
     1  // Copyright (c) 2017,2019,2021 Tigera, Inc. All rights reserved.
     2  
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package v3
    16  
    17  import (
    18  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    19  )
    20  
// Kind names written into TypeMeta.Kind for the NetworkPolicy resource and
// its list type (see NewNetworkPolicy below).
const (
	KindNetworkPolicy     = "NetworkPolicy"
	KindNetworkPolicyList = "NetworkPolicyList"
)
    25  
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// NetworkPolicyList is a list of NetworkPolicy objects.
type NetworkPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items holds the NetworkPolicy objects contained in this list.
	Items []NetworkPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
}
    35  
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// NetworkPolicy is the Calico network policy API resource. Its Spec
// (NetworkPolicySpec) carries the tier, the ordered ingress/egress rules and
// the selector choosing the endpoints the policy is enforced on.
type NetworkPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Spec holds the policy definition; see NetworkPolicySpec for field semantics.
	Spec NetworkPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
    45  
// NetworkPolicySpec is the specification of a NetworkPolicy: which tier it
// lives in, where it sorts within that tier, the ordered rule lists, and the
// selectors that pick the endpoints it applies to. The validate tags on each
// field document the constraints enforced when the resource is validated.
type NetworkPolicySpec struct {
	// The name of the tier that this policy belongs to.  If this is omitted, the default
	// tier (name is "default") is assumed.  The specified tier must exist in order to create
	// security policies within the tier, the "default" tier is created automatically if it
	// does not exist, this means for deployments requiring only a single Tier, the tier name
	// may be omitted on all policy management requests.
	Tier string `json:"tier,omitempty" validate:"omitempty,name"`
	// Order is an optional field that specifies the order in which the policy is applied.
	// Policies with higher "order" are applied after those with lower
	// order within the same tier.  If the order is omitted, it may be considered to be "infinite" - i.e. the
	// policy will be applied last.  Policies with identical order will be applied in
	// alphanumerical order based on the Policy "Name" within the tier.
	//
	// A pointer is used so that an omitted order (nil) can be told apart from an
	// explicit order of 0.
	Order *float64 `json:"order,omitempty"`
	// The ordered set of ingress rules.  Each rule contains a set of packet match criteria and
	// a corresponding action to apply.
	Ingress []Rule `json:"ingress,omitempty" validate:"omitempty,dive"`
	// The ordered set of egress rules.  Each rule contains a set of packet match criteria and
	// a corresponding action to apply.
	Egress []Rule `json:"egress,omitempty" validate:"omitempty,dive"`
	// The selector is an expression used to pick out the endpoints that the policy should
	// be applied to.
	//
	// Selector expressions follow this syntax:
	//
	// 	label == "string_literal"  ->  comparison, e.g. my_label == "foo bar"
	// 	label != "string_literal"   ->  not equal; also matches if label is not present
	// 	label in { "a", "b", "c", ... }  ->  true if the value of label X is one of "a", "b", "c"
	// 	label not in { "a", "b", "c", ... }  ->  true if the value of label X is not one of "a", "b", "c"
	// 	has(label_name)  -> True if that label is present
	// 	! expr -> negation of expr
	// 	expr && expr  -> Short-circuit and
	// 	expr || expr  -> Short-circuit or
	// 	( expr ) -> parens for grouping
	// 	all() or the empty selector -> matches all endpoints.
	//
	// Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive
	// but they do not support escape characters.
	//
	// Examples (with made-up labels):
	//
	// 	type == "webserver" && deployment == "prod"
	// 	type in {"frontend", "backend"}
	// 	deployment != "dev"
	// 	! has(label_name)
	//
	// Note that, per the syntax above, an empty Selector is equivalent to all() and so
	// selects every endpoint; authors wanting a narrowly scoped policy should set it explicitly.
	Selector string `json:"selector,omitempty" validate:"selector"`
	// Types indicates whether this policy applies to ingress, or to egress, or to both.  When
	// not explicitly specified (and so the value on creation is empty or nil), Calico defaults
	// Types according to what Ingress and Egress are present in the policy.  The
	// default is:
	//
	// - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are
	//   also no Ingress rules)
	//
	// - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules
	//
	// - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules.
	//
	// When the policy is read back again, Types will always be one of these values, never empty
	// or nil.
	Types []PolicyType `json:"types,omitempty" validate:"omitempty,dive,policyType"`

	// ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts.
	// It uses the same selector syntax documented on Selector.
	ServiceAccountSelector string `json:"serviceAccountSelector,omitempty" validate:"selector"`

	// PerformanceHints contains a list of hints to Calico's policy engine to
	// help process the policy more efficiently.  Hints never change the
	// enforcement behaviour of the policy.
	//
	// Currently, the only available hint is "AssumeNeededOnEveryNode".  When
	// that hint is set on a policy, Felix will act as if the policy matches
	// a local endpoint even if it does not. This is useful for "preloading"
	// any large static policies that are known to be used on every node.
	// If the policy is _not_ used on a particular node then the work
	// done to preload the policy (and to maintain it) is wasted.
	//
	// The validate tag rejects duplicate entries and any value other than
	// PerfHintAssumeNeededOnEveryNode.
	PerformanceHints []PolicyPerformanceHint `json:"performanceHints,omitempty" validate:"omitempty,unique,dive,oneof=AssumeNeededOnEveryNode"`
}
   122  
// PolicyPerformanceHint is a hint to Calico's policy engine carried in
// NetworkPolicySpec.PerformanceHints; see that field for the meaning of each value.
type PolicyPerformanceHint string

// Valid PolicyPerformanceHint values.
const (
	// PerfHintAssumeNeededOnEveryNode is currently the only hint accepted by the
	// PerformanceHints validate tag (oneof=AssumeNeededOnEveryNode).
	PerfHintAssumeNeededOnEveryNode PolicyPerformanceHint = "AssumeNeededOnEveryNode"
)
   128  
// NewNetworkPolicy returns a pointer to a zeroed NetworkPolicy whose TypeMeta
// identifies it as KindNetworkPolicy at the current API group version
// (GroupVersionCurrent). ObjectMeta and Spec are left at their zero values for
// the caller to populate.
func NewNetworkPolicy() *NetworkPolicy {
	np := new(NetworkPolicy)
	np.TypeMeta.Kind = KindNetworkPolicy
	np.TypeMeta.APIVersion = GroupVersionCurrent
	return np
}