From 825e0269301d0c61fab0f19ae968d52c02965c4d Mon Sep 17 00:00:00 2001
From: Duan Jiong
Date: Wed, 10 Jun 2020 18:08:56 +0800
Subject: [PATCH] validate cidr only accept validated cidr. And fix the error handle when network-isotate is diabled. And remove the useless crd.

Signed-off-by: Duan Jiong
---
 ...ubesphere.io_namespacenetworkpolicies.yaml | 762 ------------------
 ...ubesphere.io_namespacenetworkpolicies.yaml | 1 +
 .../nsnetworkpolicy_controller.go | 10 +-
 3 files changed, 7 insertions(+), 766 deletions(-)
 delete mode 100644 config/crd/bases/network.kubesphere.io_namespacenetworkpolicies.yaml

diff --git a/config/crd/bases/network.kubesphere.io_namespacenetworkpolicies.yaml b/config/crd/bases/network.kubesphere.io_namespacenetworkpolicies.yaml
deleted file mode 100644
index 0be1db2ab..000000000
--- a/config/crd/bases/network.kubesphere.io_namespacenetworkpolicies.yaml
+++ /dev/null
@@ -1,762 +0,0 @@ - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: namespacenetworkpolicies.network.kubesphere.io -spec: - group: network.kubesphere.io - names: - categories: - - networking - kind: NamespaceNetworkPolicy - listKind: NamespaceNetworkPolicyList - plural: namespacenetworkpolicies - shortNames: - - nsnp - singular: namespacenetworkpolicy - scope: Namespaced - validation: - openAPIV3Schema: - description: NamespaceNetworkPolicy is the Schema for the namespacenetworkpolicies - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: NamespaceNetworkPolicySpec defines the desired state of NamespaceNetworkPolicy - properties: - egress: - description: The ordered set of egress rules. Each rule contains a - set of packet match criteria and a corresponding action to apply. - items: - description: "A Rule encapsulates a set of match criteria and an action. - \ Both selector-based security Policy and security Profiles reference - rules - separated out as a list of rules for both ingress and egress - packet matching. \n Each positive match criteria has a negated version, - prefixed with ”Not”. 
All the match criteria within a rule must be - satisfied for a packet to match. A single rule can contain the positive - and negative version of a match and both must be satisfied for the - rule to match." - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected namespaces - will be matched. When both NamespaceSelector and Selector - are defined on the same rule, then only workload endpoints - that are matched by both selectors will be selected by the - rule. \n For NetworkPolicy, an empty NamespaceSelector implies - that the Selector is limited to selecting only workload - endpoints in the same namespace as the NetworkPolicy. \n - For GlobalNetworkPolicy, an empty NamespaceSelector implies - the Selector applies to workload endpoints across all namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or terminates - at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - description: "Port represents either a range of numeric - ports or a named port. \n - For a named port, set - the PortName, leaving MinPort and MaxPort as 0. - - For a port range, set MinPort and MaxPort to the (inclusive) - port numbers. Set PortName to \"\". - For a - single port, set MinPort = MaxPort and PortName = \"\"." 
- properties: - maxPort: - type: integer - minPort: - type: integer - portName: - type: string - type: object - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated selectors. - type: string - ports: - description: "Ports is an optional field that restricts the - rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges of - ports. \n Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to \"TCP\" or \"UDP\"." - items: - description: "Port represents either a range of numeric - ports or a named port. \n - For a named port, set - the PortName, leaving MinPort and MaxPort as 0. - - For a port range, set MinPort and MaxPort to the (inclusive) - port numbers. Set PortName to \"\". - For a - single port, set MinPort = MaxPort and PortName = \"\"." - properties: - maxPort: - type: integer - minPort: - type: integer - portName: - type: string - type: object - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). Only - traffic that originates from (terminates at) endpoints matching - the selector will be matched. \n Note that: in addition - to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports negation. - \ The two types of negation are subtly different. One negates - the set of matched endpoints, the other negates the whole - match: \n \tSelector = \"!has(my_label)\" matches packets - that are from other Calico-controlled \tendpoints that do - not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" - matches packets that are not from Calico-controlled \tendpoints - that do have the label “my_label”. 
\n The effect is that - the latter will accept packets from non-Calico sources whereas - the former is limited to packets from Calico-controlled - endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account - whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account - that matches the given label selector. If both Names - and Selector are specified then they are AND'ed. - type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP requests. - properties: - methods: - description: Methods is an optional field that restricts the - rule to apply only to HTTP requests that use one of the - listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods - are OR'd together. - items: - type: string - type: array - paths: - description: 'Paths is an optional field that restricts the - rule to apply to HTTP requests that use one of the listed - HTTP Paths. Multiple paths are OR''d together. e.g: - exact: - /foo - prefix: /bar NOTE: Each entry may ONLY specify either - a `exact` or a `prefix` match. The validator will check - for it.' - items: - description: 'HTTPPath specifies an HTTP path to match. 
- It may be either of the form: exact: : which matches - the path exactly or prefix: : which matches - the path prefix' - properties: - exact: - type: string - prefix: - type: string - type: object - type: array - type: object - icmp: - description: ICMP is an optional field that restricts the rule - to apply to a specific type and code of ICMP traffic. This - should only be specified if the Protocol field is set to "ICMP" - or "ICMPv6". - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example a - value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - ipVersion: - description: IPVersion is an optional field that restricts the - rule to only match a specific IP version. - type: integer - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example a - value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - notProtocol: - description: NotProtocol is the negated version of the Protocol - field. - type: string - protocol: - description: "Protocol is an optional field that restricts the - rule to only apply to traffic of a specific IP protocol. Required - if any of the EntityRules contain Ports (because ports only - apply to certain protocols). \n Must be one of these string - values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" - or an integer in the range 1-255." 
- type: string - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected namespaces - will be matched. When both NamespaceSelector and Selector - are defined on the same rule, then only workload endpoints - that are matched by both selectors will be selected by the - rule. \n For NetworkPolicy, an empty NamespaceSelector implies - that the Selector is limited to selecting only workload - endpoints in the same namespace as the NetworkPolicy. \n - For GlobalNetworkPolicy, an empty NamespaceSelector implies - the Selector applies to workload endpoints across all namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or terminates - at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - description: "Port represents either a range of numeric - ports or a named port. \n - For a named port, set - the PortName, leaving MinPort and MaxPort as 0. - - For a port range, set MinPort and MaxPort to the (inclusive) - port numbers. Set PortName to \"\". - For a - single port, set MinPort = MaxPort and PortName = \"\"." - properties: - maxPort: - type: integer - minPort: - type: integer - portName: - type: string - type: object - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. 
See Selector field for subtleties with negated selectors. - type: string - ports: - description: "Ports is an optional field that restricts the - rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges of - ports. \n Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to \"TCP\" or \"UDP\"." - items: - description: "Port represents either a range of numeric - ports or a named port. \n - For a named port, set - the PortName, leaving MinPort and MaxPort as 0. - - For a port range, set MinPort and MaxPort to the (inclusive) - port numbers. Set PortName to \"\". - For a - single port, set MinPort = MaxPort and PortName = \"\"." - properties: - maxPort: - type: integer - minPort: - type: integer - portName: - type: string - type: object - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). Only - traffic that originates from (terminates at) endpoints matching - the selector will be matched. \n Note that: in addition - to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports negation. - \ The two types of negation are subtly different. One negates - the set of matched endpoints, the other negates the whole - match: \n \tSelector = \"!has(my_label)\" matches packets - that are from other Calico-controlled \tendpoints that do - not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" - matches packets that are not from Calico-controlled \tendpoints - that do have the label “my_label”. \n The effect is that - the latter will accept packets from non-Calico sources whereas - the former is limited to packets from Calico-controlled - endpoints." 
- type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account - whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account - that matches the given label selector. If both Names - and Selector are specified then they are AND'ed. - type: string - type: object - type: object - required: - - action - type: object - type: array - ingress: - description: The ordered set of ingress rules. Each rule contains a - set of packet match criteria and a corresponding action to apply. - items: - description: "A Rule encapsulates a set of match criteria and an action. - \ Both selector-based security Policy and security Profiles reference - rules - separated out as a list of rules for both ingress and egress - packet matching. \n Each positive match criteria has a negated version, - prefixed with ”Not”. All the match criteria within a rule must be - satisfied for a packet to match. A single rule can contain the positive - and negative version of a match and both must be satisfied for the - rule to match." - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected namespaces - will be matched. 
When both NamespaceSelector and Selector - are defined on the same rule, then only workload endpoints - that are matched by both selectors will be selected by the - rule. \n For NetworkPolicy, an empty NamespaceSelector implies - that the Selector is limited to selecting only workload - endpoints in the same namespace as the NetworkPolicy. \n - For GlobalNetworkPolicy, an empty NamespaceSelector implies - the Selector applies to workload endpoints across all namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or terminates - at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - description: "Port represents either a range of numeric - ports or a named port. \n - For a named port, set - the PortName, leaving MinPort and MaxPort as 0. - - For a port range, set MinPort and MaxPort to the (inclusive) - port numbers. Set PortName to \"\". - For a - single port, set MinPort = MaxPort and PortName = \"\"." - properties: - maxPort: - type: integer - minPort: - type: integer - portName: - type: string - type: object - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated selectors. - type: string - ports: - description: "Ports is an optional field that restricts the - rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges of - ports. 
\n Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to \"TCP\" or \"UDP\"." - items: - description: "Port represents either a range of numeric - ports or a named port. \n - For a named port, set - the PortName, leaving MinPort and MaxPort as 0. - - For a port range, set MinPort and MaxPort to the (inclusive) - port numbers. Set PortName to \"\". - For a - single port, set MinPort = MaxPort and PortName = \"\"." - properties: - maxPort: - type: integer - minPort: - type: integer - portName: - type: string - type: object - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). Only - traffic that originates from (terminates at) endpoints matching - the selector will be matched. \n Note that: in addition - to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports negation. - \ The two types of negation are subtly different. One negates - the set of matched endpoints, the other negates the whole - match: \n \tSelector = \"!has(my_label)\" matches packets - that are from other Calico-controlled \tendpoints that do - not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" - matches packets that are not from Calico-controlled \tendpoints - that do have the label “my_label”. \n The effect is that - the latter will accept packets from non-Calico sources whereas - the former is limited to packets from Calico-controlled - endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. 
- properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account - whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account - that matches the given label selector. If both Names - and Selector are specified then they are AND'ed. - type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP requests. - properties: - methods: - description: Methods is an optional field that restricts the - rule to apply only to HTTP requests that use one of the - listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods - are OR'd together. - items: - type: string - type: array - paths: - description: 'Paths is an optional field that restricts the - rule to apply to HTTP requests that use one of the listed - HTTP Paths. Multiple paths are OR''d together. e.g: - exact: - /foo - prefix: /bar NOTE: Each entry may ONLY specify either - a `exact` or a `prefix` match. The validator will check - for it.' - items: - description: 'HTTPPath specifies an HTTP path to match. - It may be either of the form: exact: : which matches - the path exactly or prefix: : which matches - the path prefix' - properties: - exact: - type: string - prefix: - type: string - type: object - type: array - type: object - icmp: - description: ICMP is an optional field that restricts the rule - to apply to a specific type and code of ICMP traffic. This - should only be specified if the Protocol field is set to "ICMP" - or "ICMPv6". - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. 
This is a technical - limitation imposed by the kernel’s iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example a - value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - ipVersion: - description: IPVersion is an optional field that restricts the - rule to only match a specific IP version. - type: integer - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example a - value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - notProtocol: - description: NotProtocol is the negated version of the Protocol - field. - type: string - protocol: - description: "Protocol is an optional field that restricts the - rule to only apply to traffic of a specific IP protocol. Required - if any of the EntityRules contain Ports (because ports only - apply to certain protocols). \n Must be one of these string - values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" - or an integer in the range 1-255." - type: string - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected namespaces - will be matched. When both NamespaceSelector and Selector - are defined on the same rule, then only workload endpoints - that are matched by both selectors will be selected by the - rule. 
\n For NetworkPolicy, an empty NamespaceSelector implies - that the Selector is limited to selecting only workload - endpoints in the same namespace as the NetworkPolicy. \n - For GlobalNetworkPolicy, an empty NamespaceSelector implies - the Selector applies to workload endpoints across all namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or terminates - at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - description: "Port represents either a range of numeric - ports or a named port. \n - For a named port, set - the PortName, leaving MinPort and MaxPort as 0. - - For a port range, set MinPort and MaxPort to the (inclusive) - port numbers. Set PortName to \"\". - For a - single port, set MinPort = MaxPort and PortName = \"\"." - properties: - maxPort: - type: integer - minPort: - type: integer - portName: - type: string - type: object - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated selectors. - type: string - ports: - description: "Ports is an optional field that restricts the - rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges of - ports. \n Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to \"TCP\" or \"UDP\"." 
- items: - description: "Port represents either a range of numeric - ports or a named port. \n - For a named port, set - the PortName, leaving MinPort and MaxPort as 0. - - For a port range, set MinPort and MaxPort to the (inclusive) - port numbers. Set PortName to \"\". - For a - single port, set MinPort = MaxPort and PortName = \"\"." - properties: - maxPort: - type: integer - minPort: - type: integer - portName: - type: string - type: object - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). Only - traffic that originates from (terminates at) endpoints matching - the selector will be matched. \n Note that: in addition - to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports negation. - \ The two types of negation are subtly different. One negates - the set of matched endpoints, the other negates the whole - match: \n \tSelector = \"!has(my_label)\" matches packets - that are from other Calico-controlled \tendpoints that do - not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" - matches packets that are not from Calico-controlled \tendpoints - that do have the label “my_label”. \n The effect is that - the latter will accept packets from non-Calico sources whereas - the former is limited to packets from Calico-controlled - endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account - whose name is in the list. 
- items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account - that matches the given label selector. If both Names - and Selector are specified then they are AND'ed. - type: string - type: object - type: object - required: - - action - type: object - type: array - order: - description: Order is an optional field that specifies the order in - which the policy is applied. Policies with higher "order" are applied - after those with lower order. If the order is omitted, it may be - considered to be "infinite" - i.e. the policy will be applied last. Policies - with identical order will be applied in alphanumerical order based - on the Policy "Name". - type: integer - selector: - description: "The selector is an expression used to pick pick out the - endpoints that the policy should be applied to. \n Selector expressions - follow this syntax: \n \tlabel == \"string_literal\" -> comparison, - e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" -> not - equal; also matches if label is not present \tlabel in { \"a\", \"b\", - \"c\", ... } -> true if the value of label X is one of \"a\", \"b\", - \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -> true if the - value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name) - \ -> True if that label is present \t! expr -> negation of expr \texpr - && expr -> Short-circuit and \texpr || expr -> Short-circuit or - \t( expr ) -> parens for grouping \tall() or the empty selector -> - matches all endpoints. \n Label names are allowed to contain alphanumerics, - -, _ and /. String literals are more permissive but they do not support - escape characters. \n Examples (with made-up labels): \n \ttype == - \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\", \"backend\"} - \tdeployment != \"dev\" \t! 
has(label_name)" - type: string - types: - description: "Types indicates whether this policy applies to ingress, - or to egress, or to both. When not explicitly specified (and so the - value on creation is empty or nil), Calico defaults Types according - to what Ingress and Egress are present in the policy. The default - is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including - the case where there are also no Ingress rules) \n - [ PolicyTypeEgress - ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, - PolicyTypeEgress ], if there are both Ingress and Egress rules. \n - When the policy is read back again, Types will always be one of these - values, never empty or nil." - items: - type: string - type: array - required: - - selector - type: object - type: object - version: v1alpha1 - versions: - - name: v1alpha1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/config/crds/network.kubesphere.io_namespacenetworkpolicies.yaml b/config/crds/network.kubesphere.io_namespacenetworkpolicies.yaml index e827a6e95..d7ef63060 100644 --- a/config/crds/network.kubesphere.io_namespacenetworkpolicies.yaml +++ b/config/crds/network.kubesphere.io_namespacenetworkpolicies.yaml @@ -101,6 +101,7 @@ spec: description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" type: string + pattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))$ except: description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples diff --git a/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go index f38e82432..17e7ba8ab 100644 --- a/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go +++ b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go 
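Review bot: The added `pattern` for the cidr field accepts any one-to-three digit octet, so a value such as `999.1.1.1/24` passes admission although it is not an IPv4 address, and the anchored expression rejects every IPv6 prefix, so a dual-stack cluster cannot express a v6 block at all. Bounding each octet, `pattern: ^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/([0-9]|[12][0-9]|3[0-2])$`, closes the first gap; whether v6 has to be accepted depends on what the controller hands to the CNI, which is not visible here. The `except` list a few lines below is documented as a slice of CIDRs but appears to get no matching pattern (its `items` schema is outside the hunk), so the entries that carve holes out of a block stay unvalidated while the block itself is checked. A schema pattern only runs at admission, so objects stored before this CRD change are never re-validated; the controller should still parse the value with net.ParseCIDR before it builds a policy from it rather than rely on the regex alone.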
@@ -428,19 +428,21 @@ func (c *NSNetworkPolicyController) syncNs(key string) error {
 matchWorkspace := false
 delete := false
- nsnpList, _ := c.informer.Lister().NamespaceNetworkPolicies(ns.Name).List(labels.Everything())
+ nsnpList, err := c.informer.Lister().NamespaceNetworkPolicies(ns.Name).List(labels.Everything())
 if isNetworkIsolateEnabled(ns) {
 matchWorkspace = false
 } else if wksp.Spec.NetworkIsolation {
 matchWorkspace = true
+ } else {
+ delete = true
+ }
+ if delete || matchWorkspace {
 //delete all namespace np when networkisolate not active
- if err != nil && len(nsnpList) > 0 {
+ if err == nil && len(nsnpList) > 0 {
 if c.ksclient.NamespaceNetworkPolicies(ns.Name).DeleteCollection(nil, typev1.ListOptions{}) != nil {
 klog.Errorf("Error when delete all nsnps in namespace %s", ns.Name)
 }
 }
- } else {
- delete = true
 }
 policy := generateNSNP(workspaceName, ns.Name, matchWorkspace)
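Review bot: The lister error now captured in `nsnpList, err := ...` is used only to skip the delete branch, so a failed List (an unsynced cache, say) silently leaves existing NamespaceNetworkPolicy objects in place and the function goes on to generate and apply the workspace policy without the key ever being requeued. Returning it instead, `if err != nil { return err }` directly after the List call, makes the workqueue retry and stops the namespace's actual isolation state from drifting from the desired one unnoticed. The `DeleteCollection` result on the context line is likewise compared with nil and then dropped, so the log cannot say why the deletion failed; `if err := c.ksclient.NamespaceNetworkPolicies(ns.Name).DeleteCollection(nil, typev1.ListOptions{}); err != nil { klog.Errorf("Error when delete all nsnps in namespace %s: %v", ns.Name, err) }` keeps the cause, and a failed delete arguably deserves a returned error for the same retry reason. The local named `delete` on the context lines shadows the builtin; a name such as `deleteNSNPs` would avoid that. syncNs begins before this hunk and continues after the `policy :=` line.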