
ANP global policies
Joseph Chen committed Jul 30, 2024
1 parent ece7a09 commit e181855
Showing 33 changed files with 4,612 additions and 2,348 deletions.
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -13,7 +13,7 @@
# limitations under the License.

# Image URL to use all building/pushing image targets
IMG ?= public.ecr.aws/eks/amazon-network-policy-controller-k8s:v1.0.2
IMG ?= public.ecr.aws/q1l2n4k8/npc:anp
# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
ENVTEST_K8S_VERSION = 1.26.1
# ARCHS define the target architectures for the controller image be build
Expand Down
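Review bot: The default `IMG` now resolves to `public.ecr.aws/q1l2n4k8/npc:anp`, a registry alias outside the `public.ecr.aws/eks/` namespace the previous default used, with a floating tag in place of a pinned version, so every `make` target that builds, pushes or deploys without an explicit `IMG=` will by default use a location whose provenance is not the project's release pipeline. Keep the released default, `IMG ?= public.ecr.aws/eks/amazon-network-policy-controller-k8s:v1.0.2`, and pass the ANP development image on the command line (`IMG=public.ecr.aws/q1l2n4k8/npc:anp make …`). Which of the two `IMG` lines is the new one is inferred from the matching kustomization change in this commit, since the rendered page drops the +/- markers.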
969 changes: 969 additions & 0 deletions adminpol.yaml


10 changes: 10 additions & 0 deletions api/v1alpha1/policyendpoint_types.go
Expand Up @@ -48,6 +48,7 @@ type Port struct {

// EndpointInfo defines the network endpoint information for the policy ingress/egress
type EndpointInfo struct {
Action string `json:"action"`
// CIDR is the network address(s) of the endpoint
CIDR NetworkAddress `json:"cidr"`

Expand All @@ -72,6 +73,15 @@ type PodEndpoint struct {

// PolicyEndpointSpec defines the desired state of PolicyEndpoint
type PolicyEndpointSpec struct {
// IsGlobal specifies whether the parent policy is an admin policy
IsGlobal bool `json:"isGlobal"`

// Namespaces of the pod selector, will be empty for cluster wide
Namespaces []string `json:"namespaces"`

// Priority of the policy, lower value is higher priority
Priority int `json:"priority"`

// PodSelector is the podSelector from the policy resource
PodSelector *metav1.LabelSelector `json:"podSelector,omitempty"`

Expand Down
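Review bot: `Action string` is added to `EndpointInfo` without a doc comment (every other field in the struct has one) and without a validation marker, so the generated CRD accepts any string for an enforcement verdict and leaves each consumer to decide what an unknown or empty value means. Document and constrain it, e.g. `// Action is the verdict for traffic to/from this endpoint (Allow, Deny or Pass for admin policies; Allow for NetworkPolicy).` followed by `// +kubebuilder:validation:Enum=Allow;Deny;Pass`, adjusting the list to the values the controller actually emits. `Namespaces []string` tagged `json:"namespaces"` is documented as empty for cluster-wide policies, yet a nil slice marshals as `null`, which the apiserver prunes from a non-nullable field before checking `required` — and `config/crd/bases` in this commit lists `namespaces` as required — so cluster-wide endpoints would presumably be rejected unless the controller always writes a non-nil slice; `json:"namespaces,omitempty"` fixes both the encoding and the generated `required` entry. `Priority int` likewise carries no `// +kubebuilder:validation:Minimum=0`. `PolicyEndpointSpec` continues past the end of the hunk.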
28 changes: 23 additions & 5 deletions charts/amazon-network-policy-controller-k8s/crds/crds.yaml
@@ -1,11 +1,9 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
creationTimestamp: null
labels:
app.kubernetes.io/name: amazon-network-policy-controller-k8s
controller-gen.kubebuilder.io/version: v0.12.1
name: policyendpoints.networking.k8s.aws
spec:
group: networking.k8s.aws
Expand Down Expand Up @@ -43,6 +41,8 @@ spec:
description: EndpointInfo defines the network endpoint information
for the policy ingress/egress
properties:
action:
type: string
cidr:
description: CIDR is the network address(s) of the endpoint
type: string
Expand Down Expand Up @@ -77,6 +77,7 @@ spec:
type: object
type: array
required:
- action
- cidr
type: object
type: array
Expand All @@ -87,6 +88,8 @@ spec:
description: EndpointInfo defines the network endpoint information
for the policy ingress/egress
properties:
action:
type: string
cidr:
description: CIDR is the network address(s) of the endpoint
type: string
Expand Down Expand Up @@ -121,9 +124,18 @@ spec:
type: object
type: array
required:
- action
- cidr
type: object
type: array
isGlobal:
type: boolean
namespaces:
description: Namespaces of the pod selector, will be empty for cluster
wide
items:
type: string
type: array
podIsolation:
description: PodIsolation specifies whether the pod needs to be isolated
for a particular traffic direction Ingress or Egress, or both. If
Expand Down Expand Up @@ -164,11 +176,13 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
Expand Down Expand Up @@ -221,8 +235,12 @@ spec:
- name
- namespace
type: object
priority:
type: integer
required:
- isGlobal
- policyRef
- priority
type: object
status:
description: PolicyEndpointStatus defines the observed state of PolicyEndpoint
Expand All @@ -231,4 +249,4 @@ spec:
served: true
storage: true
subresources:
status: {}
status: {}
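Review bot: The chart copy of the CRD and `config/crd/bases/networking.k8s.aws_policyendpoints.yaml` in the same commit no longer agree: the chart's `required` list (after `priority`) omits `namespaces` while the base CRD includes it, and the chart carries `controller-gen.kubebuilder.io/version: v0.12.1` while the base carries `v0.15.0`, so the two appear to come from different generator runs rather than one being a copy of the other. A Helm install and a kustomize install would then enforce different schemas for the same API the controller writes to. Generate both from one `make manifests` run (and, given the field is documented as empty for cluster-wide policies, the variant without `- namespaces` in `required` is the one that should survive), then copy the base CRD into `charts/.../crds/` rather than regenerating it with an older tool.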
10 changes: 10 additions & 0 deletions charts/amazon-network-policy-controller-k8s/templates/rbac.yaml
Expand Up @@ -116,6 +116,16 @@ rules:
- patch
- update
- watch
- apiGroups:
- policy.networking.k8s.io
resources:
- adminnetworkpolicies
verbs:
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
Expand Down
10 changes: 10 additions & 0 deletions cmd/main.go
Expand Up @@ -43,6 +43,7 @@ import (
"github.com/aws/amazon-network-policy-controller-k8s/pkg/policyendpoints"
"github.com/aws/amazon-network-policy-controller-k8s/pkg/utils/configmap"
"github.com/aws/amazon-network-policy-controller-k8s/pkg/version"
adminnetworking "sigs.k8s.io/network-policy-api/apis/v1alpha1"
//+kubebuilder:scaffold:imports
)

Expand All @@ -55,6 +56,8 @@ func init() {
utilruntime.Must(clientgoscheme.AddToScheme(scheme))

utilruntime.Must(policyinfo.AddToScheme(scheme))

utilruntime.Must(adminnetworking.AddToScheme(scheme))
//+kubebuilder:scaffold:scheme
}

Expand Down Expand Up @@ -121,12 +124,19 @@ func main() {
finalizerManager := k8s.NewDefaultFinalizerManager(mgr.GetClient(), ctrl.Log.WithName("finalizer-manager"))
policyController := controllers.NewPolicyReconciler(mgr.GetClient(), policyEndpointsManager,
controllerCFG, finalizerManager, ctrl.Log.WithName("controllers").WithName("policy"))
adminPolicyController := controllers.NewAdminPolicyReconciler(mgr.GetClient(), policyEndpointsManager,
controllerCFG, finalizerManager, ctrl.Log.WithName("controllers").WithName("admin-policy"))
if enableNetworkPolicyController {
setupLog.Info("Network Policy controller is enabled, starting watches")
if err := policyController.SetupWithManager(ctx, mgr); err != nil {
setupLog.Error(err, "Unable to setup network policy controller")
os.Exit(1)
}
setupLog.Info("Admin Network Policy controller is enabled, starting watches")
if err := adminPolicyController.SetupWithManager(ctx, mgr); err != nil {
setupLog.Error(err, "Unable to setup admin network policy controller")
os.Exit(1)
}
}

//+kubebuilder:scaffold:builder
Expand Down
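Review bot: The admin-policy reconciler is registered under the existing `enableNetworkPolicyController` gate with no flag of its own, so every deployment that enables NetworkPolicy now also watches `adminnetworkpolicies.policy.networking.k8s.io`, an alpha API that exists on a cluster only if its CRD was installed separately; if `SetupWithManager` registers a watch on that kind, the manager will presumably fail to start on clusters without the CRD (`no matches for kind`) and the process exits, turning an optional feature into a hard dependency. Gate it separately, e.g. `if enableAdminNetworkPolicyController { … }` around the `adminPolicyController.SetupWithManager` call, and/or confirm via discovery that `policy.networking.k8s.io/v1alpha1` is served before registering. The log line `Admin Network Policy controller is enabled, starting watches` is also misleading as written, since nothing admin-specific has been checked at that point. `main` continues outside the hunk.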
1 change: 1 addition & 0 deletions config/controller/controller.yaml
Expand Up @@ -18,6 +18,7 @@ spec:
spec:
containers:
- image: controller:latest
imagePullPolicy: Always
args:
- --enable-configmap-check=false
name: controller
Expand Down
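Review bot: `imagePullPolicy: Always` makes the kubelet re-resolve the image reference on every pod start; together with the mutable `anp` tag selected in `config/controller/kustomization.yaml` in this commit, each restart becomes a fresh, unverified pull of whatever currently sits behind the tag, and a rollback of the manifest no longer implies a rollback of the binary. If the intent is to pick up development builds, keep this override in a dev overlay; for the shipped manifest, pin the image by digest or immutable tag and drop this line (the kubelet already defaults to `Always` for `:latest` and to `IfNotPresent` otherwise).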
4 changes: 2 additions & 2 deletions config/controller/kustomization.yaml
Expand Up @@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
- name: controller
newName: public.ecr.aws/eks/amazon-network-policy-controller-k8s
newTag: v0.5.0
newName: public.ecr.aws/q1l2n4k8/npc
newTag: anp
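Review bot: `newName: public.ecr.aws/q1l2n4k8/npc` with `newTag: anp` points the default deployment at a registry alias other than `public.ecr.aws/eks` and at a floating tag, so `kustomize build config/…` deploys a controller whose provenance is not the project's release pipeline and whose content can change with no change to the manifest. Keep the release image `public.ecr.aws/eks/amazon-network-policy-controller-k8s` with an immutable tag (or a `digest: sha256:…` entry in place of `newTag`) in this base, and put the `anp` development image in a separate overlay so it cannot be applied by accident.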
19 changes: 19 additions & 0 deletions config/crd/bases/networking.k8s.aws_policyendpoints.yaml
Expand Up @@ -46,6 +46,8 @@ spec:
description: EndpointInfo defines the network endpoint information
for the policy ingress/egress
properties:
action:
type: string
cidr:
description: CIDR is the network address(s) of the endpoint
type: string
Expand Down Expand Up @@ -80,6 +82,7 @@ spec:
type: object
type: array
required:
- action
- cidr
type: object
type: array
Expand All @@ -90,6 +93,8 @@ spec:
description: EndpointInfo defines the network endpoint information
for the policy ingress/egress
properties:
action:
type: string
cidr:
description: CIDR is the network address(s) of the endpoint
type: string
Expand Down Expand Up @@ -124,9 +129,18 @@ spec:
type: object
type: array
required:
- action
- cidr
type: object
type: array
isGlobal:
type: boolean
namespaces:
description: Namespaces of the pod selector, will be empty for cluster
wide
items:
type: string
type: array
podIsolation:
description: |-
PodIsolation specifies whether the pod needs to be isolated for a
Expand Down Expand Up @@ -227,8 +241,13 @@ spec:
- name
- namespace
type: object
priority:
type: integer
required:
- isGlobal
- namespaces
- policyRef
- priority
type: object
status:
description: PolicyEndpointStatus defines the observed state of PolicyEndpoint
Expand Down
10 changes: 10 additions & 0 deletions config/rbac/role.yaml
Expand Up @@ -64,6 +64,16 @@ rules:
- patch
- update
- watch
- apiGroups:
- policy.networking.k8s.io
resources:
- adminnetworkpolicies
verbs:
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
Expand Down
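Review bot: The new rule grants `patch` and `update` on the cluster-scoped `adminnetworkpolicies` resource, but nothing in this commit shows what the controller writes to an ANP; `cmd/main.go` hands the finalizer manager to the admin reconciler, which suggests finalizers are the only write. If so, one write verb (the one the finalizer manager uses) is enough for a cluster-wide, policy-overriding resource, and the absence of `adminnetworkpolicies/status` should be deliberate. A comment on the rule, e.g. `# write access is limited to finalizer management; this controller does not update ANP status`, would make that scope reviewable, and the same rule is duplicated in `charts/amazon-network-policy-controller-k8s/templates/rbac.yaml`, so the two must be kept in step.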
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -20,6 +20,7 @@ require (
k8s.io/apimachinery v0.30.1
k8s.io/client-go v0.30.1
sigs.k8s.io/controller-runtime v0.18.3
sigs.k8s.io/network-policy-api v0.1.5
)

require (
Expand Down
2 changes: 2 additions & 0 deletions go.sum
Expand Up @@ -199,6 +199,8 @@ sigs.k8s.io/controller-runtime v0.18.3 h1:B5Wmmo8WMWK7izei+2LlXLVDGzMwAHBNLX68lw
sigs.k8s.io/controller-runtime v0.18.3/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
sigs.k8s.io/network-policy-api v0.1.5 h1:xyS7VAaM9EfyB428oFk7WjWaCK6B129i+ILUF4C8l6E=
sigs.k8s.io/network-policy-api v0.1.5/go.mod h1:D7Nkr43VLNd7iYryemnj8qf0N/WjBzTZDxYA+g4u1/Y=
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
Expand Down
