kubesphere.io/api@v0.0.0-20231107125330-c9a03957060c/network/v1alpha1/namespacenetworkpolicy_types.go (about)

     1  /*
     2  Copyright 2019 The KubeSphere authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package v1alpha1
    18  
    19  import (
    20  	k8snet "k8s.io/api/networking/v1"
    21  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    22  )
    23  
// Canonical names of the NamespaceNetworkPolicy resource: the Kind as it
// appears in TypeMeta, and the lowercase singular/plural resource names.
// Keep all three in sync with the CRD and the +kubebuilder markers on
// NamespaceNetworkPolicy below.
const (
	ResourceKindNamespaceNetworkPolicy     = "NamespaceNetworkPolicy"
	ResourceSingularNamespaceNetworkPolicy = "namespacenetworkpolicy"
	ResourcePluralNamespaceNetworkPolicy   = "namespacenetworkpolicies"
)
    29  
// NamespaceNetworkPolicySpec provides the specification of a NamespaceNetworkPolicy.
//
// The shape mirrors the upstream networking/v1 NetworkPolicySpec (ingress,
// egress, policyTypes) but carries no podSelector field. The field comments
// below are inherited from upstream and still mention "podSelector";
// NOTE(review): presumably the selected pods are all pods of the namespace the
// policy lives in — confirm against the controller that translates this type.
type NamespaceNetworkPolicySpec struct {
	// List of ingress rules to be applied to the selected pods. Traffic is allowed to
	// a pod if there are no NetworkPolicies selecting the pod
	// (and cluster policy otherwise allows the traffic), OR if the traffic source is
	// the pod's local node, OR if the traffic matches at least one ingress rule
	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
	// this field is empty then this NetworkPolicy does not allow any traffic (and serves
	// solely to ensure that the pods it selects are isolated by default)
	// +optional
	Ingress []NetworkPolicyIngressRule `json:"ingress,omitempty" protobuf:"bytes,1,rep,name=ingress"`

	// List of egress rules to be applied to the selected pods. Outgoing traffic is
	// allowed if there are no NetworkPolicies selecting the pod (and cluster policy
	// otherwise allows the traffic), OR if the traffic matches at least one egress rule
	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
	// solely to ensure that the pods it selects are isolated by default).
	// This field is beta-level in 1.8
	// +optional
	Egress []NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,2,rep,name=egress"`

	// List of rule types that the NetworkPolicy relates to.
	// Valid options are "Ingress", "Egress", or "Ingress,Egress".
	// If this field is not specified, it will default based on the existence of Ingress or Egress rules;
	// policies that contain an Egress section are assumed to affect Egress, and all policies
	// (whether or not they contain an Ingress section) are assumed to affect Ingress.
	// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
	// Likewise, if you want to write a policy that specifies that no egress is allowed,
	// you must specify a policyTypes value that include "Egress" (since such a policy would not include
	// an Egress section and would otherwise default to just [ "Ingress" ]).
	// This field is beta-level in 1.8
	// +optional
	//
	// Reuses the upstream k8snet.PolicyType so the values serialize exactly as
	// they do on a native NetworkPolicy.
	PolicyTypes []k8snet.PolicyType `json:"policyTypes,omitempty" protobuf:"bytes,3,rep,name=policyTypes,casttype=PolicyType"`
}
    65  
// NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
//
// Ports reuses the upstream k8snet type; From uses this package's own
// NetworkPolicyPeer, which is the part that differs from networking/v1.
type NetworkPolicyIngressRule struct {
	// List of ports which should be made accessible on the pods selected for this
	// rule. Each item in this list is combined using a logical OR. If this field is
	// empty or missing, this rule matches all ports (traffic not restricted by port).
	// If this field is present and contains at least one item, then this rule allows
	// traffic only if the traffic matches at least one port in the list.
	// +optional
	Ports []k8snet.NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`

	// List of sources which should be able to access the pods selected for this rule.
	// Items in this list are combined using a logical OR operation. If this field is
	// empty or missing, this rule matches all sources (traffic not restricted by
	// source). If this field is present and contains at least one item, this rule
	// allows traffic only if the traffic matches at least one item in the from list.
	// +optional
	From []NetworkPolicyPeer `json:"from,omitempty" protobuf:"bytes,2,rep,name=from"`
}
    85  
// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
// This type is beta-level in 1.8
//
// Ports reuses the upstream k8snet type; To uses this package's own
// NetworkPolicyPeer, which is the part that differs from networking/v1.
type NetworkPolicyEgressRule struct {
	// List of destination ports for outgoing traffic.
	// Each item in this list is combined using a logical OR. If this field is
	// empty or missing, this rule matches all ports (traffic not restricted by port).
	// If this field is present and contains at least one item, then this rule allows
	// traffic only if the traffic matches at least one port in the list.
	// +optional
	Ports []k8snet.NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`

	// List of destinations for outgoing traffic of pods selected for this rule.
	// Items in this list are combined using a logical OR operation. If this field is
	// empty or missing, this rule matches all destinations (traffic not restricted by
	// destination). If this field is present and contains at least one item, this rule
	// allows traffic only if the traffic matches at least one item in the to list.
	// +optional
	To []NetworkPolicyPeer `json:"to,omitempty" protobuf:"bytes,2,rep,name=to"`
}
   106  
// NamespaceSelector identifies a peer namespace by its name. Unlike the
// upstream label-based namespaceSelector, this carries a single name and no
// label selector.
type NamespaceSelector struct {
	// Name of the namespace. Required in JSON (no omitempty); nothing in this
	// file rejects an empty string, so callers should not rely on the type alone.
	Name string `json:"name" protobuf:"bytes,1,name=name"`
}
   110  
// ServiceSelector identifies a peer Service by name and namespace. Both
// fields are required in JSON (no omitempty); neither is validated here.
type ServiceSelector struct {
	// Name of the Service.
	Name string `json:"name" protobuf:"bytes,1,name=name"`
	// Namespace the Service lives in.
	Namespace string `json:"namespace" protobuf:"bytes,2,name=namespace"`
}
   115  
// NetworkPolicyPeer describes a peer to allow traffic from. Only certain combinations of
// fields are allowed
//
// NOTE(review): the combination rule is stated only in comments; the struct
// itself accepts any mix of the three pointers, including all nil. Presumably
// a validating webhook or the controller rejects bad combinations — confirm,
// because an unchecked peer can match more (or less) traffic than the policy
// author intended.
type NetworkPolicyPeer struct {
	// NamespaceSelector names a whole namespace as the peer. Serialized under
	// the JSON key "namespace", not "namespaceSelector".
	// +optional
	NamespaceSelector *NamespaceSelector `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"`

	// IPBlock defines policy on a particular IPBlock. If this field is set then
	// neither of the other fields can be.
	// +optional
	IPBlock *k8snet.IPBlock `json:"ipBlock,omitempty" protobuf:"bytes,2,rep,name=ipBlock"`

	// ServiceSelector names a Service (name + namespace) as the peer.
	// Serialized under the JSON key "service". The field is a pointer with
	// omitempty like the others but carries no +optional marker; presumably an
	// oversight rather than a requirement — confirm against the generated CRD.
	ServiceSelector *ServiceSelector `json:"service,omitempty" protobuf:"bytes,3,opt,name=service"`
}
   129  
// +genclient
// +kubebuilder:object:root=true

// NamespaceNetworkPolicy is the Schema for the namespacenetworkpolicies API
// +k8s:openapi-gen=true
// +kubebuilder:resource:categories="networking",shortName="nsnp"
//
// The object carries only a Spec; there is no Status field, so the type
// itself records nothing about whether the policy has been applied.
type NamespaceNetworkPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec holds the ingress/egress rules and policy types for this namespace.
	Spec NamespaceNetworkPolicySpec `json:"spec,omitempty"`
}
   142  
// +kubebuilder:object:root=true

// NamespaceNetworkPolicyList contains a list of NamespaceNetworkPolicy
type NamespaceNetworkPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items is the list of policies; serialized without omitempty so an empty
	// list encodes as "items": [] rather than being dropped.
	Items []NamespaceNetworkPolicy `json:"items"`
}
   151  
// NSNPPrefix is the "nsnp-" name prefix associated with NamespaceNetworkPolicy
// (matches the shortName in the kubebuilder marker above). NOTE(review):
// presumably prepended to names of objects the controller derives from a
// policy — confirm where it is consumed.
const (
	NSNPPrefix = "nsnp-"
)