
Add GKE NetworkPolicy support
kahun committed Mar 12, 2024
1 parent b1f3dff commit a41565e
Showing 6 changed files with 70 additions and 1 deletion.
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -52,6 +52,9 @@ manager_pull_policy.yaml-e
# junit files
junit.*.xml

# asdf
.tool-versions

.DS_Store

# Tilt files.
18 changes: 17 additions & 1 deletion cloud/services/container/clusters/reconcile.go
Expand Up @@ -268,6 +268,9 @@ func (s *Service) createCluster(ctx context.Context, log *logr.Logger) error {
if !s.scope.IsAutopilotCluster() {
cluster.NodePools = scope.ConvertToSdkNodePools(nodePools, machinePools, isRegional, cluster.Name)
}
if s.scope.GCPManagedControlPlane.Spec.NetworkPolicy != nil {
cluster.NetworkPolicy = convertToSdkNetworkPolicy(s.scope.GCPManagedControlPlane.Spec.NetworkPolicy)
}

createClusterRequest := &containerpb.CreateClusterRequest{
Cluster: cluster,
Expand Down Expand Up @@ -366,6 +369,20 @@ func convertToSdkMasterAuthorizedNetworksConfig(config *infrav1exp.MasterAuthori
}
}

// convertToSdkNetworkPolicy converts NetworkPolicy config to a value that is used by GCP SDK.
func convertToSdkNetworkPolicy(networkPolicy *infrav1exp.NetworkPolicy) *containerpb.NetworkPolicy {
sdkNetworkPolicy := containerpb.NetworkPolicy{
Enabled: true,
}
switch networkPolicy.Provider {
case "calico":
sdkNetworkPolicy.Provider = containerpb.NetworkPolicy_CALICO
default:
sdkNetworkPolicy.Provider = containerpb.NetworkPolicy_PROVIDER_UNSPECIFIED
}
return &sdkNetworkPolicy
}

func (s *Service) checkDiffAndPrepareUpdate(existingCluster *containerpb.Cluster, log *logr.Logger) (bool, *containerpb.UpdateClusterRequest) {
log.V(4).Info("Checking diff and preparing update.")

Expand All @@ -390,7 +407,6 @@ func (s *Service) checkDiffAndPrepareUpdate(existingCluster *containerpb.Cluster
log.V(2).Info("Master version update required", "current", existingClusterMasterVersion, "desired", desiredMasterVersion)
}
}

// DesiredMasterAuthorizedNetworksConfig
// When desiredMasterAuthorizedNetworksConfig is nil, it means that the user wants to disable the feature.
desiredMasterAuthorizedNetworksConfig := convertToSdkMasterAuthorizedNetworksConfig(s.scope.GCPManagedControlPlane.Spec.MasterAuthorizedNetworksConfig)
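Review bot: The `default` branch of the switch in `convertToSdkNetworkPolicy` (second hunk) sends `Enabled: true` together with `NetworkPolicy_PROVIDER_UNSPECIFIED`, and because `Provider` is optional in the spec a user can submit `networkPolicy: {}` and that combination reaches the CreateCluster request instead of being rejected locally; whether GKE accepts it or fails the call is not visible here, but the controller should not have to find out at request time. Since the CRD enum admits only `calico`, either map the empty string to `NetworkPolicy_CALICO` explicitly or make the conversion fail on anything else, as below, with `createCluster` returning that error before the request is built. Separately, the third hunk shows `checkDiffAndPrepareUpdate` (whose body continues outside the hunk) comparing only master version and authorized networks, so a cluster whose network policy is disabled out of band will not be detected or re-enabled — worth at least a log line if that is intentional. Also worth confirming against the GKE API: Calico enforcement on nodes additionally depends on `AddonsConfig.NetworkPolicyConfig` not being disabled, which this change does not set.
```go
// convertToSdkNetworkPolicy converts NetworkPolicy config to a value that is used by GCP SDK.
// An unset provider is treated as Calico, the only provider the CRD enum admits.
func convertToSdkNetworkPolicy(networkPolicy *infrav1exp.NetworkPolicy) (*containerpb.NetworkPolicy, error) {
	switch networkPolicy.Provider {
	case "", "calico":
		return &containerpb.NetworkPolicy{
			Enabled:  true,
			Provider: containerpb.NetworkPolicy_CALICO,
		}, nil
	default:
		return nil, fmt.Errorf("unsupported network policy provider %q", networkPolicy.Provider)
	}
}
```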
Expand Up @@ -117,6 +117,17 @@ spec:
Public IP addresses.
type: boolean
type: object
networkPolicy:
description: NetworkPolicy represents configuration options for NetworkPolicy
feature of the GKE cluster. This feature is disabled if this field
is not specified.
properties:
provider:
description: The selected network policy provider.
enum:
- calico
type: string
type: object
project:
description: Project is the name of the project to deploy the cluster
to.
12 changes: 12 additions & 0 deletions exp/api/v1beta1/gcpmanagedcontrolplane_types.go
Expand Up @@ -57,6 +57,10 @@ type GCPManagedControlPlaneSpec struct {
// This feature is disabled if this field is not specified.
// +optional
MasterAuthorizedNetworksConfig *MasterAuthorizedNetworksConfig `json:"master_authorized_networks_config,omitempty"`
// NetworkPolicy represents configuration options for NetworkPolicy feature of the GKE cluster.
// This feature is disabled if this field is not specified.
// +optional
NetworkPolicy *NetworkPolicy `json:"networkPolicy,omitempty"`
}

// GCPManagedControlPlaneStatus defines the observed state of GCPManagedControlPlane.
Expand Down Expand Up @@ -142,6 +146,14 @@ type MasterAuthorizedNetworksConfigCidrBlock struct {
CidrBlock string `json:"cidr_block,omitempty"`
}

// NetworkPolicy represents configuration options for NetworkPolicy feature of the GKE cluster.
type NetworkPolicy struct {
// The selected network policy provider.
// +kubebuilder:validation:Enum=calico
// +optional
Provider string `json:"provider,omitempty"`
}

// GetConditions returns the control planes conditions.
func (r *GCPManagedControlPlane) GetConditions() clusterv1.Conditions {
return r.Status.Conditions
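Review bot: `Provider` in the new `NetworkPolicy` struct (second hunk) is both `+optional` and `omitempty`, so `networkPolicy: {}` passes CRD validation with an empty provider even though the enum only ever admits `calico`; the reconcile side then has to invent a meaning for the empty string. Either give it a default so the stored object is always explicit, `// +kubebuilder:default=calico`, or drop `+optional` and make the field required. The spec comment should also say what the webhook enforces, since a user reading the CRD cannot tell: `// NetworkPolicy is immutable after cluster creation; network policy cannot be enabled or disabled on an existing control plane through this API.` Minor style point: the JSON tag `networkPolicy` is the Kubernetes-conventional camelCase, but it sits next to `master_authorized_networks_config` in the same struct, so the inconsistency is worth a note in the PR if the snake_case tags are kept for compatibility.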
7 changes: 7 additions & 0 deletions exp/api/v1beta1/gcpmanagedcontrolplane_webhook.go
Expand Up @@ -130,6 +130,13 @@ func (r *GCPManagedControlPlane) ValidateUpdate(oldRaw runtime.Object) (admissio
)
}

if !cmp.Equal(r.Spec.NetworkPolicy, old.Spec.NetworkPolicy) {
allErrs = append(allErrs,
field.Invalid(field.NewPath("spec", "NetworkPolicy"),
r.Spec.NetworkPolicy, "field is immutable"),
)
}

if len(allErrs) == 0 {
return nil, nil
}
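Review bot: The immutability error in `ValidateUpdate` is reported at `field.NewPath("spec", "NetworkPolicy")`, but the serialized field is `networkPolicy` (per the JSON tag and the CRD), so the admission message points at a path that does not exist in the submitted object and tooling that maps errors back to fields will miss it; use `field.NewPath("spec", "networkPolicy")`. The check itself is sound: `cmp.Equal` on the two pointers treats nil and `&NetworkPolicy{}` as different, which is the desired behavior since enabling or disabling enforcement after creation is being rejected. `ValidateUpdate` begins before this hunk, so whether `old` is already type-asserted and nil-checked is not visible here.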
20 changes: 20 additions & 0 deletions exp/api/v1beta1/zz_generated.deepcopy.go

