := data.crdClient.CrdV1alpha1().NetworkPolicies(namespace).Get(context.TODO(), name, metav1.GetOptions{}) + annp, err := data.crdClient.CrdV1beta1().NetworkPolicies(namespace).Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { return false, err } - return annp.Status.ObservedGeneration == annp.Generation && annp.Status.Phase == crdv1alpha1.NetworkPolicyRealized, nil + return annp.Status.ObservedGeneration == annp.Generation && annp.Status.Phase == crdv1beta1.NetworkPolicyRealized, nil }); err != nil { return fmt.Errorf("error when waiting for ANNP '%s/%s' to be realized: %v", namespace, name, err) } @@ -4650,11 +4650,11 @@ func (data *TestData) waitForANNPRealized(t *testing.T, namespace string, name s func (data *TestData) waitForACNPRealized(t *testing.T, name string, timeout time.Duration) error { t.Logf("Waiting for ACNP '%s' to be realized", name) if err := wait.Poll(100*time.Millisecond, timeout, func() (bool, error) { - acnp, err := data.crdClient.CrdV1alpha1().ClusterNetworkPolicies().Get(context.TODO(), name, metav1.GetOptions{}) + acnp, err := data.crdClient.CrdV1beta1().ClusterNetworkPolicies().Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { return false, err } - return acnp.Status.ObservedGeneration == acnp.Generation && acnp.Status.Phase == crdv1alpha1.NetworkPolicyRealized, nil + return acnp.Status.ObservedGeneration == acnp.Generation && acnp.Status.Phase == crdv1beta1.NetworkPolicyRealized, nil }); err != nil { return fmt.Errorf("error when waiting for ACNP '%s' to be realized: %v", name, err) } 
@@ -4675,8 +4675,8 @@ func testANNPNetworkPolicyStatsWithDropAction(t *testing.T, data *TestData) { p10 := float64(10) intstr80 := intstr.FromInt(80) intstr443 := intstr.FromInt(443) - dropAction := crdv1alpha1.RuleActionDrop - allowAction := crdv1alpha1.RuleActionAllow + dropAction := crdv1beta1.RuleActionDrop + allowAction := crdv1beta1.RuleActionAllow selectorB := metav1.LabelSelector{MatchLabels: map[string]string{"antrea-e2e": clientName}} selectorC := metav1.LabelSelector{MatchLabels: map[string]string{"antrea-e2e": serverName}} protocol, _ := AntreaPolicyProtocolToK8sProtocol(ProtocolUDP) @@ -4692,22 +4692,22 @@ func testANNPNetworkPolicyStatsWithDropAction(t *testing.T, data *TestData) { cmd := []string{"/bin/sh", "-c", fmt.Sprintf("nc -vz -w 4 %s 80", serverIPs.ipv6.String())} data.RunCommandFromPod(data.testNamespace, clientName, busyboxContainerName, cmd) } - var annp = &crdv1alpha1.NetworkPolicy{ + var annp = &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: data.testNamespace, Name: "np1", Labels: map[string]string{"antrea-e2e": "np1"}}, - Spec: crdv1alpha1.NetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.NetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorC}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &intstr80, Protocol: &protocol, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, }, @@ -4715,13 +4715,13 @@ func testANNPNetworkPolicyStatsWithDropAction(t *testing.T, data *TestData) { Action: &dropAction, }, { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &intstr443, Protocol: &protocol, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, }, 
@@ -4729,7 +4729,7 @@ func testANNPNetworkPolicyStatsWithDropAction(t *testing.T, data *TestData) { Action: &allowAction, }, }, - Egress: []crdv1alpha1.Rule{}, + Egress: []crdv1beta1.Rule{}, }, } @@ -4810,8 +4810,8 @@ func testAntreaClusterNetworkPolicyStats(t *testing.T, data *TestData) { p10 := float64(10) intstr800 := intstr.FromInt(800) intstr4430 := intstr.FromInt(4430) - dropAction := crdv1alpha1.RuleActionDrop - allowAction := crdv1alpha1.RuleActionAllow + dropAction := crdv1beta1.RuleActionDrop + allowAction := crdv1beta1.RuleActionAllow selectorB := metav1.LabelSelector{MatchLabels: map[string]string{"antrea-e2e": clientName}} selectorC := metav1.LabelSelector{MatchLabels: map[string]string{"antrea-e2e": serverName}} protocol, _ := AntreaPolicyProtocolToK8sProtocol(ProtocolUDP) @@ -4827,22 +4827,22 @@ func testAntreaClusterNetworkPolicyStats(t *testing.T, data *TestData) { cmd := []string{"/bin/sh", "-c", fmt.Sprintf("nc -vz -w 4 %s 80", serverIPs.ipv6.String())} data.RunCommandFromPod(data.testNamespace, clientName, busyboxContainerName, cmd) } - var acnp = &crdv1alpha1.ClusterNetworkPolicy{ + var acnp = &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: data.testNamespace, Name: "cnp1", Labels: map[string]string{"antrea-e2e": "cnp1"}}, - Spec: crdv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []crdv1alpha1.AppliedTo{ + Spec: crdv1beta1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &selectorC}, }, Priority: p10, - Ingress: []crdv1alpha1.Rule{ + Ingress: []crdv1beta1.Rule{ { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &intstr800, Protocol: &protocol, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, }, 
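Review bot: In testAntreaClusterNetworkPolicyStats the `acnp` literal sets `Namespace: data.testNamespace` on a ClusterNetworkPolicy, which is a cluster-scoped resource; as far as I know the API server clears the namespace on cluster-scoped objects, so the field has no effect but misleads a reader into looking for the policy inside that namespace. Drop it: `ObjectMeta: metav1.ObjectMeta{Name: "cnp1", Labels: map[string]string{"antrea-e2e": "cnp1"}},`. The `Egress: []crdv1beta1.Rule{}` tail of this literal sits in the following hunk, and the function body continues beyond it.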
@@ -4850,13 +4850,13 @@ func testAntreaClusterNetworkPolicyStats(t *testing.T, data *TestData) { Action: &allowAction, }, { - Ports: []crdv1alpha1.NetworkPolicyPort{ + Ports: []crdv1beta1.NetworkPolicyPort{ { Port: &intstr4430, Protocol: &protocol, }, }, - From: []crdv1alpha1.NetworkPolicyPeer{ + From: []crdv1beta1.NetworkPolicyPeer{ { PodSelector: &selectorB, }, @@ -4864,7 +4864,7 @@ func testAntreaClusterNetworkPolicyStats(t *testing.T, data *TestData) { Action: &dropAction, }, }, - Egress: []crdv1alpha1.Rule{}, + Egress: []crdv1beta1.Rule{}, }, } diff --git a/test/e2e/clustergroup_test.go b/test/e2e/clustergroup_test.go index cca0f0b6e9b..17267ba788d 100644 --- a/test/e2e/clustergroup_test.go +++ b/test/e2e/clustergroup_test.go @@ -22,7 +22,6 @@ import ( v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" ) @@ -31,7 +30,7 @@ func testInvalidCGIPBlockWithPodSelector(t *testing.T) { cgName := "ipb-pod" pSel := &metav1.LabelSelector{MatchLabels: map[string]string{"pod": "x"}} cidr := "10.0.0.10/32" - ipb := []crdv1alpha1.IPBlock{{CIDR: cidr}} + ipb := []crdv1beta1.IPBlock{{CIDR: cidr}} cg := &crdv1beta1.ClusterGroup{ ObjectMeta: metav1.ObjectMeta{ Name: cgName, @@ -52,7 +51,7 @@ func testInvalidCGIPBlockWithNSSelector(t *testing.T) { cgName := "ipb-ns" nSel := &metav1.LabelSelector{MatchLabels: map[string]string{"ns": namespaces["y"]}} cidr := "10.0.0.10/32" - ipb := []crdv1alpha1.IPBlock{{CIDR: cidr}} + ipb := []crdv1beta1.IPBlock{{CIDR: cidr}} cg := &crdv1beta1.ClusterGroup{ ObjectMeta: metav1.ObjectMeta{ Name: cgName, 
@@ -72,7 +71,7 @@ func testInvalidCGServiceRefWithPodSelector(t *testing.T) { invalidErr := fmt.Errorf("clustergroup created with serviceReference and podSelector") cgName := "svcref-pod-selector" pSel := &metav1.LabelSelector{MatchLabels: map[string]string{"pod": "x"}} - svcRef := &crdv1alpha1.NamespacedName{ + svcRef := &crdv1beta1.NamespacedName{ Namespace: namespaces["y"], Name: "test-svc", } @@ -95,7 +94,7 @@ func testInvalidCGServiceRefWithNSSelector(t *testing.T) { invalidErr := fmt.Errorf("clustergroup created with serviceReference and namespaceSelector") cgName := "svcref-ns-selector" nSel := &metav1.LabelSelector{MatchLabels: map[string]string{"ns": namespaces["y"]}} - svcRef := &crdv1alpha1.NamespacedName{ + svcRef := &crdv1beta1.NamespacedName{ Namespace: namespaces["y"], Name: "test-svc", } @@ -118,8 +117,8 @@ func testInvalidCGServiceRefWithIPBlock(t *testing.T) { invalidErr := fmt.Errorf("clustergroup created with ipblock and namespaceSelector") cgName := "ipb-svcref" cidr := "10.0.0.10/32" - ipb := []crdv1alpha1.IPBlock{{CIDR: cidr}} - svcRef := &crdv1alpha1.NamespacedName{ + ipb := []crdv1beta1.IPBlock{{CIDR: cidr}} + svcRef := &crdv1beta1.NamespacedName{ Namespace: namespaces["y"], Name: "test-svc", } @@ -182,7 +181,7 @@ func testInvalidCGChildGroupWithPodSelector(t *testing.T) { func testInvalidCGChildGroupWithServiceReference(t *testing.T) { invalidErr := fmt.Errorf("clustergroup created with childGroups and ServiceReference") cgName := "child-group-svcref" - svcRef := &crdv1alpha1.NamespacedName{ + svcRef := &crdv1beta1.NamespacedName{ Namespace: namespaces["y"], Name: "test-svc", } @@ -288,7 +287,7 @@ func testClusterGroupRealizationStatus(t *testing.T) { Name: "child-cg-2", }, Spec: crdv1beta1.GroupSpec{ - IPBlocks: []crdv1alpha1.IPBlock{ + IPBlocks: []crdv1beta1.IPBlock{ {CIDR: "192.168.2.0/24"}, }, }, diff --git a/test/e2e/flowaggregator_test.go b/test/e2e/flowaggregator_test.go index e3c7c66ad05..8ebb0f36082 100644 
--- a/test/e2e/flowaggregator_test.go +++ b/test/e2e/flowaggregator_test.go @@ -37,7 +37,7 @@ import ( "antrea.io/antrea/pkg/agent/openflow" "antrea.io/antrea/pkg/antctl" "antrea.io/antrea/pkg/antctl/runtime" - secv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + secv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" "antrea.io/antrea/test/e2e/utils" ) @@ -1323,14 +1323,14 @@ func deployK8sNetworkPolicies(t *testing.T, data *TestData, srcPod, dstPod strin return np1, np2 } -func deployAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, dstPod string, srcNode, dstNode string) (anp1 *secv1alpha1.NetworkPolicy, anp2 *secv1alpha1.NetworkPolicy) { +func deployAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, dstPod string, srcNode, dstNode string) (anp1 *secv1beta1.NetworkPolicy, anp2 *secv1beta1.NetworkPolicy) { builder1 := &utils.AntreaNetworkPolicySpecBuilder{} // apply anp to dstPod, allow ingress from srcPod builder1 = builder1.SetName(data.testNamespace, ingressAntreaNetworkPolicyName). SetPriority(2.0). SetAppliedToGroup([]utils.ANNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": dstPod}}}) builder1 = builder1.AddIngress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": srcPod}, map[string]string{}, nil, - nil, nil, nil, nil, secv1alpha1.RuleActionAllow, "", testIngressRuleName) + nil, nil, nil, nil, secv1beta1.RuleActionAllow, "", testIngressRuleName) anp1 = builder1.Get() anp1, err1 := k8sUtils.CreateOrUpdateANNP(anp1) if err1 != nil { 
@@ -1343,7 +1343,7 @@ func deployAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, dstPod st SetPriority(2.0). SetAppliedToGroup([]utils.ANNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": srcPod}}}) builder2 = builder2.AddEgress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": dstPod}, map[string]string{}, nil, - nil, nil, nil, nil, secv1alpha1.RuleActionAllow, "", testEgressRuleName) + nil, nil, nil, nil, secv1beta1.RuleActionAllow, "", testEgressRuleName) anp2 = builder2.Get() anp2, err2 := k8sUtils.CreateOrUpdateANNP(anp2) if err2 != nil { @@ -1361,7 +1361,7 @@ func deployAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, dstPod st return anp1, anp2 } -func deployDenyAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, podReject, podDrop string, srcNode, dstNode string, isIngress bool) (anp1 *secv1alpha1.NetworkPolicy, anp2 *secv1alpha1.NetworkPolicy) { +func deployDenyAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, podReject, podDrop string, srcNode, dstNode string, isIngress bool) (anp1 *secv1beta1.NetworkPolicy, anp2 *secv1beta1.NetworkPolicy) { var err error builder1 := &utils.AntreaNetworkPolicySpecBuilder{} builder2 := &utils.AntreaNetworkPolicySpecBuilder{} 
@@ -1374,12 +1374,12 @@ func deployDenyAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, podRe SetPriority(2.0). SetAppliedToGroup([]utils.ANNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": podReject}}}) builder1 = builder1.AddIngress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": srcPod}, map[string]string{}, nil, - nil, nil, nil, nil, secv1alpha1.RuleActionReject, "", testIngressRuleName) + nil, nil, nil, nil, secv1beta1.RuleActionReject, "", testIngressRuleName) builder2 = builder2.SetName(data.testNamespace, ingressDropANPName). SetPriority(2.0). SetAppliedToGroup([]utils.ANNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": podDrop}}}) builder2 = builder2.AddIngress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": srcPod}, map[string]string{}, nil, - nil, nil, nil, nil, secv1alpha1.RuleActionDrop, "", testIngressRuleName) + nil, nil, nil, nil, secv1beta1.RuleActionDrop, "", testIngressRuleName) table = openflow.AntreaPolicyIngressRuleTable flowCount = antreaIngressTableInitFlowCount + 2 nodeName = dstNode 
@@ -1389,12 +1389,12 @@ func deployDenyAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, podRe SetPriority(2.0). SetAppliedToGroup([]utils.ANNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": srcPod}}}) builder1 = builder1.AddEgress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": podReject}, map[string]string{}, nil, - nil, nil, nil, nil, secv1alpha1.RuleActionReject, "", testEgressRuleName) + nil, nil, nil, nil, secv1beta1.RuleActionReject, "", testEgressRuleName) builder2 = builder2.SetName(data.testNamespace, egressDropANPName). SetPriority(2.0). SetAppliedToGroup([]utils.ANNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": srcPod}}}) builder2 = builder2.AddEgress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": podDrop}, map[string]string{}, nil, - nil, nil, nil, nil, secv1alpha1.RuleActionDrop, "", testEgressRuleName) + nil, nil, nil, nil, secv1beta1.RuleActionDrop, "", testEgressRuleName) table = openflow.AntreaPolicyEgressRuleTable flowCount = antreaEgressTableInitFlowCount + 2 nodeName = srcNode diff --git a/test/e2e/group_test.go b/test/e2e/group_test.go index 3ff30784dd1..a35651c7b8f 100644 --- a/test/e2e/group_test.go +++ b/test/e2e/group_test.go @@ -20,7 +20,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" ) @@ -29,7 +28,7 @@ func testInvalidGroupIPBlockWithPodSelector(t *testing.T) { gName := "ipb-pod" pSel := &metav1.LabelSelector{MatchLabels: map[string]string{"pod": "x"}} cidr := "10.0.0.10/32" - ipb := []crdv1alpha1.IPBlock{{CIDR: cidr}} + ipb := []crdv1beta1.IPBlock{{CIDR: cidr}} g := &crdv1beta1.Group{ ObjectMeta: metav1.ObjectMeta{ Name: gName, 
@@ -51,7 +50,7 @@ func testInvalidGroupIPBlockWithNSSelector(t *testing.T) { gName := "ipb-ns" nSel := &metav1.LabelSelector{MatchLabels: map[string]string{"ns": namespaces["y"]}} cidr := "10.0.0.10/32" - ipb := []crdv1alpha1.IPBlock{{CIDR: cidr}} + ipb := []crdv1beta1.IPBlock{{CIDR: cidr}} g := &crdv1beta1.Group{ ObjectMeta: metav1.ObjectMeta{ Name: gName, @@ -72,7 +71,7 @@ func testInvalidGroupServiceRefWithPodSelector(t *testing.T) { invalidErr := fmt.Errorf("group created with serviceReference and podSelector") gName := "svcref-pod-selector" pSel := &metav1.LabelSelector{MatchLabels: map[string]string{"pod": "x"}} - svcRef := &crdv1alpha1.NamespacedName{ + svcRef := &crdv1beta1.NamespacedName{ Namespace: namespaces["y"], Name: "test-svc", } @@ -96,7 +95,7 @@ func testInvalidGroupServiceRefWithNSSelector(t *testing.T) { invalidErr := fmt.Errorf("group created with serviceReference and namespaceSelector") gName := "svcref-ns-selector" nSel := &metav1.LabelSelector{MatchLabels: map[string]string{"ns": namespaces["y"]}} - svcRef := &crdv1alpha1.NamespacedName{ + svcRef := &crdv1beta1.NamespacedName{ Namespace: namespaces["y"], Name: "test-svc", } @@ -120,8 +119,8 @@ func testInvalidGroupServiceRefWithIPBlock(t *testing.T) { invalidErr := fmt.Errorf("group created with ipblock and namespaceSelector") gName := "ipb-svcref" cidr := "10.0.0.10/32" - ipb := []crdv1alpha1.IPBlock{{CIDR: cidr}} - svcRef := &crdv1alpha1.NamespacedName{ + ipb := []crdv1beta1.IPBlock{{CIDR: cidr}} + svcRef := &crdv1beta1.NamespacedName{ Namespace: namespaces["y"], Name: "test-svc", } @@ -190,7 +189,7 @@ func testInvalidGroupChildGroupWithPodSelector(t *testing.T) { func testInvalidGroupChildGroupWithServiceReference(t *testing.T) { invalidErr := fmt.Errorf("group created with childGroups and ServiceReference") gName := "child-group-svcref" - svcRef := &crdv1alpha1.NamespacedName{ + svcRef := &crdv1beta1.NamespacedName{ Name: "test-svc", Namespace: namespaces[testChildGroupNamespace], } 
diff --git a/test/e2e/k8s_util.go b/test/e2e/k8s_util.go index da7cfd7d582..f293afc330b 100644 --- a/test/e2e/k8s_util.go +++ b/test/e2e/k8s_util.go @@ -32,7 +32,6 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/wait" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" "antrea.io/antrea/test/e2e/utils" ) @@ -893,12 +892,12 @@ func (k *KubernetesUtils) CleanGroups(namespace string) error { } // CreateOrUpdateACNP is a convenience function for updating/creating AntreaClusterNetworkPolicies. -func (data *TestData) CreateOrUpdateACNP(cnp *crdv1alpha1.ClusterNetworkPolicy) (*crdv1alpha1.ClusterNetworkPolicy, error) { +func (data *TestData) CreateOrUpdateACNP(cnp *crdv1beta1.ClusterNetworkPolicy) (*crdv1beta1.ClusterNetworkPolicy, error) { log.Infof("Creating/updating ClusterNetworkPolicy %s", cnp.Name) - cnpReturned, err := data.crdClient.CrdV1alpha1().ClusterNetworkPolicies().Get(context.TODO(), cnp.Name, metav1.GetOptions{}) + cnpReturned, err := data.crdClient.CrdV1beta1().ClusterNetworkPolicies().Get(context.TODO(), cnp.Name, metav1.GetOptions{}) if err != nil { log.Debugf("Creating ClusterNetworkPolicy %s", cnp.Name) - cnp, err = data.crdClient.CrdV1alpha1().ClusterNetworkPolicies().Create(context.TODO(), cnp, metav1.CreateOptions{}) + cnp, err = data.crdClient.CrdV1beta1().ClusterNetworkPolicies().Create(context.TODO(), cnp, metav1.CreateOptions{}) if err != nil { log.Debugf("Unable to create ClusterNetworkPolicy: %s", err) } 
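Review bot: In CreateOrUpdateACNP any error from the new `CrdV1beta1().ClusterNetworkPolicies().Get(...)` line is treated as "policy does not exist": a transient API-server or authorization failure falls into the Create branch, and the AlreadyExists (or other) error it produces then masks the original cause. Only NotFound should take that path; with `k8s.io/apimachinery/pkg/api/errors` imported as `apierrors`, add `if err != nil && !apierrors.IsNotFound(err) { return nil, err }` ahead of the existing `if err != nil {` create branch. CreateOrUpdateANNP in the `@@ -946,33 +945,33 @@` hunk has the same shape and needs the same guard. The body of CreateOrUpdateACNP continues past the end of this hunk.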
@@ -906,15 +905,15 @@ func (data *TestData) CreateOrUpdateACNP(cnp *crdv1alpha1.ClusterNetworkPolicy) } else if cnpReturned.Name != "" { log.Debugf("ClusterNetworkPolicy with name %s already exists, updating", cnp.Name) cnpReturned.Spec = cnp.Spec - cnp, err = data.crdClient.CrdV1alpha1().ClusterNetworkPolicies().Update(context.TODO(), cnpReturned, metav1.UpdateOptions{}) + cnp, err = data.crdClient.CrdV1beta1().ClusterNetworkPolicies().Update(context.TODO(), cnpReturned, metav1.UpdateOptions{}) return cnp, err } return nil, fmt.Errorf("error occurred in creating/updating ClusterNetworkPolicy %s", cnp.Name) } // GetACNP is a convenience function for getting AntreaClusterNetworkPolicies. -func (data *TestData) GetACNP(name string) (*crdv1alpha1.ClusterNetworkPolicy, error) { - res, err := data.crdClient.CrdV1alpha1().ClusterNetworkPolicies().Get(context.TODO(), name, metav1.GetOptions{}) +func (data *TestData) GetACNP(name string) (*crdv1beta1.ClusterNetworkPolicy, error) { + res, err := data.crdClient.CrdV1beta1().ClusterNetworkPolicies().Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { return nil, err } @@ -924,7 +923,7 @@ func (data *TestData) GetACNP(name string) (*crdv1alpha1.ClusterNetworkPolicy, e // DeleteACNP is a convenience function for deleting ACNP by name. func (data *TestData) DeleteACNP(name string) error { log.Infof("Deleting AntreaClusterNetworkPolicies %s", name) - err := data.crdClient.CrdV1alpha1().ClusterNetworkPolicies().Delete(context.TODO(), name, metav1.DeleteOptions{}) + err := data.crdClient.CrdV1beta1().ClusterNetworkPolicies().Delete(context.TODO(), name, metav1.DeleteOptions{}) if err != nil { return errors.Wrapf(err, "unable to delete ClusterNetworkPolicy %s", name) } 
@@ -933,7 +932,7 @@ func (data *TestData) DeleteACNP(name string) error { // CleanACNPs is a convenience function for deleting all Antrea ClusterNetworkPolicies in the cluster. func (data *TestData) CleanACNPs() error { - l, err := data.crdClient.CrdV1alpha1().ClusterNetworkPolicies().List(context.TODO(), metav1.ListOptions{}) + l, err := data.crdClient.CrdV1beta1().ClusterNetworkPolicies().List(context.TODO(), metav1.ListOptions{}) if err != nil { return errors.Wrapf(err, "unable to list AntreaClusterNetworkPolicies") } 
@@ -946,33 +945,33 @@ func (data *TestData) CleanACNPs() error { } // CreateOrUpdateANNP is a convenience function for updating/creating Antrea NetworkPolicies. -func (data *TestData) CreateOrUpdateANNP(annp *crdv1alpha1.NetworkPolicy) (*crdv1alpha1.NetworkPolicy, error) { +func (data *TestData) CreateOrUpdateANNP(annp *crdv1beta1.NetworkPolicy) (*crdv1beta1.NetworkPolicy, error) { log.Infof("Creating/updating Antrea NetworkPolicy %s/%s", annp.Namespace, annp.Name) - cnpReturned, err := data.crdClient.CrdV1alpha1().NetworkPolicies(annp.Namespace).Get(context.TODO(), annp.Name, metav1.GetOptions{}) + cnpReturned, err := data.crdClient.CrdV1beta1().NetworkPolicies(annp.Namespace).Get(context.TODO(), annp.Name, metav1.GetOptions{}) if err != nil { log.Debugf("Creating Antrea NetworkPolicy %s", annp.Name) - annp, err = data.crdClient.CrdV1alpha1().NetworkPolicies(annp.Namespace).Create(context.TODO(), annp, metav1.CreateOptions{}) + annp, err = data.crdClient.CrdV1beta1().NetworkPolicies(annp.Namespace).Create(context.TODO(), annp, metav1.CreateOptions{}) if err != nil { log.Debugf("Unable to create Antrea NetworkPolicy: %s", err) } return annp, err } else if cnpReturned.Name != "" { log.Debugf("Antrea NetworkPolicy with name %s already exists, updating", annp.Name) - annp, err = data.crdClient.CrdV1alpha1().NetworkPolicies(annp.Namespace).Update(context.TODO(), annp, metav1.UpdateOptions{}) + annp, err = data.crdClient.CrdV1beta1().NetworkPolicies(annp.Namespace).Update(context.TODO(), annp, metav1.UpdateOptions{}) return annp, err } return nil, fmt.Errorf("error occurred in creating/updating Antrea NetworkPolicy %s", annp.Name) } // GetANNP is a convenience function for getting AntreaNetworkPolicies. 
-func (data *TestData) GetANNP(namespace, name string) (*crdv1alpha1.NetworkPolicy, error) { - return data.crdClient.CrdV1alpha1().NetworkPolicies(namespace).Get(context.TODO(), name, metav1.GetOptions{}) +func (data *TestData) GetANNP(namespace, name string) (*crdv1beta1.NetworkPolicy, error) { + return data.crdClient.CrdV1beta1().NetworkPolicies(namespace).Get(context.TODO(), name, metav1.GetOptions{}) } // DeleteANNP is a convenience function for deleting ANNP by name and Namespace. func (data *TestData) DeleteANNP(ns, name string) error { log.Infof("Deleting Antrea NetworkPolicy '%s/%s'", ns, name) - err := data.crdClient.CrdV1alpha1().NetworkPolicies(ns).Delete(context.TODO(), name, metav1.DeleteOptions{}) + err := data.crdClient.CrdV1beta1().NetworkPolicies(ns).Delete(context.TODO(), name, metav1.DeleteOptions{}) if err != nil { return errors.Wrapf(err, "unable to delete Antrea NetworkPolicy %s", name) } @@ -982,7 +981,7 @@ func (data *TestData) DeleteANNP(ns, name string) error { // CleanANNPs is a convenience function for deleting all Antrea NetworkPolicies in provided namespaces. func (data *TestData) CleanANNPs(namespaces []string) error { for _, ns := range namespaces { - l, err := data.crdClient.CrdV1alpha1().NetworkPolicies(ns).List(context.TODO(), metav1.ListOptions{}) + l, err := data.crdClient.CrdV1beta1().NetworkPolicies(ns).List(context.TODO(), metav1.ListOptions{}) if err != nil { return errors.Wrapf(err, "unable to list Antrea NetworkPolicies in ns %s", ns) } 
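Review bot: In CreateOrUpdateANNP the update branch passes the caller's `annp` to `Update` and uses the fetched `cnpReturned` only for the `Name != ""` check, whereas CreateOrUpdateACNP copies the new Spec into the fetched object and writes that back, so the server-side metadata (presumably resourceVersion in particular) is kept on the object being updated — verify whether a caller-built `annp` without it is rejected or silently overwrites concurrent writes for this CRD. Aligning with the ACNP helper would be `cnpReturned.Spec = annp.Spec` followed by `annp, err = data.crdClient.CrdV1beta1().NetworkPolicies(annp.Namespace).Update(context.TODO(), cnpReturned, metav1.UpdateOptions{})`. The local would also read better as `annpReturned`, since it holds a NetworkPolicy rather than a ClusterNetworkPolicy. CreateOrUpdateANNP starts in the previous physical line; this hunk also covers GetANNP and the beginning of DeleteANNP, whose body continues outside it.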
@@ -998,11 +997,11 @@ func (data *TestData) CleanANNPs(namespaces []string) error { func (data *TestData) WaitForANNPCreationAndRealization(t *testing.T, namespace string, name string, timeout time.Duration) error { t.Logf("Waiting for ANNP '%s/%s' to be realized", namespace, name) if err := wait.Poll(100*time.Millisecond, timeout, func() (bool, error) { - annp, err := data.crdClient.CrdV1alpha1().NetworkPolicies(namespace).Get(context.TODO(), name, metav1.GetOptions{}) + annp, err := data.crdClient.CrdV1beta1().NetworkPolicies(namespace).Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { return false, nil } - return annp.Status.ObservedGeneration == annp.Generation && annp.Status.Phase == crdv1alpha1.NetworkPolicyRealized, nil + return annp.Status.ObservedGeneration == annp.Generation && annp.Status.Phase == crdv1beta1.NetworkPolicyRealized, nil }); err != nil { return fmt.Errorf("error when waiting for ANNP '%s/%s' to be realized: %v", namespace, name, err) } @@ -1012,11 +1011,11 @@ func (data *TestData) WaitForANNPCreationAndRealization(t *testing.T, namespace func (data *TestData) WaitForACNPCreationAndRealization(t *testing.T, name string, timeout time.Duration) error { t.Logf("Waiting for ACNP '%s' to be created and realized", name) if err := wait.Poll(100*time.Millisecond, timeout, func() (bool, error) { - acnp, err := data.crdClient.CrdV1alpha1().ClusterNetworkPolicies().Get(context.TODO(), name, metav1.GetOptions{}) + acnp, err := data.crdClient.CrdV1beta1().ClusterNetworkPolicies().Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { return false, nil } - return acnp.Status.ObservedGeneration == acnp.Generation && acnp.Status.Phase == crdv1alpha1.NetworkPolicyRealized, nil + return acnp.Status.ObservedGeneration == acnp.Generation && acnp.Status.Phase == crdv1beta1.NetworkPolicyRealized, nil }); err != nil { return fmt.Errorf("error when waiting for ACNP '%s' to be realized: %v", name, err) } 
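Review bot: In the poll closure of WaitForACNPCreationAndRealization, `return false, nil` on any error from `CrdV1beta1().ClusterNetworkPolicies().Get(...)` keeps polling through errors that will never clear (Forbidden, connection refused), so the caller only learns "timed out" after the full `timeout` and the real cause is lost. Only NotFound should be retried: `if err != nil { if apierrors.IsNotFound(err) { return false, nil }; return false, err }` (with `apierrors` being `k8s.io/apimachinery/pkg/api/errors`, if the file does not already import it under that name). The same applies to the `NetworkPolicies(namespace).Get` closure in WaitForANNPCreationAndRealization in the preceding hunk.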
diff --git a/test/e2e/l7networkpolicy_test.go b/test/e2e/l7networkpolicy_test.go index c35c40dcc5e..ba30ef86ecc 100644 --- a/test/e2e/l7networkpolicy_test.go +++ b/test/e2e/l7networkpolicy_test.go @@ -27,7 +27,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/wait" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" agentconfig "antrea.io/antrea/pkg/config/agent" "antrea.io/antrea/pkg/features" . "antrea.io/antrea/test/e2e/utils" @@ -71,7 +71,7 @@ func createL7NetworkPolicy(t *testing.T, appliedToPodSelector map[string]string, l4Protocol AntreaPolicyProtocol, port int32, - l7Protocols []crdv1alpha1.L7Protocol) { + l7Protocols []crdv1beta1.L7Protocol) { annpBuilder := &AntreaNetworkPolicySpecBuilder{} annpBuilder = annpBuilder.SetName(data.testNamespace, name).SetPriority(priority) if isIngress { @@ -92,7 +92,7 @@ func createL7NetworkPolicy(t *testing.T, nil, nil, []ANNPAppliedToSpec{{PodSelector: appliedToPodSelector}}, - crdv1alpha1.RuleActionAllow, + crdv1beta1.RuleActionAllow, "", "") } else { @@ -113,14 +113,14 @@ func createL7NetworkPolicy(t *testing.T, nil, nil, []ANNPAppliedToSpec{{PodSelector: appliedToPodSelector}}, - crdv1alpha1.RuleActionAllow, + crdv1beta1.RuleActionAllow, "", "") } annp := annpBuilder.Get() t.Logf("Creating ANNP %v", annp.Name) - _, err := data.crdClient.CrdV1alpha1().NetworkPolicies(data.testNamespace).Create(context.TODO(), annp, metav1.CreateOptions{}) + _, err := data.crdClient.CrdV1beta1().NetworkPolicies(data.testNamespace).Create(context.TODO(), annp, metav1.CreateOptions{}) assert.NoError(t, err) } 
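Review bot: `assert.NoError(t, err)` after the `CrdV1beta1().NetworkPolicies(data.testNamespace).Create(...)` call in createL7NetworkPolicy records the failure but lets the caller carry on, so when the ANNP was never created the subsequent L7 probes run against an unpoliced Pod and produce confusing secondary failures (an expected-denied HTTP path unexpectedly succeeds). As this is a setup helper, failing fast is clearer: `require.NoError(t, err)`, which the file already uses elsewhere (for example in testL7NetworkPolicyTLS). createL7NetworkPolicy begins outside this hunk.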
@@ -211,17 +211,17 @@ func testL7NetworkPolicyHTTP(t *testing.T, data *TestData) { serverIPs = append(serverIPs, podIPs.ipv6) } - l7ProtocolAllowsPathHostname := []crdv1alpha1.L7Protocol{ + l7ProtocolAllowsPathHostname := []crdv1beta1.L7Protocol{ { - HTTP: &crdv1alpha1.HTTPProtocol{ + HTTP: &crdv1beta1.HTTPProtocol{ Method: "GET", Path: "/host*", }, }, } - l7ProtocolAllowsAnyPath := []crdv1alpha1.L7Protocol{ + l7ProtocolAllowsAnyPath := []crdv1beta1.L7Protocol{ { - HTTP: &crdv1alpha1.HTTPProtocol{ + HTTP: &crdv1beta1.HTTPProtocol{ Method: "GET", }, }, @@ -246,14 +246,14 @@ func testL7NetworkPolicyHTTP(t *testing.T, data *TestData) { probeL7NetworkPolicyHTTP(t, data, serverPodName, clientPodName, serverIPs, true, false) // Delete the first L7 NetworkPolicy that only allows HTTP path 'hostname'. - data.crdClient.CrdV1alpha1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policyAllowPathHostname, metav1.DeleteOptions{}) + data.crdClient.CrdV1beta1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policyAllowPathHostname, metav1.DeleteOptions{}) time.Sleep(networkPolicyDelay) // Since the fist L7 NetworkPolicy has been deleted, corresponding packets will be matched by the second L7 NetworkPolicy, // and the second L7 NetworkPolicy allows any HTTP path, then both path 'hostname' and 'clientip' are allowed. probeL7NetworkPolicyHTTP(t, data, serverPodName, clientPodName, serverIPs, true, true) - data.crdClient.CrdV1alpha1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policyAllowAnyPath, metav1.DeleteOptions{}) + data.crdClient.CrdV1beta1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policyAllowAnyPath, metav1.DeleteOptions{}) }) time.Sleep(networkPolicyDelay) 
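Review bot: Both `CrdV1beta1().NetworkPolicies(data.testNamespace).Delete(...)` calls in this hunk discard the returned error, so if the first deletion fails the policy that only allows `/host*` stays in place and the following `probeL7NetworkPolicyHTTP(..., true, true)` fails with a message about traffic rather than about the deletion that actually went wrong, while a failed second deletion leaks the policy into later subtests. Wrap them: `require.NoError(t, data.crdClient.CrdV1beta1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policyAllowPathHostname, metav1.DeleteOptions{}))` and likewise for `policyAllowAnyPath`. The enclosing t.Run closure and testL7NetworkPolicyHTTP start outside this hunk.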
@@ -273,7 +273,7 @@ func testL7NetworkPolicyHTTP(t *testing.T, data *TestData) { probeL7NetworkPolicyHTTP(t, data, serverPodName, clientPodName, serverIPs, true, false) // Delete the first L7 NetworkPolicy that only allows HTTP path 'hostname'. - data.crdClient.CrdV1alpha1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policyAllowPathHostname, metav1.DeleteOptions{}) + data.crdClient.CrdV1beta1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policyAllowPathHostname, metav1.DeleteOptions{}) time.Sleep(networkPolicyDelay) // Since the fist L7 NetworkPolicy has been deleted, corresponding packets will be matched by the second L7 NetworkPolicy, @@ -294,16 +294,16 @@ func testL7NetworkPolicyTLS(t *testing.T, data *TestData) { } require.NoError(t, data.podWaitForRunning(defaultTimeout, clientPodName, data.testNamespace)) - l7ProtocolAllowsGoogle := []crdv1alpha1.L7Protocol{ + l7ProtocolAllowsGoogle := []crdv1beta1.L7Protocol{ { - TLS: &crdv1alpha1.TLSProtocol{ + TLS: &crdv1beta1.TLSProtocol{ SNI: "*.google.com", }, }, } - l7ProtocolAllowsFacebook := []crdv1alpha1.L7Protocol{ + l7ProtocolAllowsFacebook := []crdv1beta1.L7Protocol{ { - TLS: &crdv1alpha1.TLSProtocol{ + TLS: &crdv1beta1.TLSProtocol{ SNI: "*.facebook.com", }, }, @@ -323,7 +323,7 @@ func testL7NetworkPolicyTLS(t *testing.T, data *TestData) { probeL7NetworkPolicyTLS(t, data, clientPodName, "www.facebook.com", false) // Delete the first L7 NetworkPolicy that allows server name '*.google.com'. - data.crdClient.CrdV1alpha1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policyAllowSNI1, metav1.DeleteOptions{}) + data.crdClient.CrdV1beta1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policyAllowSNI1, metav1.DeleteOptions{}) time.Sleep(networkPolicyDelay) probeL7NetworkPolicyTLS(t, data, clientPodName, "apis.google.com", false) diff --git a/test/e2e/multicast_test.go b/test/e2e/multicast_test.go index 56af1cb3d93..50bb83646cc 100644 
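Review bot: The `Delete(context.TODO(), policyAllowSNI1, metav1.DeleteOptions{})` call in the TLS test drops its error; if the `*.google.com` allow policy is not actually removed, the next `probeL7NetworkPolicyTLS(t, data, clientPodName, "apis.google.com", false)` fails on a traffic assertion instead of reporting the deletion failure, and the stale policy survives into cleanup. Prefer `require.NoError(t, data.crdClient.CrdV1beta1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policyAllowSNI1, metav1.DeleteOptions{}))`, consistent with the `require.NoError` already used earlier in testL7NetworkPolicyTLS. testL7NetworkPolicyTLS begins and ends outside this hunk.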
--- a/test/e2e/multicast_test.go +++ b/test/e2e/multicast_test.go @@ -32,7 +32,7 @@ import ( "antrea.io/antrea/pkg/agent/config" "antrea.io/antrea/pkg/agent/multicast" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" ) func skipIfMulticastDisabled(tb testing.TB, data *TestData) { @@ -183,8 +183,8 @@ func runMulticastTestCases(t *testing.T, data *TestData, nodeMulticastInterfaces name: "anp1-multicast", appliedToPod: "test1-sender-1", ruleConfigs: []ruleConfig{ - {name: "allow-multicast-traffic", address: "225.20.2.3", action: crdv1alpha1.RuleActionAllow}, - {name: "drop-multicast-traffic", address: "225.20.2.2", action: crdv1alpha1.RuleActionDrop}, + {name: "allow-multicast-traffic", address: "225.20.2.3", action: crdv1beta1.RuleActionAllow}, + {name: "drop-multicast-traffic", address: "225.20.2.2", action: crdv1beta1.RuleActionDrop}, }, }, }, @@ -205,8 +205,8 @@ func runMulticastTestCases(t *testing.T, data *TestData, nodeMulticastInterfaces name: "anp1-igmp", appliedToPod: "test2-receiver-1", ruleConfigs: []ruleConfig{ - {name: "allow-igmp-report", address: "225.20.3.3", action: crdv1alpha1.RuleActionAllow}, - {name: "drop-igmp-report", address: "225.20.3.2", action: crdv1alpha1.RuleActionDrop}, + {name: "allow-igmp-report", address: "225.20.3.3", action: crdv1beta1.RuleActionAllow}, + {name: "drop-igmp-report", address: "225.20.3.2", action: crdv1beta1.RuleActionDrop}, }, }, }, 
@@ -235,8 +235,8 @@ func runMulticastTestCases(t *testing.T, data *TestData, nodeMulticastInterfaces name: "anp1-mixed", appliedToPod: "test3-sender-1", ruleConfigs: []ruleConfig{ - {name: "allow-multicast-traffic", address: "225.20.1.3", action: crdv1alpha1.RuleActionAllow}, - {name: "drop-multicast-traffic", address: "225.20.1.2", action: crdv1alpha1.RuleActionDrop}, + {name: "allow-multicast-traffic", address: "225.20.1.3", action: crdv1beta1.RuleActionAllow}, + {name: "drop-multicast-traffic", address: "225.20.1.2", action: crdv1beta1.RuleActionDrop}, }, }, }, @@ -245,14 +245,14 @@ func runMulticastTestCases(t *testing.T, data *TestData, nodeMulticastInterfaces name: "anp2-mixed", appliedToPod: "test3-receiver-1", ruleConfigs: []ruleConfig{ - {name: "allow-igmp-report", address: "225.20.1.2", action: crdv1alpha1.RuleActionAllow}, - {name: "drop-igmp-report", address: "225.20.1.3", action: crdv1alpha1.RuleActionDrop}, + {name: "allow-igmp-report", address: "225.20.1.2", action: crdv1beta1.RuleActionAllow}, + {name: "drop-igmp-report", address: "225.20.1.3", action: crdv1beta1.RuleActionDrop}, }, }, { name: "anp3-mixed", appliedToPod: "test3-receiver-1", - ruleConfigs: []ruleConfig{{name: "allow-igmp-query", igmpType: &igmpQueryType, address: "224.0.0.1", action: crdv1alpha1.RuleActionAllow}}, + ruleConfigs: []ruleConfig{{name: "allow-igmp-query", igmpType: &igmpQueryType, address: "224.0.0.1", action: crdv1beta1.RuleActionAllow}}, }, }, antctlResults: map[string]multicast.PodTrafficStats{ @@ -331,7 +331,7 @@ type ruleConfig struct { name string address string igmpType *int32 - action crdv1alpha1.RuleAction + action crdv1beta1.RuleAction } // testMulticastStatsWithSendersReceivers tests multiple multicast senders and receivers cases with specified AntreaNetworkPolicies which may drop/allow IGMP or Multicast traffic. 
@@ -354,21 +354,21 @@ func testMulticastStatsWithSendersReceivers(t *testing.T, data *TestData, mc mul p10 := float64(10) for _, anp := range mc.multicastANPConfigs { - np := &crdv1alpha1.NetworkPolicy{ + np := &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: data.testNamespace, Name: anp.name, Labels: map[string]string{"antrea-e2e": anp.name}}, - Spec: crdv1alpha1.NetworkPolicySpec{ + Spec: crdv1beta1.NetworkPolicySpec{ Priority: p10, - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"antrea-e2e": anp.appliedToPod}}}, }, - Egress: []crdv1alpha1.Rule{}, + Egress: []crdv1beta1.Rule{}, }, } for i := range anp.ruleConfigs { - np.Spec.Egress = append(np.Spec.Egress, crdv1alpha1.Rule{ - To: []crdv1alpha1.NetworkPolicyPeer{ + np.Spec.Egress = append(np.Spec.Egress, crdv1beta1.Rule{ + To: []crdv1beta1.NetworkPolicyPeer{ { - IPBlock: &crdv1alpha1.IPBlock{ + IPBlock: &crdv1beta1.IPBlock{ CIDR: fmt.Sprintf("%s/32", anp.ruleConfigs[i].address), }, }, @@ -388,23 +388,23 @@ func testMulticastStatsWithSendersReceivers(t *testing.T, data *TestData, mc mul } for _, anp := range mc.igmpANPConfigs { - np := &crdv1alpha1.NetworkPolicy{ + np := &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: data.testNamespace, Name: anp.name, Labels: map[string]string{"antrea-e2e": anp.name}}, - Spec: crdv1alpha1.NetworkPolicySpec{ + Spec: crdv1beta1.NetworkPolicySpec{ Priority: p10, - AppliedTo: []crdv1alpha1.AppliedTo{ + AppliedTo: []crdv1beta1.AppliedTo{ {PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"antrea-e2e": anp.appliedToPod}}}, }, - Egress: []crdv1alpha1.Rule{}, - Ingress: []crdv1alpha1.Rule{}, + Egress: []crdv1beta1.Rule{}, + Ingress: []crdv1beta1.Rule{}, }, } for i := range anp.ruleConfigs { - rule := crdv1alpha1.Rule{ - From: []crdv1alpha1.NetworkPolicyPeer{}, - Protocols: []crdv1alpha1.NetworkPolicyProtocol{ + rule := crdv1beta1.Rule{ + 
From: []crdv1beta1.NetworkPolicyPeer{}, + Protocols: []crdv1beta1.NetworkPolicyProtocol{ { - IGMP: &crdv1alpha1.IGMPProtocol{IGMPType: anp.ruleConfigs[i].igmpType, GroupAddress: anp.ruleConfigs[i].address}, + IGMP: &crdv1beta1.IGMPProtocol{IGMPType: anp.ruleConfigs[i].igmpType, GroupAddress: anp.ruleConfigs[i].address}, }, }, Action: &anp.ruleConfigs[i].action, diff --git a/test/e2e/traceflow_test.go b/test/e2e/traceflow_test.go index eceabc66d61..ff955ab31e0 100644 --- a/test/e2e/traceflow_test.go +++ b/test/e2e/traceflow_test.go @@ -35,6 +35,7 @@ import ( "antrea.io/antrea/pkg/apis/controlplane/v1beta2" "antrea.io/antrea/pkg/apis/crd/v1alpha1" "antrea.io/antrea/pkg/apis/crd/v1alpha2" + "antrea.io/antrea/pkg/apis/crd/v1beta1" "antrea.io/antrea/pkg/features" "antrea.io/antrea/pkg/util/k8s" ) @@ -117,7 +118,7 @@ func testTraceflowIntraNodeANNP(t *testing.T, data *TestData) { // Containerd configures port asynchronously, which could cause execution time of installing flow longer than docker. time.Sleep(time.Second * 1) - var denyIngress *v1alpha1.NetworkPolicy + var denyIngress *v1beta1.NetworkPolicy denyIngressName := "test-annp-deny-ingress" if denyIngress, err = data.createANNPDenyIngress("antrea-e2e", node1Pods[1], denyIngressName, false); err != nil { t.Fatalf("Error when creating Antrea NetworkPolicy: %v", err) @@ -130,7 +131,7 @@ func testTraceflowIntraNodeANNP(t *testing.T, data *TestData) { if err = data.waitForANNPRealized(t, data.testNamespace, denyIngressName, policyRealizedTimeout); err != nil { t.Fatal(err) } - var rejectIngress *v1alpha1.NetworkPolicy + var rejectIngress *v1beta1.NetworkPolicy rejectIngressName := "test-annp-reject-ingress" if rejectIngress, err = data.createANNPDenyIngress("antrea-e2e", node1Pods[2], rejectIngressName, true); err != nil { t.Fatalf("Error when creating Antrea NetworkPolicy: %v", err) 
@@ -2281,22 +2282,22 @@ func compareObservations(expected v1alpha1.NodeResult, actual v1alpha1.NodeResul } // createANNPDenyIngress creates an Antrea NetworkPolicy that denies ingress traffic for pods of specific label. -func (data *TestData) createANNPDenyIngress(key string, value string, name string, isReject bool) (*v1alpha1.NetworkPolicy, error) { - dropACT := v1alpha1.RuleActionDrop +func (data *TestData) createANNPDenyIngress(key string, value string, name string, isReject bool) (*v1beta1.NetworkPolicy, error) { + dropACT := v1beta1.RuleActionDrop if isReject { - dropACT = v1alpha1.RuleActionReject + dropACT = v1beta1.RuleActionReject } - annp := v1alpha1.NetworkPolicy{ + annp := v1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: name, Labels: map[string]string{ "antrea-e2e": name, }, }, - Spec: v1alpha1.NetworkPolicySpec{ + Spec: v1beta1.NetworkPolicySpec{ Tier: defaultTierName, Priority: 250, - AppliedTo: []v1alpha1.AppliedTo{ + AppliedTo: []v1beta1.AppliedTo{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ @@ -2305,18 +2306,18 @@ func (data *TestData) createANNPDenyIngress(key string, value string, name strin }, }, }, - Ingress: []v1alpha1.Rule{ + Ingress: []v1beta1.Rule{ { Action: &dropACT, - Ports: []v1alpha1.NetworkPolicyPort{}, - From: []v1alpha1.NetworkPolicyPeer{}, - To: []v1alpha1.NetworkPolicyPeer{}, + Ports: []v1beta1.NetworkPolicyPort{}, + From: []v1beta1.NetworkPolicyPeer{}, + To: []v1beta1.NetworkPolicyPeer{}, }, }, - Egress: []v1alpha1.Rule{}, + Egress: []v1beta1.Rule{}, }, } - annpCreated, err := k8sUtils.crdClient.CrdV1alpha1().NetworkPolicies(data.testNamespace).Create(context.TODO(), &annp, metav1.CreateOptions{}) + annpCreated, err := k8sUtils.crdClient.CrdV1beta1().NetworkPolicies(data.testNamespace).Create(context.TODO(), &annp, metav1.CreateOptions{}) if err != nil { return nil, err } 
@@ -2324,8 +2325,8 @@ func (data *TestData) createANNPDenyIngress(key string, value string, name strin } // deleteAntreaNetworkpolicy deletes an Antrea NetworkPolicy. -func (data *TestData) deleteAntreaNetworkpolicy(policy *v1alpha1.NetworkPolicy) error { - if err := k8sUtils.crdClient.CrdV1alpha1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policy.Name, metav1.DeleteOptions{}); err != nil { +func (data *TestData) deleteAntreaNetworkpolicy(policy *v1beta1.NetworkPolicy) error { + if err := k8sUtils.crdClient.CrdV1beta1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policy.Name, metav1.DeleteOptions{}); err != nil { return fmt.Errorf("unable to cleanup policy %v: %v", policy.Name, err) } return nil diff --git a/test/e2e/utils/annp_spec_builder.go b/test/e2e/utils/annp_spec_builder.go index 0f4e2f415a7..670aa584ca4 100644 --- a/test/e2e/utils/annp_spec_builder.go +++ b/test/e2e/utils/annp_spec_builder.go @@ -17,11 +17,11 @@ package utils import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" ) type AntreaNetworkPolicySpecBuilder struct { - Spec crdv1alpha1.NetworkPolicySpec + Spec crdv1beta1.NetworkPolicySpec Name string Namespace string } @@ -34,14 +34,14 @@ type ANNPAppliedToSpec struct { Group string } -func (b *AntreaNetworkPolicySpecBuilder) Get() *crdv1alpha1.NetworkPolicy { +func (b *AntreaNetworkPolicySpecBuilder) Get() *crdv1beta1.NetworkPolicy { if b.Spec.Ingress == nil { - b.Spec.Ingress = []crdv1alpha1.Rule{} + b.Spec.Ingress = []crdv1beta1.Rule{} } if b.Spec.Egress == nil { - b.Spec.Egress = []crdv1alpha1.Rule{} + b.Spec.Egress = []crdv1beta1.Rule{} } - return &crdv1alpha1.NetworkPolicy{ + return &crdv1beta1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: b.Name, Namespace: b.Namespace, 
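Review bot: deleteAntreaNetworkpolicy deletes `policy.Name` from `data.testNamespace` rather than from `policy.Namespace`, so a policy object that lives in any other namespace (or a hand-built one whose ObjectMeta.Namespace differs) is not the object removed, and the helper reports NotFound for a namespace the policy was never in. Using the object's own namespace keeps the helper honest about what it deletes: `k8sUtils.crdClient.CrdV1beta1().NetworkPolicies(policy.Namespace).Delete(context.TODO(), policy.Name, metav1.DeleteOptions{})`, with the namespace added to the error, `fmt.Errorf("unable to cleanup policy %s/%s: %v", policy.Namespace, policy.Name, err)`. Objects returned by the Create in createANNPDenyIngress should carry the server-populated Namespace, so existing callers are presumably unaffected; worth confirming against the call sites.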
@@ -78,7 +78,7 @@ func (b *AntreaNetworkPolicySpecBuilder) GetAppliedToPeer(podSelector map[string podSelectorMatchExp []metav1.LabelSelectorRequirement, entitySelector map[string]string, entitySelectorMatchExp []metav1.LabelSelectorRequirement, - appliedToGrp string) crdv1alpha1.AppliedTo { + appliedToGrp string) crdv1beta1.AppliedTo { var ps, ees *metav1.LabelSelector if len(entitySelector) > 0 || len(entitySelectorMatchExp) > 0 { ees = &metav1.LabelSelector{ @@ -92,7 +92,7 @@ func (b *AntreaNetworkPolicySpecBuilder) GetAppliedToPeer(podSelector map[string MatchExpressions: podSelectorMatchExp, } } - peer := crdv1alpha1.AppliedTo{ + peer := crdv1beta1.AppliedTo{ PodSelector: ps, ExternalEntitySelector: ees, } @@ -103,14 +103,14 @@ func (b *AntreaNetworkPolicySpecBuilder) GetAppliedToPeer(podSelector map[string } func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol, - port *int32, portName *string, endPort, icmpType, icmpCode, igmpType *int32, l7Protocols []crdv1alpha1.L7Protocol, + port *int32, portName *string, endPort, icmpType, icmpCode, igmpType *int32, l7Protocols []crdv1beta1.L7Protocol, groupAddress, cidr *string, podSelector map[string]string, nsSelector map[string]string, eeSelector map[string]string, podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, eeSelectorMatchExp []metav1.LabelSelectorRequirement, - ruleAppliedToSpecs []ANNPAppliedToSpec, action crdv1alpha1.RuleAction, ruleGroup, name string) *AntreaNetworkPolicySpecBuilder { + ruleAppliedToSpecs []ANNPAppliedToSpec, action crdv1beta1.RuleAction, ruleGroup, name string) *AntreaNetworkPolicySpecBuilder { var ps, ns, ees *metav1.LabelSelector - var appliedTos []crdv1alpha1.AppliedTo + var appliedTos []crdv1beta1.AppliedTo if b.Spec.Ingress == nil { - b.Spec.Ingress = []crdv1alpha1.Rule{} + b.Spec.Ingress = []crdv1beta1.Rule{} } if len(podSelector) > 0 || len(podSelectorMatchExp) > 0 { 
@@ -131,9 +131,9 @@ func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol, MatchExpressions: eeSelectorMatchExp, } } - var ipBlock *crdv1alpha1.IPBlock + var ipBlock *crdv1beta1.IPBlock if cidr != nil { - ipBlock = &crdv1alpha1.IPBlock{ + ipBlock = &crdv1beta1.IPBlock{ CIDR: *cidr, } } @@ -141,9 +141,9 @@ func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol, appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.PodSelectorMatchExp, at.ExternalEntitySelector, at.ExternalEntitySelectorMatchExp, at.Group)) } // An empty From/To in ANNP rules evaluates to match all addresses. - policyPeer := make([]crdv1alpha1.NetworkPolicyPeer, 0) + policyPeer := make([]crdv1beta1.NetworkPolicyPeer, 0) if ps != nil || ns != nil || ipBlock != nil || ruleGroup != "" || ees != nil { - policyPeer = []crdv1alpha1.NetworkPolicyPeer{{ + policyPeer = []crdv1beta1.NetworkPolicyPeer{{ PodSelector: ps, NamespaceSelector: ns, ExternalEntitySelector: ees, @@ -152,7 +152,7 @@ func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol, }} } ports, protocols := GenPortsOrProtocols(protoc, port, portName, endPort, nil, nil, icmpType, icmpCode, igmpType, groupAddress) - newRule := crdv1alpha1.Rule{ + newRule := crdv1beta1.Rule{ From: policyPeer, Ports: ports, Protocols: protocols, 
@@ -166,10 +166,10 @@ func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol, } func (b *AntreaNetworkPolicySpecBuilder) AddEgress(protoc AntreaPolicyProtocol, - port *int32, portName *string, endPort, icmpType, icmpCode, igmpType *int32, l7Protocols []crdv1alpha1.L7Protocol, + port *int32, portName *string, endPort, icmpType, icmpCode, igmpType *int32, l7Protocols []crdv1beta1.L7Protocol, groupAddress, cidr *string, podSelector map[string]string, nsSelector map[string]string, eeSelector map[string]string, podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, eeSelectorMatchExp []metav1.LabelSelectorRequirement, - ruleAppliedToSpecs []ANNPAppliedToSpec, action crdv1alpha1.RuleAction, ruleGroup, name string) *AntreaNetworkPolicySpecBuilder { + ruleAppliedToSpecs []ANNPAppliedToSpec, action crdv1beta1.RuleAction, ruleGroup, name string) *AntreaNetworkPolicySpecBuilder { // For simplicity, we just reuse the Ingress code here. The underlying data model for ingress/egress is identical // With the exception of calling the rule `To` vs. `From`. @@ -178,7 +178,7 @@ func (b *AntreaNetworkPolicySpecBuilder) AddEgress(protoc AntreaPolicyProtocol, podSelectorMatchExp, nsSelectorMatchExp, eeSelectorMatchExp, ruleAppliedToSpecs, action, ruleGroup, name) theRule := c.Get().Spec.Ingress[0] - b.Spec.Egress = append(b.Spec.Egress, crdv1alpha1.Rule{ + b.Spec.Egress = append(b.Spec.Egress, crdv1beta1.Rule{ To: theRule.From, Ports: theRule.Ports, Action: theRule.Action, 
@@ -189,14 +189,14 @@ func (b *AntreaNetworkPolicySpecBuilder) AddEgress(protoc AntreaPolicyProtocol, return b } -func (b *AntreaNetworkPolicySpecBuilder) AddToServicesRule(svcRefs []crdv1alpha1.PeerService, - name string, ruleAppliedToSpecs []ANNPAppliedToSpec, action crdv1alpha1.RuleAction) *AntreaNetworkPolicySpecBuilder { - var appliedTos []crdv1alpha1.AppliedTo +func (b *AntreaNetworkPolicySpecBuilder) AddToServicesRule(svcRefs []crdv1beta1.PeerService, + name string, ruleAppliedToSpecs []ANNPAppliedToSpec, action crdv1beta1.RuleAction) *AntreaNetworkPolicySpecBuilder { + var appliedTos []crdv1beta1.AppliedTo for _, at := range ruleAppliedToSpecs { appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.PodSelectorMatchExp, at.ExternalEntitySelector, at.ExternalEntitySelectorMatchExp, at.Group)) } - newRule := crdv1alpha1.Rule{ - To: make([]crdv1alpha1.NetworkPolicyPeer, 0), + newRule := crdv1beta1.Rule{ + To: make([]crdv1beta1.NetworkPolicyPeer, 0), ToServices: svcRefs, Action: &action, Name: name, diff --git a/test/e2e/utils/cg_spec_builder.go b/test/e2e/utils/cg_spec_builder.go index a8cf41dad1d..05be51ffa09 100644 --- a/test/e2e/utils/cg_spec_builder.go +++ b/test/e2e/utils/cg_spec_builder.go @@ -17,7 +17,6 @@ package utils import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" ) 
@@ -69,13 +68,13 @@ func (b *ClusterGroupSpecBuilder) SetNamespaceSelector(nsSelector map[string]str return b } -func (b *ClusterGroupSpecBuilder) SetIPBlocks(ipBlocks []crdv1alpha1.IPBlock) *ClusterGroupSpecBuilder { +func (b *ClusterGroupSpecBuilder) SetIPBlocks(ipBlocks []crdv1beta1.IPBlock) *ClusterGroupSpecBuilder { b.Spec.IPBlocks = ipBlocks return b } func (b *ClusterGroupSpecBuilder) SetServiceReference(svcNS, svcName string) *ClusterGroupSpecBuilder { - svcRef := &crdv1alpha1.NamespacedName{ + svcRef := &crdv1beta1.NamespacedName{ Namespace: svcNS, Name: svcName, } diff --git a/test/e2e/utils/cnp_spec_builder.go b/test/e2e/utils/cnp_spec_builder.go index 187213f2e65..83d0ee424bb 100644 --- a/test/e2e/utils/cnp_spec_builder.go +++ b/test/e2e/utils/cnp_spec_builder.go @@ -18,11 +18,11 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" - crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" ) type ClusterNetworkPolicySpecBuilder struct { - Spec crdv1alpha1.ClusterNetworkPolicySpec + Spec crdv1beta1.ClusterNetworkPolicySpec Name string } @@ -32,17 +32,17 @@ type ACNPAppliedToSpec struct { PodSelectorMatchExp []metav1.LabelSelectorRequirement NSSelectorMatchExp []metav1.LabelSelectorRequirement Group string - Service *crdv1alpha1.NamespacedName + Service *crdv1beta1.NamespacedName } -func (b *ClusterNetworkPolicySpecBuilder) Get() *crdv1alpha1.ClusterNetworkPolicy { +func (b *ClusterNetworkPolicySpecBuilder) Get() *crdv1beta1.ClusterNetworkPolicy { if b.Spec.Ingress == nil { - b.Spec.Ingress = []crdv1alpha1.Rule{} + b.Spec.Ingress = []crdv1beta1.Rule{} } if b.Spec.Egress == nil { - b.Spec.Egress = []crdv1alpha1.Rule{} + b.Spec.Egress = []crdv1beta1.Rule{} } - return &crdv1alpha1.ClusterNetworkPolicy{ + return &crdv1beta1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: b.Name, }, 
@@ -78,7 +78,7 @@ func (b *ClusterNetworkPolicySpecBuilder) GetAppliedToPeer(podSelector map[strin podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, appliedToCG string, - service *crdv1alpha1.NamespacedName) crdv1alpha1.AppliedTo { + service *crdv1beta1.NamespacedName) crdv1beta1.AppliedTo { var ps *metav1.LabelSelector var ns *metav1.LabelSelector @@ -95,7 +95,7 @@ func (b *ClusterNetworkPolicySpecBuilder) GetAppliedToPeer(podSelector map[strin MatchExpressions: nsSelectorMatchExp, } } - peer := crdv1alpha1.AppliedTo{ + peer := crdv1beta1.AppliedTo{ PodSelector: ps, NamespaceSelector: ns, } @@ -112,16 +112,16 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol port *int32, portName *string, endPort, icmpType, icmpCode, igmpType *int32, groupAddress, cidr *string, podSelector map[string]string, nsSelector map[string]string, podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, selfNS bool, - ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1alpha1.RuleAction, ruleClusterGroup, name string, serviceAccount *crdv1alpha1.NamespacedName) *ClusterNetworkPolicySpecBuilder { + ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1beta1.RuleAction, ruleClusterGroup, name string, serviceAccount *crdv1beta1.NamespacedName) *ClusterNetworkPolicySpecBuilder { var pSel *metav1.LabelSelector var nSel *metav1.LabelSelector - var ns *crdv1alpha1.PeerNamespaces - var appliedTos []crdv1alpha1.AppliedTo - matchSelf := crdv1alpha1.NamespaceMatchSelf + var ns *crdv1beta1.PeerNamespaces + var appliedTos []crdv1beta1.AppliedTo + matchSelf := crdv1beta1.NamespaceMatchSelf if b.Spec.Ingress == nil { - b.Spec.Ingress = []crdv1alpha1.Rule{} + b.Spec.Ingress = []crdv1beta1.Rule{} } if podSelector != nil || podSelectorMatchExp != nil { 
@@ -137,13 +137,13 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol } } if selfNS == true { - ns = &crdv1alpha1.PeerNamespaces{ + ns = &crdv1beta1.PeerNamespaces{ Match: matchSelf, } } - var ipBlock *crdv1alpha1.IPBlock + var ipBlock *crdv1beta1.IPBlock if cidr != nil { - ipBlock = &crdv1alpha1.IPBlock{ + ipBlock = &crdv1beta1.IPBlock{ CIDR: *cidr, } } @@ -151,9 +151,9 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.NSSelector, at.PodSelectorMatchExp, at.NSSelectorMatchExp, at.Group, at.Service)) } // An empty From/To in ACNP rules evaluates to match all addresses. - policyPeer := make([]crdv1alpha1.NetworkPolicyPeer, 0) + policyPeer := make([]crdv1beta1.NetworkPolicyPeer, 0) if pSel != nil || nSel != nil || ns != nil || ipBlock != nil || ruleClusterGroup != "" || serviceAccount != nil { - policyPeer = []crdv1alpha1.NetworkPolicyPeer{{ + policyPeer = []crdv1beta1.NetworkPolicyPeer{{ PodSelector: pSel, NamespaceSelector: nSel, Namespaces: ns, @@ -163,7 +163,7 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol }} } ports, protocols := GenPortsOrProtocols(protoc, port, portName, endPort, nil, nil, icmpType, icmpCode, igmpType, groupAddress) - newRule := crdv1alpha1.Rule{ + newRule := crdv1beta1.Rule{ From: policyPeer, Ports: ports, Protocols: protocols, 
@@ -182,16 +182,16 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngressForSrcPort(protoc AntreaPoli port, endPort, srcPort, endSrcPort, icmpType, icmpCode, igmpType *int32, groupAddress, cidr *string, podSelector map[string]string, nsSelector map[string]string, podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, selfNS bool, - ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1alpha1.RuleAction, ruleClusterGroup, name string, serviceAccount *crdv1alpha1.NamespacedName) *ClusterNetworkPolicySpecBuilder { + ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1beta1.RuleAction, ruleClusterGroup, name string, serviceAccount *crdv1beta1.NamespacedName) *ClusterNetworkPolicySpecBuilder { var pSel *metav1.LabelSelector var nSel *metav1.LabelSelector - var ns *crdv1alpha1.PeerNamespaces - var appliedTos []crdv1alpha1.AppliedTo - matchSelf := crdv1alpha1.NamespaceMatchSelf + var ns *crdv1beta1.PeerNamespaces + var appliedTos []crdv1beta1.AppliedTo + matchSelf := crdv1beta1.NamespaceMatchSelf if b.Spec.Ingress == nil { - b.Spec.Ingress = []crdv1alpha1.Rule{} + b.Spec.Ingress = []crdv1beta1.Rule{} } if podSelector != nil || podSelectorMatchExp != nil { @@ -207,13 +207,13 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngressForSrcPort(protoc AntreaPoli } } if selfNS == true { - ns = &crdv1alpha1.PeerNamespaces{ + ns = &crdv1beta1.PeerNamespaces{ Match: matchSelf, } } - var ipBlock *crdv1alpha1.IPBlock + var ipBlock *crdv1beta1.IPBlock if cidr != nil { - ipBlock = &crdv1alpha1.IPBlock{ + ipBlock = &crdv1beta1.IPBlock{ CIDR: *cidr, } } 
@@ -221,9 +221,9 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngressForSrcPort(protoc AntreaPoli appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.NSSelector, at.PodSelectorMatchExp, at.NSSelectorMatchExp, at.Group, at.Service)) } // An empty From/To in ACNP rules evaluates to match all addresses. - policyPeer := make([]crdv1alpha1.NetworkPolicyPeer, 0) + policyPeer := make([]crdv1beta1.NetworkPolicyPeer, 0) if pSel != nil || nSel != nil || ns != nil || ipBlock != nil || ruleClusterGroup != "" || serviceAccount != nil { - policyPeer = []crdv1alpha1.NetworkPolicyPeer{{ + policyPeer = []crdv1beta1.NetworkPolicyPeer{{ PodSelector: pSel, NamespaceSelector: nSel, Namespaces: ns, @@ -233,7 +233,7 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngressForSrcPort(protoc AntreaPoli }} } ports, protocols := GenPortsOrProtocols(protoc, port, nil, endPort, srcPort, endSrcPort, icmpType, icmpCode, igmpType, groupAddress) - newRule := crdv1alpha1.Rule{ + newRule := crdv1beta1.Rule{ From: policyPeer, Ports: ports, Protocols: protocols, @@ -249,7 +249,7 @@ func (b *ClusterNetworkPolicySpecBuilder) AddEgress(protoc AntreaPolicyProtocol, port *int32, portName *string, endPort, icmpType, icmpCode, igmpType *int32, groupAddress, cidr *string, podSelector map[string]string, nsSelector map[string]string, podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, selfNS bool, - ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1alpha1.RuleAction, ruleClusterGroup, name string, serviceAccount *crdv1alpha1.NamespacedName) *ClusterNetworkPolicySpecBuilder { + ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1beta1.RuleAction, ruleClusterGroup, name string, serviceAccount *crdv1beta1.NamespacedName) *ClusterNetworkPolicySpecBuilder { // For simplicity, we just reuse the Ingress code here. The underlying data model for ingress/egress is identical // With the exception of calling the rule `To` vs. `From`. 
@@ -258,7 +258,7 @@ func (b *ClusterNetworkPolicySpecBuilder) AddEgress(protoc AntreaPolicyProtocol,
 podSelectorMatchExp, nsSelectorMatchExp, selfNS, ruleAppliedToSpecs, action, ruleClusterGroup, name, serviceAccount)
 theRule := c.Get().Spec.Ingress[0]
- b.Spec.Egress = append(b.Spec.Egress, crdv1alpha1.Rule{
+ b.Spec.Egress = append(b.Spec.Egress, crdv1beta1.Rule{
 To: theRule.From,
 Ports: theRule.Ports,
 Action: theRule.Action,
@@ -269,15 +269,15 @@ func (b *ClusterNetworkPolicySpecBuilder) AddEgress(protoc AntreaPolicyProtocol,
 }
 func (b *ClusterNetworkPolicySpecBuilder) AddNodeSelectorRule(nodeSelector *metav1.LabelSelector, protoc AntreaPolicyProtocol, port *int32, name string,
- ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1alpha1.RuleAction, isEgress bool) *ClusterNetworkPolicySpecBuilder {
- var appliedTos []crdv1alpha1.AppliedTo
+ ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1beta1.RuleAction, isEgress bool) *ClusterNetworkPolicySpecBuilder {
+ var appliedTos []crdv1beta1.AppliedTo
 for _, at := range ruleAppliedToSpecs {
 appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.NSSelector, at.PodSelectorMatchExp, at.NSSelectorMatchExp, at.Group, at.Service))
 }
- policyPeer := []crdv1alpha1.NetworkPolicyPeer{{NodeSelector: nodeSelector}}
+ policyPeer := []crdv1beta1.NetworkPolicyPeer{{NodeSelector: nodeSelector}}
 k8sProtocol, _ := AntreaPolicyProtocolToK8sProtocol(protoc)
- newRule := crdv1alpha1.Rule{
- Ports: []crdv1alpha1.NetworkPolicyPort{
+ newRule := crdv1beta1.Rule{
+ Ports: []crdv1beta1.NetworkPolicyPort{
 {Protocol: &k8sProtocol, Port: &intstr.IntOrString{IntVal: *port}},
 },
 Action: &action,
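Review bot: In the AddNodeSelectorRule hunk, `Port: &intstr.IntOrString{IntVal: *port}` dereferences the `port *int32` parameter with no nil check, so a caller passing nil panics the whole e2e binary instead of failing one case; the sibling AddFQDNRule in this file routes the same optional pointer through GenPortsOrProtocols, which tolerates nil. The cheapest fix is a guard before the rule literal, `if port == nil { panic("AddNodeSelectorRule: port is required") }`, mirroring the explicit panic GenPortsOrProtocols already uses for conflicting port arguments; reusing `ports, _ := GenPortsOrProtocols(protoc, port, nil, nil, nil, nil, nil, nil, nil, nil)` would also work if node-selector rules are only ever TCP/UDP/SCTP, since that helper returns no Ports for ICMP/IGMP. The error from AntreaPolicyProtocolToK8sProtocol is also discarded on the `k8sProtocol, _ :=` line, so an unsupported protocol would silently produce a rule carrying whatever fallback the converter returns rather than a test failure; the converter is defined elsewhere, so its fallback is not visible here. AddNodeSelectorRule's body continues past the end of the hunk.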
@@ -296,14 +296,14 @@ func (b *ClusterNetworkPolicySpecBuilder) AddNodeSelectorRule(nodeSelector *meta
 func (b *ClusterNetworkPolicySpecBuilder) AddFQDNRule(fqdn string, protoc AntreaPolicyProtocol, port *int32, portName *string, endPort *int32, name string,
- ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1alpha1.RuleAction) *ClusterNetworkPolicySpecBuilder {
- var appliedTos []crdv1alpha1.AppliedTo
+ ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1beta1.RuleAction) *ClusterNetworkPolicySpecBuilder {
+ var appliedTos []crdv1beta1.AppliedTo
 for _, at := range ruleAppliedToSpecs {
 appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.NSSelector, at.PodSelectorMatchExp, at.NSSelectorMatchExp, at.Group, at.Service))
 }
- policyPeer := []crdv1alpha1.NetworkPolicyPeer{{FQDN: fqdn}}
+ policyPeer := []crdv1beta1.NetworkPolicyPeer{{FQDN: fqdn}}
 ports, _ := GenPortsOrProtocols(protoc, port, portName, endPort, nil, nil, nil, nil, nil, nil)
- newRule := crdv1alpha1.Rule{
+ newRule := crdv1beta1.Rule{
 To: policyPeer,
 Ports: ports,
 Action: &action,
@@ -314,14 +314,14 @@ func (b *ClusterNetworkPolicySpecBuilder) AddFQDNRule(fqdn string,
 return b
 }
-func (b *ClusterNetworkPolicySpecBuilder) AddToServicesRule(svcRefs []crdv1alpha1.PeerService,
- name string, ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1alpha1.RuleAction) *ClusterNetworkPolicySpecBuilder {
- var appliedTos []crdv1alpha1.AppliedTo
+func (b *ClusterNetworkPolicySpecBuilder) AddToServicesRule(svcRefs []crdv1beta1.PeerService,
+ name string, ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1beta1.RuleAction) *ClusterNetworkPolicySpecBuilder {
+ var appliedTos []crdv1beta1.AppliedTo
 for _, at := range ruleAppliedToSpecs {
 appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.NSSelector, at.PodSelectorMatchExp, at.NSSelectorMatchExp, at.Group, at.Service))
 }
- newRule := crdv1alpha1.Rule{
- To: make([]crdv1alpha1.NetworkPolicyPeer, 0),
+ newRule := crdv1beta1.Rule{
+ To: make([]crdv1beta1.NetworkPolicyPeer, 0),
 ToServices: svcRefs,
 Action: &action,
 Name: name,
@@ -332,14 +332,14 @@ func (b *ClusterNetworkPolicySpecBuilder) AddToServicesRule(svcRefs []crdv1alpha
 }
 func (b *ClusterNetworkPolicySpecBuilder) AddStretchedIngressRule(pSel, nsSel map[string]string,
- name string, ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1alpha1.RuleAction) *ClusterNetworkPolicySpecBuilder {
+ name string, ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1beta1.RuleAction) *ClusterNetworkPolicySpecBuilder {
- var appliedTos []crdv1alpha1.AppliedTo
+ var appliedTos []crdv1beta1.AppliedTo
 for _, at := range ruleAppliedToSpecs {
 appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.NSSelector, at.PodSelectorMatchExp, at.NSSelectorMatchExp, at.Group, at.Service))
 }
- newRule := crdv1alpha1.Rule{
- From: []crdv1alpha1.NetworkPolicyPeer{{Scope: "ClusterSet"}},
+ newRule := crdv1beta1.Rule{
+ From: []crdv1beta1.NetworkPolicyPeer{{Scope: "ClusterSet"}},
 Action: &action,
 Name: name,
 AppliedTo: appliedTos,
@@ -357,7 +357,7 @@ func (b *ClusterNetworkPolicySpecBuilder) AddStretchedIngressRule(pSel, nsSel ma
 // AddEgressDNS mutates the nth policy rule to allow DNS, convenience method
 func (b *ClusterNetworkPolicySpecBuilder) WithEgressDNS() *ClusterNetworkPolicySpecBuilder {
 protocolUDP, _ := AntreaPolicyProtocolToK8sProtocol(ProtocolUDP)
- route53 := crdv1alpha1.NetworkPolicyPort{
+ route53 := crdv1beta1.NetworkPolicyPort{
 Protocol: &protocolUDP,
 Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
 }
diff --git a/test/e2e/utils/grp_spec_builder.go b/test/e2e/utils/grp_spec_builder.go
index 5f5c04e45e5..7b5f2088531 100644
--- a/test/e2e/utils/grp_spec_builder.go
+++ b/test/e2e/utils/grp_spec_builder.go
@@ -17,7 +17,6 @@ package utils
 import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 )
@@ -76,13 +75,13 @@ func (b *GroupSpecBuilder) SetNamespaceSelector(nsSelector map[string]string, ns
 return b
 }
-func (b *GroupSpecBuilder) SetIPBlocks(ipBlocks []crdv1alpha1.IPBlock) *GroupSpecBuilder {
+func (b *GroupSpecBuilder) SetIPBlocks(ipBlocks []crdv1beta1.IPBlock) *GroupSpecBuilder {
 b.Spec.IPBlocks = ipBlocks
 return b
 }
 func (b *GroupSpecBuilder) SetServiceReference(svcNS, svcName string) *GroupSpecBuilder {
- svcRef := &crdv1alpha1.NamespacedName{
+ svcRef := &crdv1beta1.NamespacedName{
 Namespace: svcNS,
 Name: svcName,
 }
diff --git a/test/e2e/utils/helper.go b/test/e2e/utils/helper.go
index fafa13d4a68..2f1b356f559 100644
--- a/test/e2e/utils/helper.go
+++ b/test/e2e/utils/helper.go
@@ -20,7 +20,7 @@ import (
 v1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
- crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 )
 type AntreaPolicyProtocol string
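Review bot: The doc comment in the WithEgressDNS hunk names a different function (`// AddEgressDNS mutates the nth policy rule to allow DNS, convenience method`), so godoc will not attach it to WithEgressDNS and a reader grepping for the method's documentation finds nothing; it should read `// WithEgressDNS mutates the nth policy rule to allow DNS, convenience method`. The rule that `route53` is attached to is built past the end of the hunk, so I cannot tell which rule "the nth" refers to; if it is a fixed index, stating it in the comment would make the helper's side effect on existing rules explicit.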
@@ -46,11 +46,11 @@ func AntreaPolicyProtocolToK8sProtocol(antreaProtocol AntreaPolicyProtocol) (v1.
 }
 }
-func GenPortsOrProtocols(protoc AntreaPolicyProtocol, port *int32, portName *string, endPort, srcPort, srcEndPort, icmpType, icmpCode, igmpType *int32, groupAddress *string) ([]crdv1alpha1.NetworkPolicyPort, []crdv1alpha1.NetworkPolicyProtocol) {
+func GenPortsOrProtocols(protoc AntreaPolicyProtocol, port *int32, portName *string, endPort, srcPort, srcEndPort, icmpType, icmpCode, igmpType *int32, groupAddress *string) ([]crdv1beta1.NetworkPolicyPort, []crdv1beta1.NetworkPolicyProtocol) {
 if protoc == ProtocolICMP {
- return nil, []crdv1alpha1.NetworkPolicyProtocol{
+ return nil, []crdv1beta1.NetworkPolicyProtocol{
 {
- ICMP: &crdv1alpha1.ICMPProtocol{
+ ICMP: &crdv1beta1.ICMPProtocol{
 ICMPType: icmpType,
 ICMPCode: icmpCode,
 },
@@ -58,22 +58,22 @@ func GenPortsOrProtocols(protoc AntreaPolicyProtocol, port *int32, portName *str
 }
 }
 if protoc == ProtocolIGMP {
- return nil, []crdv1alpha1.NetworkPolicyProtocol{
+ return nil, []crdv1beta1.NetworkPolicyProtocol{
 {
- IGMP: &crdv1alpha1.IGMPProtocol{
+ IGMP: &crdv1beta1.IGMPProtocol{
 IGMPType: igmpType,
 GroupAddress: *groupAddress,
 },
 },
 }
 }
- var ports []crdv1alpha1.NetworkPolicyPort
+ var ports []crdv1beta1.NetworkPolicyPort
 k8sProtocol, _ := AntreaPolicyProtocolToK8sProtocol(protoc)
 if port != nil && portName != nil {
 panic("specify portname or port, not both")
 }
 if portName != nil {
- ports = []crdv1alpha1.NetworkPolicyPort{
+ ports = []crdv1beta1.NetworkPolicyPort{
 {
 Port: &intstr.IntOrString{Type: intstr.String, StrVal: *portName},
 Protocol: &k8sProtocol,
@@ -85,7 +85,7 @@ func GenPortsOrProtocols(protoc AntreaPolicyProtocol, port *int32, portName *str
 if port != nil {
 pVal = &intstr.IntOrString{IntVal: *port}
 }
- ports = []crdv1alpha1.NetworkPolicyPort{
+ ports = []crdv1beta1.NetworkPolicyPort{
 {
 Port: pVal,
 EndPort: endPort,
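Review bot: In the ProtocolIGMP branch of GenPortsOrProtocols, `GroupAddress: *groupAddress` dereferences the pointer unconditionally, whereas the ICMP branch just above passes `icmpType`/`icmpCode` through as nil-able pointers and the `port`/`portName` paths below are all nil-guarded; every caller visible in this diff passes nil for groupAddress, so any of them switched to ProtocolIGMP would panic the test binary instead of failing a single case. A guard ahead of the literal, `if groupAddress == nil { panic("groupAddress is required for IGMP rules") }`, keeps the failure local and matches the explicit panic this function already uses for conflicting port/portName. Separately, `k8sProtocol, _ := AntreaPolicyProtocolToK8sProtocol(protoc)` drops the conversion error, so an unrecognised protocol yields a rule carrying whatever the converter returns rather than a failure; that converter starts above this hunk, so its fallback value is not visible here. The function body continues past the end of the last hunk.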
diff --git a/test/e2e/vmagent_test.go b/test/e2e/vmagent_test.go
index b7845d16a3e..884c81d7c8f 100644
--- a/test/e2e/vmagent_test.go
+++ b/test/e2e/vmagent_test.go
@@ -31,6 +31,7 @@ import (
 "k8s.io/apimachinery/pkg/util/wait"
 crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+ crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 "antrea.io/antrea/pkg/features"
 "antrea.io/antrea/pkg/util/externalnode"
 . "antrea.io/antrea/test/e2e/utils"
@@ -466,17 +467,17 @@ func testANPOnVMs(t *testing.T, data *TestData, vmList []vmInfo, osType string)
 // Test TCP rules in ANP
 t.Run("testANPOnExternalNodeWithTCP", func(t *testing.T) {
 // Use ExternalEntity in an ingress rule configuration.
- testANPProtocolTCPOrUDP(t, data, "anp-vmagent-ingress-tcp-entity", namespace, *appliedToVM, peerVM, ProtocolTCP, true, crdv1alpha1.RuleActionDrop, true)
+ testANPProtocolTCPOrUDP(t, data, "anp-vmagent-ingress-tcp-entity", namespace, *appliedToVM, peerVM, ProtocolTCP, true, crdv1beta1.RuleActionDrop, true)
 // Use IP in an egress rule configuration.
- testANPProtocolTCPOrUDP(t, data, "anp-vmagent-egress-tcp-ip", namespace, *appliedToVM, peerVM, ProtocolTCP, false, crdv1alpha1.RuleActionDrop, false)
+ testANPProtocolTCPOrUDP(t, data, "anp-vmagent-egress-tcp-ip", namespace, *appliedToVM, peerVM, ProtocolTCP, false, crdv1beta1.RuleActionDrop, false)
 })
 // Test UDP rules in ANP
 t.Run("testANPOnExternalNodeWithUDP", func(t *testing.T) {
- testANPProtocolTCPOrUDP(t, data, "anp-vmagent-ingress-udp-entity", namespace, *appliedToVM, peerVM, ProtocolUDP, true, crdv1alpha1.RuleActionReject, false)
+ testANPProtocolTCPOrUDP(t, data, "anp-vmagent-ingress-udp-entity", namespace, *appliedToVM, peerVM, ProtocolUDP, true, crdv1beta1.RuleActionReject, false)
 })
 // Test ICMP rules in ANP
 t.Run("testANPOnExternalNodeWithICMP", func(t *testing.T) {
- testANPProtocolICMP(t, data, "anp-vmagent-ingress-icmp-ip", namespace, *appliedToVM, crdv1alpha1.RuleActionDrop)
+ testANPProtocolICMP(t, data, "anp-vmagent-ingress-icmp-ip", namespace, *appliedToVM, crdv1beta1.RuleActionDrop)
 })
 // Test FQDN rules in ANP
 t.Run("testANPOnExternalNodeWithFQDN", func(t *testing.T) {
@@ -499,21 +500,21 @@ func testANPWithFQDN(t *testing.T, data *TestData, name string, namespace string
 var err error
 allURLs := append(append(allowedURLs, droppedURLs...), rejectedURLs...)
 for _, url := range allURLs {
- err := runCurlCommandOnVM(data, appliedToVM, url, crdv1alpha1.RuleActionAllow)
+ err := runCurlCommandOnVM(data, appliedToVM, url, crdv1beta1.RuleActionAllow)
 assert.NoError(t, err, "Failed to run curl command on URL %s on VM %s", url, appliedToVM.nodeName)
 }
- fqdnSettings := make(map[string]*crdv1alpha1.RuleAction, 0)
+ fqdnSettings := make(map[string]*crdv1beta1.RuleAction, 0)
 for _, url := range allowedURLs {
- action := crdv1alpha1.RuleActionAllow
+ action := crdv1beta1.RuleActionAllow
 fqdnSettings[url] = &action
 }
 for _, url := range droppedURLs {
- action := crdv1alpha1.RuleActionDrop
+ action := crdv1beta1.RuleActionDrop
 fqdnSettings[url] = &action
 }
 for _, url := range rejectedURLs {
- action := crdv1alpha1.RuleActionReject
+ action := crdv1beta1.RuleActionReject
 fqdnSettings[url] = &action
 }
@@ -525,7 +526,7 @@ func testANPWithFQDN(t *testing.T, data *TestData, name string, namespace string
 err = data.DeleteANNP(anp.Namespace, anp.Name)
 require.Nil(t, err)
 for _, url := range allURLs {
- err := runCurlCommandOnVM(data, appliedToVM, url, crdv1alpha1.RuleActionAllow)
+ err := runCurlCommandOnVM(data, appliedToVM, url, crdv1beta1.RuleActionAllow)
 assert.NoError(t, err, "Failed to run curl command on URL %s on VM %s", url, appliedToVM.nodeName)
 }
 }
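Review bot: The rewritten `err := runCurlCommandOnVM(...)` lines inside both `for _, url := range allURLs` loops declare a fresh `err` that shadows the `var err error` at the top of testANPWithFQDN (go vet's shadow analyzer flags exactly this), while the `err = data.DeleteANNP(...)` line in the second hunk assigns to the outer one. Since the function already reserves an outer `err`, plain assignment, `err = runCurlCommandOnVM(data, appliedToVM, url, crdv1beta1.RuleActionAllow)`, removes the shadow without changing behaviour, because the assertion consumes the value on the next line either way. The middle of testANPWithFQDN, between the two hunks, is not visible here.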
@@ -534,7 +535,7 @@ func testANPWithFQDN(t *testing.T, data *TestData, name string, namespace string
 // Note: master Node is used as the client in the test. This is because the Windows native ping utility always uses 256
 // as the identifier in any ICMP echo request packet, and this setting introduces a mis-match in OVS conntrack when
 // identifying a new connection.
-func testANPProtocolICMP(t *testing.T, data *TestData, name string, namespace string, appliedToVM vmInfo, ruleAction crdv1alpha1.RuleAction) {
+func testANPProtocolICMP(t *testing.T, data *TestData, name string, namespace string, appliedToVM vmInfo, ruleAction crdv1beta1.RuleAction) {
 // The initial network connectivity is working as expected before ANP is created.
 err := runPingCommandOnVM(data, appliedToVM, true)
 require.NoError(t, err, "Failed to verify connectivity before applying ANP")
@@ -548,7 +549,7 @@ func testANPProtocolICMP(t *testing.T, data *TestData, name string, namespace st
 t.Logf("ANP test with nameE %s is done", name)
 }
-func testANPProtocolTCPOrUDP(t *testing.T, data *TestData, name string, namespace string, appliedToVM vmInfo, peerVM *vmInfo, proto AntreaPolicyProtocol, ingress bool, ruleAction crdv1alpha1.RuleAction, matchPeerEntity bool) {
+func testANPProtocolTCPOrUDP(t *testing.T, data *TestData, name string, namespace string, appliedToVM vmInfo, peerVM *vmInfo, proto AntreaPolicyProtocol, ingress bool, ruleAction crdv1beta1.RuleAction, matchPeerEntity bool) {
 var srcVM, dstVM vmInfo
 if ingress {
 srcVM = *peerVM
@@ -577,7 +578,7 @@ func testANPProtocolTCPOrUDP(t *testing.T, data *TestData, name string, namespac
 }
 func createANPForExternalNode(t *testing.T, data *TestData, name, namespace string, ingress bool, proto AntreaPolicyProtocol,
- appliedToVM vmInfo, peerVM *vmInfo, matchLabel bool, ruleAction crdv1alpha1.RuleAction) *crdv1alpha1.NetworkPolicy {
+ appliedToVM vmInfo, peerVM *vmInfo, matchLabel bool, ruleAction crdv1beta1.RuleAction) *crdv1beta1.NetworkPolicy {
 eeSelector := map[string]string{externalNodeLabelKey: appliedToVM.nodeName}
 builder := &AntreaNetworkPolicySpecBuilder{}
 builder = builder.
@@ -620,7 +621,7 @@ func createANPForExternalNode(t *testing.T, data *TestData, name, namespace stri
 return anp
 }
-func createANPWithFQDN(t *testing.T, data *TestData, name string, namespace string, appliedToVM vmInfo, fqdnSettings map[string]*crdv1alpha1.RuleAction) *crdv1alpha1.NetworkPolicy {
+func createANPWithFQDN(t *testing.T, data *TestData, name string, namespace string, appliedToVM vmInfo, fqdnSettings map[string]*crdv1beta1.RuleAction) *crdv1beta1.NetworkPolicy {
 eeSelector := map[string]string{externalNodeLabelKey: appliedToVM.nodeName}
 builder := &AntreaNetworkPolicySpecBuilder{}
 builder = builder.
@@ -631,9 +632,9 @@ func createANPWithFQDN(t *testing.T, data *TestData, name string, namespace stri
 i := 0
 for fqdn, action := range fqdnSettings {
 ruleName := fmt.Sprintf("name-%d", i)
- policyPeer := []crdv1alpha1.NetworkPolicyPeer{{FQDN: fqdn}}
+ policyPeer := []crdv1beta1.NetworkPolicyPeer{{FQDN: fqdn}}
 ports, _ := GenPortsOrProtocols(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil)
- newRule := crdv1alpha1.Rule{
+ newRule := crdv1beta1.Rule{
 To: policyPeer,
 Ports: ports,
 Action: action,
@@ -669,7 +670,7 @@ func runPingCommandOnVM(data *TestData, dstVM vmInfo, connected bool) error {
 return err
 }
-func runIperfCommandOnVMs(t *testing.T, data *TestData, srcVM vmInfo, dstVM vmInfo, connected bool, isUDP bool, ruleAction crdv1alpha1.RuleAction) error {
+func runIperfCommandOnVMs(t *testing.T, data *TestData, srcVM vmInfo, dstVM vmInfo, connected bool, isUDP bool, ruleAction crdv1beta1.RuleAction) error {
 svrIP := net.ParseIP(dstVM.ip)
 err := wait.PollImmediate(time.Second*5, time.Second*20, func() (done bool, err error) {
 if err := runIperfClient(t, data, srcVM, svrIP, iperfPort, isUDP, connected, ruleAction); err != nil {
@@ -707,7 +708,7 @@ func stopIperfCommand(t *testing.T, data *TestData, vm vmInfo) error {
 return nil
 }
-func runIperfClient(t *testing.T, data *TestData, targetVM vmInfo, svrIP net.IP, dstPort int32, isUDP bool, connected bool, ruleAction crdv1alpha1.RuleAction) error {
+func runIperfClient(t *testing.T, data *TestData, targetVM vmInfo, svrIP net.IP, dstPort int32, isUDP bool, connected bool, ruleAction crdv1beta1.RuleAction) error {
 cmd := getIperf3Command(targetVM.osType, svrIP, dstPort, isUDP, false)
 cmdStr := strings.Join(cmd, " ")
 if targetVM.osType == windowsOS {
@@ -716,9 +717,9 @@ func runIperfClient(t *testing.T, data *TestData, targetVM vmInfo, svrIP net.IP,
 expectedOutput := "iperf Done"
 if !connected {
 switch ruleAction {
- case crdv1alpha1.RuleActionDrop:
+ case crdv1beta1.RuleActionDrop:
 expectedOutput = "Connection timed out"
- case crdv1alpha1.RuleActionReject:
+ case crdv1beta1.RuleActionReject:
 if isUDP {
 expectedOutput = "No route to host"
 } else {
@@ -751,17 +752,17 @@ func runIperfClient(t *testing.T, data *TestData, targetVM vmInfo, svrIP net.IP,
 }
 }
-func runCurlCommandOnVM(data *TestData, targetVM vmInfo, url string, action crdv1alpha1.RuleAction) error {
+func runCurlCommandOnVM(data *TestData, targetVM vmInfo, url string, action crdv1beta1.RuleAction) error {
 cmd := getCurlCommand(targetVM.osType, url)
 cmdStr := strings.Join(cmd, " ")
 var expectedErr, expectedOutput string
 switch action {
- case crdv1alpha1.RuleActionAllow:
+ case crdv1beta1.RuleActionAllow:
 expectedOutput = "HTTP/1.1"
- case crdv1alpha1.RuleActionDrop:
+ case crdv1beta1.RuleActionDrop:
 expectedErr = "Connection timed out"
- case crdv1alpha1.RuleActionReject:
+ case crdv1beta1.RuleActionReject:
 expectedErr = "Connection refused"
 }
 err := wait.PollImmediate(time.Second*5, time.Second*20, func() (done bool, err error) {
diff --git a/test/integration/agent/openflow_test.go b/test/integration/agent/openflow_test.go
index df1297cf4fd..5c8ea2af0e0 100644
--- a/test/integration/agent/openflow_test.go
+++ b/test/integration/agent/openflow_test.go
@@ -40,8 +40,8 @@ import (
 "antrea.io/antrea/pkg/agent/types"
 "antrea.io/antrea/pkg/agent/util"
 "antrea.io/antrea/pkg/apis/controlplane/v1beta2"
- crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 "antrea.io/antrea/pkg/apis/crd/v1alpha2"
+ crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 ofconfig "antrea.io/antrea/pkg/ovs/openflow"
 "antrea.io/antrea/pkg/ovs/ovsconfig"
 "antrea.io/antrea/pkg/ovs/ovsctl"
@@ -303,7 +303,7 @@ func TestReplayFlowsNetworkPolicyFlows(t *testing.T) {
 port2 := intstr.FromInt(8080)
 tcpProtocol := v1beta2.ProtocolTCP
- defaultAction := crdv1alpha1.RuleActionAllow
+ defaultAction := crdv1beta1.RuleActionAllow
 npPort1 := v1beta2.Service{Protocol: &tcpProtocol, Port: &port2}
 toIPList := prepareIPAddresses(toList)
 rule := &types.PolicyRule{
@@ -488,7 +488,7 @@ func TestNetworkPolicyFlows(t *testing.T) {
 port2 := intstr.FromInt(8080)
 tcpProtocol := v1beta2.ProtocolTCP
- defaultAction := crdv1alpha1.RuleActionAllow
+ defaultAction := crdv1beta1.RuleActionAllow
 npPort1 := v1beta2.Service{Protocol: &tcpProtocol, Port: &port2}
 toIPList := prepareIPAddresses(toList)
 rule := &types.PolicyRule{