From 90fa38851fbefbc5c247252fd78e4f850e4d2d3c Mon Sep 17 00:00:00 2001 
From: magicsong Date: Mon, 5 Aug 2019 18:48:32 +0800 Subject: [PATCH] add ns networkpolicy --- .gitattributes | 4 + Makefile | 2 +- api/api-rules/violation_exceptions.list | 2 +- build/ks-network/Dockerfile | 4 + cmd/ks-network/main.go | 65 ++ config/manager/network.yaml | 75 ++ ...ubesphere.io_namespacenetworkpolicies.yaml | 713 ++++++++++++++++++ ...ubesphere.io_workspacenetworkpolicies.yaml | 8 +- config/rbac/rbac_role_binding_network.yaml | 13 + config/rbac/role.yaml | 31 + ...twork_v1alpha1_namespacenetworkpolicy.yaml | 9 + config/webhook/manifests.yaml | 0 go.mod | 20 +- go.sum | 83 ++ hack/generate_client.sh | 4 +- hack/generate_group.sh | 1 + hack/network-test.sh | 57 ++ pkg/apis/network/v1alpha1/common.go | 170 +++++ .../v1alpha1/namespacenetworkpolicy_types.go | 108 +++ .../namespacenetworkpolicy_types_test.go | 58 ++ .../network/v1alpha1/numorstring/asnumber.go | 73 ++ pkg/apis/network/v1alpha1/numorstring/doc.go | 19 + .../numorstring/numorstring_suite_test.go | 26 + .../v1alpha1/numorstring/numorstring_test.go | 204 +++++ pkg/apis/network/v1alpha1/numorstring/port.go | 144 ++++ .../network/v1alpha1/numorstring/protocol.go | 134 ++++ pkg/apis/network/v1alpha1/numorstring/type.go | 23 + .../v1alpha1/numorstring/uint8orstring.go | 80 ++ .../network/v1alpha1/v1alpha1_suite_test.go | 2 +- .../v1alpha1/workspacenetworkpolicy_types.go | 1 + .../network/v1alpha1/zz_generated.deepcopy.go | 279 ++++++- pkg/client/clientset/versioned/clientset.go | 3 +- pkg/client/clientset/versioned/doc.go | 3 +- .../versioned/fake/clientset_generated.go | 3 +- pkg/client/clientset/versioned/fake/doc.go | 3 +- .../clientset/versioned/fake/register.go | 3 +- pkg/client/clientset/versioned/scheme/doc.go | 3 +- .../clientset/versioned/scheme/register.go | 3 +- .../versioned/typed/network/v1alpha1/doc.go | 3 +- .../typed/network/v1alpha1/fake/doc.go | 3 +- .../fake/fake_namespacenetworkpolicy.go | 127 ++++ .../v1alpha1/fake/fake_network_client.go | 7 +- 
.../fake/fake_workspacenetworkpolicy.go | 3 +- .../network/v1alpha1/generated_expansion.go | 5 +- .../v1alpha1/namespacenetworkpolicy.go | 173 +++++ .../typed/network/v1alpha1/network_client.go | 8 +- .../v1alpha1/workspacenetworkpolicy.go | 3 +- .../typed/servicemesh/v1alpha2/doc.go | 3 +- .../typed/servicemesh/v1alpha2/fake/doc.go | 3 +- .../v1alpha2/fake/fake_servicemesh_client.go | 3 +- .../v1alpha2/fake/fake_servicepolicy.go | 3 +- .../v1alpha2/fake/fake_strategy.go | 3 +- .../v1alpha2/generated_expansion.go | 3 +- .../v1alpha2/servicemesh_client.go | 3 +- .../servicemesh/v1alpha2/servicepolicy.go | 3 +- .../typed/servicemesh/v1alpha2/strategy.go | 3 +- .../versioned/typed/tenant/v1alpha1/doc.go | 3 +- .../typed/tenant/v1alpha1/fake/doc.go | 3 +- .../v1alpha1/fake/fake_tenant_client.go | 3 +- .../tenant/v1alpha1/fake/fake_workspace.go | 3 +- .../tenant/v1alpha1/generated_expansion.go | 3 +- .../typed/tenant/v1alpha1/tenant_client.go | 3 +- .../typed/tenant/v1alpha1/workspace.go | 3 +- .../informers/externalversions/factory.go | 3 +- .../informers/externalversions/generic.go | 5 +- .../internalinterfaces/factory_interfaces.go | 3 +- .../externalversions/network/interface.go | 3 +- .../network/v1alpha1/interface.go | 10 +- .../v1alpha1/namespacenetworkpolicy.go | 88 +++ .../v1alpha1/workspacenetworkpolicy.go | 3 +- .../externalversions/servicemesh/interface.go | 3 +- .../servicemesh/v1alpha2/interface.go | 3 +- .../servicemesh/v1alpha2/servicepolicy.go | 3 +- .../servicemesh/v1alpha2/strategy.go | 3 +- .../externalversions/tenant/interface.go | 3 +- .../tenant/v1alpha1/interface.go | 3 +- .../tenant/v1alpha1/workspace.go | 3 +- .../network/v1alpha1/expansion_generated.go | 11 +- .../v1alpha1/namespacenetworkpolicy.go | 93 +++ .../v1alpha1/workspacenetworkpolicy.go | 3 +- .../v1alpha2/expansion_generated.go | 3 +- .../servicemesh/v1alpha2/servicepolicy.go | 3 +- .../listers/servicemesh/v1alpha2/strategy.go | 3 +- .../tenant/v1alpha1/expansion_generated.go | 3 +- 
.../listers/tenant/v1alpha1/workspace.go | 3 +- .../network/controllerapi/interface.go | 6 + pkg/controller/network/doc.go | 5 + .../network/nsnetworkpolicy/controller.go | 177 +++++ .../nsnetworkpolicy_suite_test.go | 21 + .../nsnetworkpolicy/nsnetworkpolicy_test.go | 93 +++ .../network/nsnetworkpolicy/reconcile.go | 119 +++ .../network/provider/fake_ns_calico.go | 66 ++ pkg/controller/network/provider/global_np.go | 1 + .../network/provider/namespace_np.go | 35 + pkg/controller/network/provider/ns_calico.go | 144 ++++ pkg/controller/network/utils/strings.go | 22 + .../network/wsnetworkpolicy/controller.go | 7 +- .../wsnetworkpolicy/wsnetworkpolicy_test.go | 3 +- test/network/OWNERS | 13 + test/network/manifests/sample1.yaml | 57 ++ test/network/manifests/test-job.yaml | 17 + 101 files changed, 3737 insertions(+), 120 deletions(-) create mode 100644 build/ks-network/Dockerfile create mode 100644 cmd/ks-network/main.go create mode 100644 config/manager/network.yaml create mode 100644 config/mannual-crds/network.kubesphere.io_namespacenetworkpolicies.yaml rename config/{crds => mannual-crds}/network.kubesphere.io_workspacenetworkpolicies.yaml (99%) create mode 100644 config/rbac/rbac_role_binding_network.yaml create mode 100644 config/rbac/role.yaml create mode 100644 config/samples/network_v1alpha1_namespacenetworkpolicy.yaml create mode 100644 config/webhook/manifests.yaml create mode 100755 hack/network-test.sh create mode 100644 pkg/apis/network/v1alpha1/common.go create mode 100644 pkg/apis/network/v1alpha1/namespacenetworkpolicy_types.go create mode 100644 pkg/apis/network/v1alpha1/namespacenetworkpolicy_types_test.go create mode 100644 pkg/apis/network/v1alpha1/numorstring/asnumber.go create mode 100644 pkg/apis/network/v1alpha1/numorstring/doc.go create mode 100644 pkg/apis/network/v1alpha1/numorstring/numorstring_suite_test.go create mode 100644 pkg/apis/network/v1alpha1/numorstring/numorstring_test.go create mode 100644 
pkg/apis/network/v1alpha1/numorstring/port.go create mode 100644 pkg/apis/network/v1alpha1/numorstring/protocol.go create mode 100644 pkg/apis/network/v1alpha1/numorstring/type.go create mode 100644 pkg/apis/network/v1alpha1/numorstring/uint8orstring.go create mode 100644 pkg/client/clientset/versioned/typed/network/v1alpha1/fake/fake_namespacenetworkpolicy.go create mode 100644 pkg/client/clientset/versioned/typed/network/v1alpha1/namespacenetworkpolicy.go create mode 100644 pkg/client/informers/externalversions/network/v1alpha1/namespacenetworkpolicy.go create mode 100644 pkg/client/listers/network/v1alpha1/namespacenetworkpolicy.go create mode 100644 pkg/controller/network/controllerapi/interface.go create mode 100644 pkg/controller/network/doc.go create mode 100644 pkg/controller/network/nsnetworkpolicy/controller.go create mode 100644 pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_suite_test.go create mode 100644 pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_test.go create mode 100644 pkg/controller/network/nsnetworkpolicy/reconcile.go create mode 100644 pkg/controller/network/provider/fake_ns_calico.go create mode 100644 pkg/controller/network/provider/global_np.go create mode 100644 pkg/controller/network/provider/namespace_np.go create mode 100644 pkg/controller/network/provider/ns_calico.go create mode 100644 pkg/controller/network/utils/strings.go create mode 100644 test/network/OWNERS create mode 100644 test/network/manifests/sample1.yaml create mode 100644 test/network/manifests/test-job.yaml diff --git a/.gitattributes b/.gitattributes index ce07fed00..ba8ee6625 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,2 +1,6 @@ pkg/cmd/api/spec/api.swagger.json linguist-generated=true pkg/cmd/api/spec/static.go linguist-generated=true +pkg/client/* linguist-generated=true +config/crds/* linguist-generated=true +config/rbac/* linguist-generated=true +zz_generated.deepcopy.go linguist-generated=true \ No newline at end of file 
diff --git a/Makefile b/Makefile index 478adb549..24703c74d 100644 --- a/Makefile +++ b/Makefile @@ -70,7 +70,7 @@ manifests: go run vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go all crds: - $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./pkg/apis/network/..." output:crd:artifacts:config=config/crd/bases + $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=net-manager-role webhook paths="./pkg/apis/network/..." paths="./pkg/controller/network/..." output:crd:artifacts:config=config/crds deploy: manifests kubectl apply -f config/crds kustomize build config/default | kubectl apply -f - diff --git a/api/api-rules/violation_exceptions.list b/api/api-rules/violation_exceptions.list index 20be45d9c..b6b82484c 100644 --- a/api/api-rules/violation_exceptions.list +++ b/api/api-rules/violation_exceptions.list @@ -1,3 +1,4 @@ +API rule violation: names_match,./network/v1alpha1,WorkspaceNetworkPolicyEgressRule,To API rule violation: names_match,k8s.io/api/core/v1,AzureDiskVolumeSource,DataDiskURI API rule violation: names_match,k8s.io/api/core/v1,ContainerStatus,LastTerminationState API rule violation: names_match,k8s.io/api/core/v1,DaemonEndpoint,Port @@ -44,4 +45,3 @@ API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,Raw API rule violation: names_match,k8s.io/apimachinery/pkg/util/intstr,IntOrString,IntVal API rule violation: names_match,k8s.io/apimachinery/pkg/util/intstr,IntOrString,StrVal API rule violation: names_match,k8s.io/apimachinery/pkg/util/intstr,IntOrString,Type -API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/network/v1alpha1,WorkspaceNetworkPolicyEgressRule,To diff --git a/build/ks-network/Dockerfile b/build/ks-network/Dockerfile new file mode 100644 index 000000000..fb5223cf3 --- /dev/null +++ b/build/ks-network/Dockerfile @@ -0,0 +1,4 @@ +FROM gcr.io/distroless/static:latest +WORKDIR / +COPY ks-network . +ENTRYPOINT ["/ks-network"] 
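Review bot: The new build/ks-network/Dockerfile bases the image on `gcr.io/distroless/static:latest`, a moving tag, so the base layers a given commit produces depend on when it is built, and a base-image change never appears in review. Pinning by digest, `FROM gcr.io/distroless/static@sha256:<digest-placeholder>`, or at minimum a versioned tag, makes the build reproducible and puts base-image updates under version control. The other three lines (WORKDIR, COPY, ENTRYPOINT) are the usual shape for a single static binary.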
diff --git a/cmd/ks-network/main.go b/cmd/ks-network/main.go
new file mode 100644
index 000000000..236c316cd
--- /dev/null
+++ b/cmd/ks-network/main.go
@@ -0,0 +1,65 @@
+package main
+
+import (
+	"flag"
+	"time"
+
+	"github.com/projectcalico/libcalico-go/lib/apiconfig"
+	"github.com/projectcalico/libcalico-go/lib/clientv3"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/klog"
+	"kubesphere.io/kubesphere/pkg/client/clientset/versioned"
+	ksinformer "kubesphere.io/kubesphere/pkg/client/informers/externalversions"
+	"kubesphere.io/kubesphere/pkg/controller/network/nsnetworkpolicy"
+	"kubesphere.io/kubesphere/pkg/controller/network/provider"
+)
+
+const (
+	certPath = "/calicocerts"
+)
+
+var npProviderFlag string
+
+func init() {
+	flag.StringVar(&npProviderFlag, "np-provider", "calico", "specify the network policy provider, k8s or calico")
+}
+func main() {
+	klog.InitFlags(nil)
+	flag.Set("logtostderr", "true")
+	flag.Parse()
+	klog.V(1).Info("Preparing kubernetes client")
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		panic(err.Error())
+	}
+	// creates the clientset
+	k8sClientset := kubernetes.NewForConfigOrDie(config)
+	ksClientset := versioned.NewForConfigOrDie(config)
+	informer := ksinformer.NewSharedInformerFactory(ksClientset, time.Minute*10)
+	klog.V(1).Info("Kubernetes client initialized successfully")
+	var npProvider provider.NsNetworkPolicyProvider
+	if npProviderFlag == "calico" {
+		klog.V(1).Info("Preparing calico client")
+		config := apiconfig.NewCalicoAPIConfig()
+		config.Spec.EtcdEndpoints = "https://127.0.0.1:2379"
+		config.Spec.EtcdKeyFile = certPath + "/etcd-key"
+		config.Spec.EtcdCertFile = certPath + "/etcd-cert"
+		config.Spec.EtcdCACertFile = certPath + "/etcd-ca"
+		config.Spec.DatastoreType = apiconfig.EtcdV3
+		client, err := clientv3.New(*config)
+		if err != nil {
+			klog.Fatal("Failed to initialize calico client", err)
+		}
+		npProvider = provider.NewCalicoNetworkProvider(client.NetworkPolicies())
+		klog.V(1).Info("Calico client initialized successfully")
+	}
+	//TODO: support no-calico cni
+	c := nsnetworkpolicy.NewController(k8sClientset, ksClientset, informer.Network().V1alpha1().NamespaceNetworkPolicies(), npProvider)
+	stop := make(chan struct{})
+	klog.V(1).Infof("Starting controller")
+	go informer.Network().V1alpha1().NamespaceNetworkPolicies().Informer().Run(stop)
+	if err := c.Run(1, stop); err != nil {
+		klog.Fatal(err)
+	}
+}
diff --git a/config/manager/network.yaml b/config/manager/network.yaml
new file mode 100644
index 000000000..0562f5e51
--- /dev/null
+++ b/config/manager/network.yaml
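Review bot: In cmd/ks-network/main.go, any `-np-provider` value other than `calico` skips the whole `if` block and leaves `npProvider` as a nil interface that is then handed to `nsnetworkpolicy.NewController`, so a misconfiguration surfaces later, presumably as a method call on the nil provider inside the controller, rather than at startup; the `//TODO: support no-calico cni` already says that path is unsupported, so reject it explicitly with `} else { klog.Fatalf("unsupported np-provider %q", npProviderFlag) }`. The etcd endpoint `https://127.0.0.1:2379` is hard-coded, which is what forces the Deployment onto master nodes with hostNetwork; exposing it as a flag next to `np-provider` would keep that coupling visible and configurable per cluster. The `stop` channel is never closed and no signal is handled, so SIGTERM ends the process without letting the informer or `c.Run` wind down, and the error returned by `flag.Set("logtostderr", "true")` is discarded.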
@@ -0,0 +1,75 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: network-manager + name: network-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: network-manager + namespace: network-system + labels: + control-plane: network-manager +spec: + selector: + matchLabels: + control-plane: network-manager + replicas: 1 + template: + metadata: + labels: + control-plane: network-manager + spec: + nodeSelector: + node-role.kubernetes.io/master: "" + hostNetwork: true + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - key: "node-role.kubernetes.io/master" + effect: NoSchedule + containers: + - command: + - /ks-network + args: + - -v=4 + - np-provider=calico + image: network:latest + imagePullPolicy: Always + name: manager + resources: + limits: + cpu: 100m + memory: 30Mi + requests: + cpu: 100m + memory: 20Mi + volumeMounts: + - mountPath: /calicocerts + name: etcd-certs + readOnly: true + terminationGracePeriodSeconds: 10 + volumes: + - name: etcd-certs + secret: + secretName: calico-etcd-secrets + defaultMode: 0400 + +--- +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: calico-etcd-secrets + namespace: network-system +data: + # Populate the following with etcd TLS configuration if desired, but leave blank if + # not using TLS for etcd. + # The keys below should be uncommented and the values populated with the base64 + # encoded contents of each file that would be associated with the TLS data. 
+ # Example command for encoding a file contents: cat | base64 -w 0 + etcd-ca: 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 + etcd-cert: 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 + etcd-key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdCtxV08yVTVybjBXUW9HUnpiWS96UmEwdWNtTEdtL0hha2hXNy9NakU1ZTBOM3Y4ClZGYVdLaHNtS1orZXkvdTl3Wk9MT2o3K0NENVoyYTNkK1NqRXhKNDNBck95aTJVTkpodnJZSVVUT1ppR3FUT3YKbER1TExTdlpKVnBZaXhBR3ZsS3F6dmcveUlzK2ZqUHBweGEwRkpyMTU2RDIxVUt1b1FTTGhLWTZlUGZkdk1jTgpSbE5mUUxyNWdzYW9rdGc2czduN2tqVGFCOVdIOVlJZUFYZGc1UU0xUkovc1N0NDlsQXdrVkFlaFB4bGg1djJXCmpuUGN1OUk4VlFobndFaWNDcENjdmtKMS81UlpaZnVPamxCTlAvZkliVVVJWGVFREtvSnRDSDdZN3J2RTNVNzMKZDVwNjR5a01peWxtZ29wNlNIVzVlcGZxWkhsWlRrY20rZ1haOHdJREFRQUJBb0lCQUhrRmg4Z2J5d0lUMDdMOQp1ZWpvdFVFS1lQQWtQRUd3TGtPMHlHaHEwTGtTeVliOU1rUjVHYVVwYWtwWGU5SDBuS0FscTZjdlRsQTBYMEdMClZKYWhDaUhyam4xYnEvQm9GV2Z2VlVxVkp0cHVrS1lFbWRQci9xQkJ5MGoyRTIrbW94bFlJb2ZBK1kvSWVOM28KNFNhUEhQNjJIWHhIQWtYQTlGS0dRQnlRbWNlQkM4c3hKUGxoOTI1U0gzRzdBV1FGQlNrbXlGNXYybU9vaTcxVwpxcHdZS0JVbkQwekFOZDd6MStNUlpPcDIzMTBTeXJVRk05RUZoYURhM1F6eGFReHQzWXAyOHRzR05ETWJQQXJLCjM2eDhZdi9ZYkJYRTc2bTZhSUZiRndpVlp4dUtIeHlaN3RQblZralMzRkFSUDhFNmx5MFpOdWFlRTBnVlowRGIKYytldEF2a0NnWUVBd1N0MlFUVmF6dDhhbmZMV3lXTnFkU3AwU0hVeUREeXVrU0hhK01HclVuUjZHMGNsQmFlbgpTR3hYVkE1MU4wTnhXZ3lKcHhsTFNERDd3OSszRU43WnZBQjEybmtuUTY4VWZQQUhFL2xoZWNsU01YUjQybUgzCnA2ajR4ajBYdzloQ0sxcEVBSFFaWE5pcERtMHhRbmtsdTQ4N0U3Y2sydSs2NW5xVDJqRzQ5bmNDZ1lFQTg3eWcKY1V4VmFHTWpDSWgxNnNwYko0OXBJVVBGOGxpSks3c3M2Q3c0aGEzSTVVRDQxWnNFdUdMc3F1djlVSTc0RHU0dwovbE9hM0ZoQ0ZzdnBxY05pYU1SSkhPMmhLNGNKK29XTXl6a3RISzM0VXNzSStGS09ia2loSTQ3cWNuUUVTN3l0CmJOWkU4TTVVVjd5ZUlYZ3E0ZFVQejhsOG16OVdhSHdIcVVBV2kyVUNnWUE0My9NUmdBUWNwTlBSYlk2UC9SVjcKS2VUUzhLNnJxN0k2U1IyUDRIWHc4UnFDclkvWSttUG1qdituWUJwakN4aDB5dnc4bHRYemkzaVZVMmt6TG1vdApVSFZpdmdreGhIc2p6Z2hIZVVXWjlneWRRdzNTUHNZTU4xUUlDalRWRlBkbWpFMDVWUFdpd0tnRjkyQnBrZ0hxCkYySHRqQjd0MTJmUU5JY1QxMC8rUVFLQmdRQ0RPRk1jakI4VEl3UlNiTDBuR2FoM3BPTFJrTjQ1K2Vabmo4NisKZEVnOTEvRG5V
OUpqbGFDMThEUkFWT3E4K3l1YlJpdEVVUmgzZG1DbVMwUFNMS21IZzkxazRKNDdnK2tnWWRRSgorUTlMZUhIUGlSV2NNejRSSzdMdEpOMGRuMDVNeEJpT0Z0Rm8zM3hTKys0YVVNcXRhSHFwd0cwQVc5b1dTR2dMCmU4Qm5iUUtCZ1FDNzd0ZndDNVl0QTRSR2pISjdmNURFMDZHa2F1QXpJTS83djZBTWxGZWVzcXl6OHpnNHc5SXgKZEk1RFJkcjBhRm5ISHNjeE82Ty9PU09OYkk2UHMrT0RNa3JLeWIyTkdMT0RlV1k0UWQ5RUNxZzVkcHdCcHhZWApMdldDWTFBc0lWVFM2eklQb284aWpCTFI1RjVUdEEyTTZaWEZwRDJUalN5VC9GbWJUWnh1ckE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= \ No newline at end of file diff --git a/config/mannual-crds/network.kubesphere.io_namespacenetworkpolicies.yaml b/config/mannual-crds/network.kubesphere.io_namespacenetworkpolicies.yaml new file mode 100644 index 000000000..0cfe4ebc3 --- /dev/null +++ b/config/mannual-crds/network.kubesphere.io_namespacenetworkpolicies.yaml 
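Review bot: The `calico-etcd-secrets` Secret at the end of config/manager/network.yaml ships populated `etcd-ca`, `etcd-cert` and `etcd-key` values — the `etcd-key` value decodes to a `-----BEGIN RSA PRIVATE KEY-----` block — while its own comment says the keys should stay commented out and be filled in per deployment. Key material committed to a repository has to be treated as exposed: the etcd client certificate this key belongs to should be rotated, and the manifest should carry only the commented placeholders the comment describes, with the real data supplied out of band at deploy time. Separately, in the container `args`, `- np-provider=calico` is missing the flag's leading dash, so Go's `flag` package stops parsing at it as a positional argument and the provider is `calico` only because that is the flag's default; it should read `- -np-provider=calico`, matching the `- -v=4` entry above it.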
@@ -0,0 +1,713 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: namespacenetworkpolicies.network.kubesphere.io +spec: + group: network.kubesphere.io + names: + categories: + - networking + kind: NamespaceNetworkPolicy + plural: namespacenetworkpolicies + shortNames: + - nsnp + scope: Namespaced + validation: + openAPIV3Schema: + description: NamespaceNetworkPolicy is the Schema for the namespacenetworkpolicies + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NamespaceNetworkPolicySpec defines the desired state of NamespaceNetworkPolicy + properties: + egress: + description: The ordered set of egress rules. Each rule contains a + set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an action. + \ Both selector-based security Policy and security Profiles reference + rules - separated out as a list of rules for both ingress and egress + packet matching. \n Each positive match criteria has a negated version, + prefixed with ”Not”. All the match criteria within a rule must be + satisfied for a packet to match. A single rule can contain the positive + and negative version of a match and both must be satisfied for the + rule to match." 
+ properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected namespaces + will be matched. When both NamespaceSelector and Selector + are defined on the same rule, then only workload endpoints + that are matched by both selectors will be selected by the + rule. \n For NetworkPolicy, an empty NamespaceSelector implies + that the Selector is limited to selecting only workload + endpoints in the same namespace as the NetworkPolicy. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or terminates + at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets field. + items: + type: string + type: array + notPorts: + items: + type: object + x-kubernetes-int-or-string: true + description: "Port represents either a range of numeric + ports or a named port. \n - For a named port, set + the PortName, leaving MinPort and MaxPort as 0. - + For a port range, set MinPort and MaxPort to the (inclusive) + port numbers. Set PortName to \"\". - For a + single port, set MinPort = MaxPort and PortName = \"\"." + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated selectors. 
+ type: string + ports: + description: "Ports is an optional field that restricts the + rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges of + ports. \n Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to \"TCP\" or \"UDP\"." + items: + description: "Port represents either a range of numeric + ports or a named port. \n - For a named port, set + the PortName, leaving MinPort and MaxPort as 0. - + For a port range, set MinPort and MaxPort to the (inclusive) + port numbers. Set PortName to \"\". - For a + single port, set MinPort = MaxPort and PortName = \"\"." + x-kubernetes-int-or-string: true + type: object + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). Only + traffic that originates from (terminates at) endpoints matching + the selector will be matched. \n Note that: in addition + to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports negation. + \ The two types of negation are subtly different. One negates + the set of matched endpoints, the other negates the whole + match: \n \tSelector = \"!has(my_label)\" matches packets + that are from other Calico-controlled \tendpoints that do + not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" + matches packets that are not from Calico-controlled \tendpoints + that do have the label “my_label”. \n The effect is that + the latter will accept packets from non-Calico sources whereas + the former is limited to packets from Calico-controlled + endpoints." 
+ type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account + whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account + that matches the given label selector. If both Names + and Selector are specified then they are AND'ed. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP requests. + properties: + methods: + description: Methods is an optional field that restricts the + rule to apply only to HTTP requests that use one of the + listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods + are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts the + rule to apply to HTTP requests that use one of the listed + HTTP Paths. Multiple paths are OR''d together. e.g: - exact: + /foo - prefix: /bar NOTE: Each entry may ONLY specify either + a `exact` or a `prefix` match. The validator will check + for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. 
This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, which + Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example a + value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, which + Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example a + value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + description: NotProtocol is the negated version of the Protocol + field. + type: string + protocol: + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" + or an integer in the range 1-255." + type: string + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected namespaces + will be matched. 
When both NamespaceSelector and Selector + are defined on the same rule, then only workload endpoints + that are matched by both selectors will be selected by the + rule. \n For NetworkPolicy, an empty NamespaceSelector implies + that the Selector is limited to selecting only workload + endpoints in the same namespace as the NetworkPolicy. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or terminates + at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + description: "Port represents either a range of numeric + ports or a named port. \n - For a named port, set + the PortName, leaving MinPort and MaxPort as 0. - + For a port range, set MinPort and MaxPort to the (inclusive) + port numbers. Set PortName to \"\". - For a + single port, set MinPort = MaxPort and PortName = \"\"." + x-kubernetes-int-or-string: true + type: object + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated selectors. + type: string + ports: + description: "Ports is an optional field that restricts the + rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges of + ports. 
\n Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to \"TCP\" or \"UDP\"." + items: + description: "Port represents either a range of numeric + ports or a named port. \n - For a named port, set + the PortName, leaving MinPort and MaxPort as 0. - + For a port range, set MinPort and MaxPort to the (inclusive) + port numbers. Set PortName to \"\". - For a + single port, set MinPort = MaxPort and PortName = \"\"." + x-kubernetes-int-or-string: true + type: object + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). Only + traffic that originates from (terminates at) endpoints matching + the selector will be matched. \n Note that: in addition + to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports negation. + \ The two types of negation are subtly different. One negates + the set of matched endpoints, the other negates the whole + match: \n \tSelector = \"!has(my_label)\" matches packets + that are from other Calico-controlled \tendpoints that do + not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" + matches packets that are not from Calico-controlled \tendpoints + that do have the label “my_label”. \n The effect is that + the latter will accept packets from non-Calico sources whereas + the former is limited to packets from Calico-controlled + endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account + whose name is in the list. 
+ items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account + that matches the given label selector. If both Names + and Selector are specified then they are AND'ed. + type: string + type: object + type: object + required: + - action + type: object + type: array + ingress: + description: The ordered set of ingress rules. Each rule contains a + set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an action. + \ Both selector-based security Policy and security Profiles reference + rules - separated out as a list of rules for both ingress and egress + packet matching. \n Each positive match criteria has a negated version, + prefixed with ”Not”. All the match criteria within a rule must be + satisfied for a packet to match. A single rule can contain the positive + and negative version of a match and both must be satisfied for the + rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected namespaces + will be matched. When both NamespaceSelector and Selector + are defined on the same rule, then only workload endpoints + that are matched by both selectors will be selected by the + rule. \n For NetworkPolicy, an empty NamespaceSelector implies + that the Selector is limited to selecting only workload + endpoints in the same namespace as the NetworkPolicy. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all namespaces." 
+ type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or terminates + at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + description: "Port represents either a range of numeric + ports or a named port. \n - For a named port, set + the PortName, leaving MinPort and MaxPort as 0. - + For a port range, set MinPort and MaxPort to the (inclusive) + port numbers. Set PortName to \"\". - For a + single port, set MinPort = MaxPort and PortName = \"\"." + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated selectors. + type: string + ports: + description: "Ports is an optional field that restricts the + rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges of + ports. \n Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to \"TCP\" or \"UDP\"." + items: + description: "Port represents either a range of numeric + ports or a named port. \n - For a named port, set + the PortName, leaving MinPort and MaxPort as 0. - + For a port range, set MinPort and MaxPort to the (inclusive) + port numbers. Set PortName to \"\". - For a + single port, set MinPort = MaxPort and PortName = \"\"." 
+ x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). Only + traffic that originates from (terminates at) endpoints matching + the selector will be matched. \n Note that: in addition + to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports negation. + \ The two types of negation are subtly different. One negates + the set of matched endpoints, the other negates the whole + match: \n \tSelector = \"!has(my_label)\" matches packets + that are from other Calico-controlled \tendpoints that do + not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" + matches packets that are not from Calico-controlled \tendpoints + that do have the label “my_label”. \n The effect is that + the latter will accept packets from non-Calico sources whereas + the former is limited to packets from Calico-controlled + endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account + whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account + that matches the given label selector. If both Names + and Selector are specified then they are AND'ed. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP requests. 
+ properties: + methods: + description: Methods is an optional field that restricts the + rule to apply only to HTTP requests that use one of the + listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods + are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts the + rule to apply to HTTP requests that use one of the listed + HTTP Paths. Multiple paths are OR''d together. e.g: - exact: + /foo - prefix: /bar NOTE: Each entry may ONLY specify either + a `exact` or a `prefix` match. The validator will check + for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, which + Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example a + value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, which + Calico uses to enforce the rule. 
+ type: integer + type: + description: Match on a specific ICMP type. For example a + value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + description: NotProtocol is the negated version of the Protocol + field. + type: string + protocol: + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" + or an integer in the range 1-255." + type: string + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected namespaces + will be matched. When both NamespaceSelector and Selector + are defined on the same rule, then only workload endpoints + that are matched by both selectors will be selected by the + rule. \n For NetworkPolicy, an empty NamespaceSelector implies + that the Selector is limited to selecting only workload + endpoints in the same namespace as the NetworkPolicy. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or terminates + at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. 
Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + description: "Port represents either a range of numeric + ports or a named port. \n - For a named port, set + the PortName, leaving MinPort and MaxPort as 0. - + For a port range, set MinPort and MaxPort to the (inclusive) + port numbers. Set PortName to \"\". - For a + single port, set MinPort = MaxPort and PortName = \"\"." + x-kubernetes-int-or-string: true + type: object + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated selectors. + type: string + ports: + description: "Ports is an optional field that restricts the + rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges of + ports. \n Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to \"TCP\" or \"UDP\"." + items: + description: "Port represents either a range of numeric + ports or a named port. \n - For a named port, set + the PortName, leaving MinPort and MaxPort as 0. - + For a port range, set MinPort and MaxPort to the (inclusive) + port numbers. Set PortName to \"\". - For a + single port, set MinPort = MaxPort and PortName = \"\"." + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + type: object + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). Only + traffic that originates from (terminates at) endpoints matching + the selector will be matched. \n Note that: in addition + to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports negation. + \ The two types of negation are subtly different. 
One negates + the set of matched endpoints, the other negates the whole + match: \n \tSelector = \"!has(my_label)\" matches packets + that are from other Calico-controlled \tendpoints that do + not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" + matches packets that are not from Calico-controlled \tendpoints + that do have the label “my_label”. \n The effect is that + the latter will accept packets from non-Calico sources whereas + the former is limited to packets from Calico-controlled + endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account + whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account + that matches the given label selector. If both Names + and Selector are specified then they are AND'ed. + type: string + type: object + type: object + required: + - action + type: object + type: array + order: + description: Order is an optional field that specifies the order in + which the policy is applied. Policies with higher "order" are applied + after those with lower order. If the order is omitted, it may be + considered to be "infinite" - i.e. the policy will be applied last. Policies + with identical order will be applied in alphanumerical order based + on the Policy "Name". + type: integer + selector: + description: "The selector is an expression used to pick pick out the + endpoints that the policy should be applied to. 
\n Selector expressions + follow this syntax: \n \tlabel == \"string_literal\" -> comparison, + e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" -> not + equal; also matches if label is not present \tlabel in { \"a\", \"b\", + \"c\", ... } -> true if the value of label X is one of \"a\", \"b\", + \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -> true if the + value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name) + \ -> True if that label is present \t! expr -> negation of expr \texpr + && expr -> Short-circuit and \texpr || expr -> Short-circuit or + \t( expr ) -> parens for grouping \tall() or the empty selector -> + matches all endpoints. \n Label names are allowed to contain alphanumerics, + -, _ and /. String literals are more permissive but they do not support + escape characters. \n Examples (with made-up labels): \n \ttype == + \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\", \"backend\"} + \tdeployment != \"dev\" \t! has(label_name)" + type: string + types: + description: "Types indicates whether this policy applies to ingress, + or to egress, or to both. When not explicitly specified (and so the + value on creation is empty or nil), Calico defaults Types according + to what Ingress and Egress are present in the policy. The default + is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including + the case where there are also no Ingress rules) \n - [ PolicyTypeEgress + ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, + PolicyTypeEgress ], if there are both Ingress and Egress rules. \n + When the policy is read back again, Types will always be one of these + values, never empty or nil." + items: + type: string + type: array + required: + - selector + type: object + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/config/crds/network.kubesphere.io_workspacenetworkpolicies.yaml b/config/mannual-crds/network.kubesphere.io_workspacenetworkpolicies.yaml
similarity index 99%
rename from config/crds/network.kubesphere.io_workspacenetworkpolicies.yaml
rename to config/mannual-crds/network.kubesphere.io_workspacenetworkpolicies.yaml
index 584b56e83..1049339d9 100644
--- a/config/crds/network.kubesphere.io_workspacenetworkpolicies.yaml
+++ b/config/mannual-crds/network.kubesphere.io_workspacenetworkpolicies.yaml
@@ -1,3 +1,5 @@
+
+---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
@@ -6,9 +8,13 @@ metadata:
 spec:
 group: network.kubesphere.io
 names:
+ categories:
+ - networking
 kind: WorkspaceNetworkPolicy
 plural: workspacenetworkpolicies
- scope: "Cluster"
+ shortNames:
+ - wsnp
+ scope: Cluster
 validation:
 openAPIV3Schema:
 description: WorkspaceNetworkPolicy is a set of network policies applied to
diff --git a/config/rbac/rbac_role_binding_network.yaml b/config/rbac/rbac_role_binding_network.yaml
new file mode 100644
index 000000000..46e0e9615
--- /dev/null
+++ b/config/rbac/rbac_role_binding_network.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ creationTimestamp: null
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: net-manager-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: network-system
\ No newline at end of file
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
new file mode 100644
index 000000000..df1de8f4d
--- /dev/null
+++ b/config/rbac/role.yaml
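Review bot: The ClusterRoleBinding in config/rbac/rbac_role_binding_network.yaml attaches `net-manager-role` to the `default` ServiceAccount of `network-system`, so every pod placed in that namespace without an explicit `serviceAccountName` silently inherits cluster-wide write access to network policies and workspaces. A dedicated ServiceAccount for the controller keeps the grant on the one workload that needs it: `- kind: ServiceAccount`, `name: <controller-serviceaccount>`, `namespace: network-system`, with the same name set on the controller's Deployment. `manager-rolebinding` is also the generic kubebuilder scaffold name on a cluster-scoped object, so a second scaffolded controller installed in the same cluster would overwrite this binding; a project-specific name avoids that. The file ends without a trailing newline, as the hunk itself flags.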
@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: net-manager-role
+rules:
+- apiGroups:
+ - network.kubesphere.io
+ resources:
+ - namespacenetworkpolicies
+ - workspacenetworkpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tenant.kubesphere.io
+ resources:
+ - workspaces
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/config/samples/network_v1alpha1_namespacenetworkpolicy.yaml b/config/samples/network_v1alpha1_namespacenetworkpolicy.yaml
new file mode 100644
index 000000000..a09872eab
--- /dev/null
+++ b/config/samples/network_v1alpha1_namespacenetworkpolicy.yaml
@@ -0,0 +1,9 @@
+apiVersion: network.kubesphere.io/v1alpha1
+kind: NamespaceNetworkPolicy
+metadata:
+ labels:
+ controller-tools.k8s.io: "1.0"
+ name: namespacenetworkpolicy-sample
+spec:
+ # Add fields here
+ foo: bar
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
new file mode 100644
index 000000000..e69de29bb
diff --git a/go.mod b/go.mod
index 4708ccaed..0e8c9d56d 100644
--- a/go.mod
+++ b/go.mod
@@ -5,6 +5,7 @@ go 1.12
 require (
 bitbucket.org/ww/goautoneg v0.0.0-20120707110453-75cd24fc2f2c // indirect
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
+ github.com/Azure/go-autorest/autorest v0.5.0 // indirect
 github.com/Microsoft/go-winio v0.4.12 // indirect
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46 // indirect
 github.com/PuerkitoBio/goquery v1.5.0
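Review bot: The second rule of `net-manager-role` grants `create`, `delete`, `patch` and `update` on `workspaces` in `tenant.kubesphere.io`, although a controller that derives network policies from workspaces presumably only consumes them; unless it writes workspace objects or their finalizers, that rule should shrink to `verbs: [get, list, watch]` so a compromise of the controller pod cannot alter tenancy boundaries. Conversely, nothing here covers whatever the controller has to write to enforce the policies: if it translates them into Calico or Kubernetes NetworkPolicy objects, as the new libcalico-go dependency suggests, those API groups are absent and the role will either be widened later or fail at runtime. A `rbac` marker comment next to the reconciler stating exactly which resources it reads and which it writes would let controller-gen keep this file honest.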
@@ -37,12 +38,14 @@ require (
 github.com/evanphx/json-patch v4.2.0+incompatible // indirect
 github.com/fatih/structs v1.1.0
 github.com/go-ldap/ldap v3.0.3+incompatible
- github.com/go-logr/logr v0.1.0 // indirect
+ github.com/go-logr/logr v0.1.0
 github.com/go-logr/zapr v0.1.1 // indirect
 github.com/go-openapi/jsonpointer v0.19.0 // indirect
 github.com/go-openapi/jsonreference v0.19.0 // indirect
 github.com/go-openapi/spec v0.19.0
 github.com/go-openapi/swag v0.19.0 // indirect
+ github.com/go-playground/locales v0.12.1 // indirect
+ github.com/go-playground/universal-translator v0.16.0 // indirect
 github.com/go-redis/redis v6.15.2+incompatible
 github.com/go-sql-driver/mysql v1.4.1
 github.com/gocraft/dbr v0.0.0-20180507214907-a0fd650918f6
@@ -50,12 +53,12 @@ require (
 github.com/golang/example v0.0.0-20170904185048-46695d81d1fa
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef // indirect
- github.com/golang/protobuf v1.3.1 // indirect
 github.com/google/btree v1.0.0 // indirect
 github.com/google/go-querystring v1.0.0 // indirect
 github.com/google/gofuzz v1.0.0 // indirect
 github.com/google/uuid v1.1.1
 github.com/googleapis/gnostic v0.2.0 // indirect
+ github.com/gophercloud/gophercloud v0.3.0 // indirect
 github.com/gorilla/mux v1.7.1 // indirect
 github.com/gregjones/httpcache v0.0.0-20190212212710-3befbb6ad0cc // indirect
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0 // indirect
@@ -68,6 +71,7 @@ require (
 github.com/inconshreveable/mousetrap v1.0.0 // indirect
 github.com/jonboulle/clockwork v0.1.0 // indirect
 github.com/json-iterator/go v1.1.6
+ github.com/kelseyhightower/envconfig v1.4.0 // indirect
 github.com/kiali/kiali v1.1.0
 github.com/klauspost/cpuid v1.2.1 // indirect
 github.com/knative/pkg v0.0.0-20190314204845-cd278f2d3394
@@ -75,9 +79,10 @@ require (
 github.com/kubernetes-sigs/application v0.0.0-20190404151855-67ae7f915d4e
 github.com/kubesphere/s2ioperator v0.0.11
 github.com/kubesphere/sonargo v0.0.2
+ github.com/leodido/go-urn v1.1.0 // indirect
 github.com/lib/pq v1.2.0 // indirect
 github.com/lucas-clemente/quic-go v0.11.1 // indirect
- github.com/mailru/easyjson v0.0.0-20190403194419-1ea4449da983 // indirect
+ github.com/mailru/easyjson v0.0.0-20190403194419-1ea4449da983
 github.com/mattn/go-sqlite3 v1.11.0 // indirect
 github.com/mholt/caddy v1.0.0
 github.com/mholt/certmagic v0.5.1 // indirect
@@ -93,11 +98,15 @@ require (
 github.com/pborman/uuid v0.0.0-20180906182336-adf5a7427709 // indirect
 github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 github.com/pkg/errors v0.8.1 // indirect
- github.com/prometheus/client_golang v0.9.2 // indirect
+ github.com/projectcalico/go-json v0.0.0-20161128004156-6219dc7339ba // indirect
+ github.com/projectcalico/go-yaml v0.0.0-20161201183616-955bc3e451ef // indirect
+ github.com/projectcalico/go-yaml-wrapper v0.0.0-20161127220527-598e54215bee // indirect
+ github.com/projectcalico/libcalico-go v0.0.0-20190708183129-ac36d966132f
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90 // indirect
 github.com/prometheus/common v0.4.0 // indirect
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084 // indirect
 github.com/russross/blackfriday v1.5.2 // indirect
+ github.com/satori/go.uuid v1.2.0 // indirect
 github.com/soheilhy/cmux v0.1.4 // indirect
 github.com/sony/sonyflake v0.0.0-20181109022403-6d5bd6181009
 github.com/speps/go-hashids v2.0.0+incompatible
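Review bot: In the `@@ -93,11 +98,15 @@` hunk the new direct dependency `github.com/projectcalico/libcalico-go` is pinned to the pseudo-version `v0.0.0-20190708183129-ac36d966132f`, an untagged commit rather than a release, and the three `projectcalico/go-json`, `go-yaml` and `go-yaml-wrapper` modules pulled in with it are likewise commit pins from 2016. go.sum fixes the content hashes, so integrity on fetch is covered, but a policy-enforcement library tracked by commit is hard to audit, to compare against advisories and to bump deliberately; pinning a tagged libcalico-go release, or leaving a `// pinned to <commit> because <reason>` comment on the line, would record why this exact revision was chosen. The other hunks in this file only add transitive `// indirect` entries and need no change.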
@@ -121,11 +130,14 @@ require (
 google.golang.org/appengine v1.5.0 // indirect
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7 // indirect
 gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
+ gopkg.in/go-playground/validator.v8 v8.18.2 // indirect
+ gopkg.in/go-playground/validator.v9 v9.29.1 // indirect
 gopkg.in/igm/sockjs-go.v2 v2.0.0
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/square/go-jose.v2 v2.3.1 // indirect
 gopkg.in/src-d/go-billy.v4 v4.3.0 // indirect
 gopkg.in/src-d/go-git.v4 v4.11.0
+ gopkg.in/tchap/go-patricia.v2 v2.3.0 // indirect
 gopkg.in/yaml.v2 v2.2.2
 k8s.io/api v0.0.0-20181213150558-05914d821849
 k8s.io/apiextensions-apiserver v0.0.0-20181213153335-0fe22c71c476
diff --git a/go.sum b/go.sum
index a851add92..c7fce8d32 100644
--- a/go.sum
+++ b/go.sum
@@ -1,9 +1,23 @@ bitbucket.org/ww/goautoneg v0.0.0-20120707110453-75cd24fc2f2c h1:t+Ra932MCC0eeyD/vigXqMbZTzgZjd4JOfBJWC6VSMI= bitbucket.org/ww/goautoneg v0.0.0-20120707110453-75cd24fc2f2c/go.mod h1:1vhO7Mn/FZMgOgDVGLy5X1mE6rq1HbkBdkF/yj8zkcg= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0 h1:eOI3/cP2VTU6uZLDYAoic+eyzzB9YyGmJ7eIjl8rOPg= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +contrib.go.opencensus.io/exporter/ocagent v0.4.12 h1:jGFvw3l57ViIVEPKKEUXPcLYIXJmQxLUh6ey1eJhwyc= +contrib.go.opencensus.io/exporter/ocagent v0.4.12/go.mod h1:450APlNTSR6FrvC3CTRqYosuDstRB9un7SOx2k/9ckA= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/Azure/go-autorest/autorest v0.5.0 h1:Mlm9qy2fpQ9MvfyI41G2Zf5B4CsgjjNbLOWszfK6KrY= +github.com/Azure/go-autorest/autorest v0.5.0/go.mod h1:9HLKlQjVBH6U3oDfsXOeVc56THsLPw1L03yban4xThw= +github.com/Azure/go-autorest/autorest/adal v0.2.0 h1:7IBDu1jgh+ADHXnEYExkV9RE/ztOOlxdACkkPRthGKw= +github.com/Azure/go-autorest/autorest/adal v0.2.0/go.mod h1:MeS4XhScH55IST095THyTxElntu7WqB7pNbZo8Q5G3E= +github.com/Azure/go-autorest/autorest/date v0.1.0 h1:YGrhWfrgtFs84+h0o46rJrlmsZtyZRg470CqAXTZaGM= +github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= +github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/logger v0.1.0 h1:ruG4BSDXONFRrZZJ2GUXDiUyVpayPmb1GnWeHDdaNKY= +github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= +github.com/Azure/go-autorest/tracing v0.1.0 h1:TRBxC5Pj/fIuh4Qob0ZpkggbfT8RC0SubHbpV3p4/Vc= +github.com/Azure/go-autorest/tracing v0.1.0/go.mod 
h1:ROEEAFwXycQw7Sn3DXNtEedEvdeRAgDr0izn4z5Ij88= github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/Microsoft/go-winio v0.4.12 h1:xAfWHN1IrQ0NJ9TBC0KBZoqLjzDTr1ML+4MywiUOryc= @@ -19,6 +33,8 @@ github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbt github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo= +github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBbw+8quDsfcvFjOpI5iCf4p/cqCs= github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= 
@@ -27,6 +43,7 @@ github.com/andybalholm/cascadia v1.0.0 h1:hOCXnnZ5A+3eVDX8pvgl4kofXv2ELss0bKcqRy github.com/andybalholm/cascadia v1.0.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= +github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/appscode/jsonpatch v0.0.0-20190108182946-7c0e3b262f30 h1:Kn3rqvbUFqSepE2OqVu0Pn1CbDw9IuMlONapol0zuwk= github.com/appscode/jsonpatch v0.0.0-20190108182946-7c0e3b262f30/go.mod h1:4AJxUpXUhv4N+ziTvIcWWXgeorXpxPZOfk9HdEVr96M= github.com/asaskevich/govalidator v0.0.0-20180315120708-ccb8e960c48f h1:y2hSFdXeA1y5z5f0vfNO0Dg5qVY036qzlz3Pds0B92o= @@ -40,6 +57,8 @@ github.com/bifurcation/mint v0.0.0-20180715133206-93c51c6ce115/go.mod h1:zVt7zX3 github.com/cenkalti/backoff v2.1.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4= github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= +github.com/census-instrumentation/opencensus-proto v0.2.0 h1:LzQXZOgg4CQfE6bFvXGM30YZL1WW/M337pXml+GrcZ4= +github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cheekybits/genny v0.0.0-20170328200008-9127e812e1e9/go.mod h1:+tQajlRqAUrPI7DOSpB0XAqZYtQakVtB7wXkRAgjxjQ= github.com/cheekybits/genny v1.0.0 h1:uGGa4nei+j20rOSeDeP5Of12XVm7TGUd4dJA9RDitfE= github.com/cheekybits/genny v1.0.0/go.mod h1:+tQajlRqAUrPI7DOSpB0XAqZYtQakVtB7wXkRAgjxjQ= 
@@ -74,6 +93,9 @@ github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c h1:ZfSZ3P3BedhKG github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= +github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= +github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= github.com/elazarl/go-bindata-assetfs v1.0.0 h1:G/bYguwHIzWq9ZoyUQqrjTmJbbYn3j3CKKpKinvZLFk= github.com/elazarl/go-bindata-assetfs v1.0.0/go.mod h1:v+YaWX3bdea5J/mo8dSETolEo7R71Vk1u8bnjau5yw4= github.com/elazarl/goproxy v0.0.0-20190711103511-473e67f1d7d2 h1:aZtFdDNWY/yH86JPR2WX/PN63635VsE/f/nXNPAbYxY= 
@@ -129,6 +151,10 @@ github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dp github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= github.com/go-openapi/swag v0.19.0 h1:Kg7Wl7LkTPlmc393QZQ/5rQadPhi7pBVEMZxyTi0Ii8= github.com/go-openapi/swag v0.19.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= +github.com/go-playground/locales v0.12.1 h1:2FITxuFt/xuCNP1Acdhv62OzaCiviiE4kotfhkmOqEc= +github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM= +github.com/go-playground/universal-translator v0.16.0 h1:X++omBR/4cE2MNg91AoC3rmGrCjJ8eAeUP/K/EKx4DM= +github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY= github.com/go-redis/redis v6.15.2+incompatible h1:9SpNVG76gr6InJGxoZ6IuuxaCOQwDAhzyXg+Bs+0Sb4= github.com/go-redis/redis v6.15.2+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= @@ -137,6 +163,7 @@ github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/me github.com/gocraft/dbr v0.0.0-20180507214907-a0fd650918f6 h1:kumyNm8Vr8cbVm/aLQYTbDE3SKCbbn5HEVoDp/Dyyfc= github.com/gocraft/dbr v0.0.0-20180507214907-a0fd650918f6/go.mod h1:K/9g3pPouf13kP5K7pdriQEJAy272R9yXuWuDIEWJTM= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/golang/example v0.0.0-20170904185048-46695d81d1fa h1:iqCQC2Z53KkwGgTN9szyL4q0OQHmuNjeoNnMT6lk66k= 
@@ -152,6 +179,7 @@ github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ= @@ -166,6 +194,10 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+ github.com/googleapis/gnostic v0.0.0-20170426233943-68f4ded48ba9/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= github.com/googleapis/gnostic v0.2.0 h1:l6N3VoaVzTncYYW+9yOz2LJJammFZGBO13sqgEhpy9g= github.com/googleapis/gnostic v0.2.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/gophercloud/gophercloud v0.3.0 h1:6sjpKIpVwRIIwmcEGp+WwNovNsem+c+2vm6oxshRpL8= +github.com/gophercloud/gophercloud v0.3.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= +github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= +github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.7.1 h1:Dw4jY2nghMMRsh1ol8dv1axHkDwMQK2DHerMNJsIpJU= github.com/gorilla/mux v1.7.1/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/websocket v1.4.0 h1:WDFjx/TMzVgy9VdMMQi2K2Emtwi2QcUQsztZ/zLaH/Q= 
@@ -176,6 +208,7 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.0.0 h1:Iju5GlWwrvL6UBg4zJJt3btmo github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.5 h1:UImYN5qQ8tuGpGE16ZmjvcTtTw24zw1QAp/SlnNrZhI= github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/hashicorp/go-syslog v1.0.0 h1:KaodqZuhUoZereWVIYmpUgZysurB1kBLX2j0MwMrUAE= @@ -183,6 +216,7 @@ github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdv github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E= github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/golang-lru v0.0.0-20180201235237-0fb14efe8c47/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= 
@@ -204,6 +238,8 @@ github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBv github.com/json-iterator/go v1.1.6 h1:MrUvLMLTMxbqFJ9kzlvat/rYZqZnW3u4wkLzWTaFwKs= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8= +github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg= github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e h1:RgQk53JHp/Cjunrr1WlsXSZpqXn+uREuHvUVcK82CV8= github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= @@ -234,6 +270,8 @@ github.com/kubesphere/sonargo v0.0.2 h1:hsSRE3sv3mkPcUAeSABdp7rtfcNW2zzeHXzFa01C github.com/kubesphere/sonargo v0.0.2/go.mod h1:ww8n9ANlDXhX5PBZ18iaRnCgEkXN0GMml3/KZXOZ11w= github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 h1:MtvEpTB6LX3vkb4ax0b5D2DHbNAUsen0Gx5wZoq3lV4= github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/leodido/go-urn v1.1.0 h1:Sm1gr51B1kKyfD2BlRcLSiEkffoG96g6TPv6eRoEiB8= +github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdAPozLkw= github.com/lib/pq v1.2.0 h1:LXpIM/LZ5xGFhOpXAQUIMM1HdyqzVYM13zNdjCEEcA0= github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lucas-clemente/aes12 v0.0.0-20171027163421-cd47fb39b79f/go.mod h1:JpH9J1c9oX6otFSgdUHwUBUizmKlrMjxWnIAjff4m04= 
@@ -288,38 +326,59 @@ github.com/opencontainers/go-digest v1.0.0-rc1 h1:WzifXhOVOEOuFYOJAW6aQqW0TooG2i github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/openshift/api v3.9.0+incompatible h1:fJ/KsefYuZAjmrr3+5U9yZIZbTOpVkDDLDLFresAeYs= github.com/openshift/api v3.9.0+incompatible/go.mod h1:dh9o4Fs58gpFXGSYfnVxGR9PnV53I8TW84pQaJDdGiY= +github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= github.com/pborman/uuid v0.0.0-20180906182336-adf5a7427709 h1:zNBQb37RGLmJybyMcs983HfUfpkw9OTFD9tbBfAViHE= github.com/pborman/uuid v0.0.0-20180906182336-adf5a7427709/go.mod h1:VyrYX9gd7irzKovcSS6BIIEwPRkP2Wm2m9ufcdFSJ34= github.com/pelletier/go-buffruneio v0.2.0 h1:U4t4R6YkofJ5xHm3dJzuRpPZ0mr5MMCoAWooScCR7aA= github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/projectcalico/go-json v0.0.0-20161128004156-6219dc7339ba h1:aaF2byUCZhzszHsfPEr2M3qcU4ibtD/yk/il2R7T1PU= +github.com/projectcalico/go-json v0.0.0-20161128004156-6219dc7339ba/go.mod h1:q8EdCgBdMQzgiX/uk4GXLWLk+gIHd1a7mWUAamJKDb4= 
+github.com/projectcalico/go-yaml v0.0.0-20161201183616-955bc3e451ef h1:Di9BaA9apb6DEstin8RdhKmlzQG76UMbmjPzjCVkMpc= +github.com/projectcalico/go-yaml v0.0.0-20161201183616-955bc3e451ef/go.mod h1:1Ra2BftSa7Go38Gbq1q0bfmBFSSgUv+Cdc3SY8IL/C0= +github.com/projectcalico/go-yaml-wrapper v0.0.0-20161127220527-598e54215bee h1:yVWsNSlAuYoJ0CznHsYRPiFgsotoj07k00k5rQvGlHM= +github.com/projectcalico/go-yaml-wrapper v0.0.0-20161127220527-598e54215bee/go.mod h1:UgC0aTQ2KMDxlX3lU/stndk7DMUBJqzN40yFiILHgxc= +github.com/projectcalico/libcalico-go v0.0.0-20190708183129-ac36d966132f h1:ccdS7T4NhdlHx8nXe6GiS7TAJUg6Gu/qEDJf1IJvcy8= +github.com/projectcalico/libcalico-go v0.0.0-20190708183129-ac36d966132f/go.mod h1:0b/n/rPzNXjhn4ywFcEJuQdA/5olt9UxFIATz57xkbc= +github.com/projectcalico/libcalico-go v1.7.3 h1:qcbxAhsq/5zqZqpHE24VqMHfmoBVdXZV0Kf82+5rbqU= +github.com/projectcalico/libcalico-go v1.7.3/go.mod h1:0b/n/rPzNXjhn4ywFcEJuQdA/5olt9UxFIATz57xkbc= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.2 h1:awm861/B8OKDd2I/6o1dy3ra4BamzKhYOiGItCeZ740= github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM= +github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829 h1:D+CiwcpGTW6pL6bv6KI3KbyEyCKyS+1JWS2h8PNDnGA= +github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90 h1:S/YWwWx/RA8rT8tKFRuGUZhuA90OyIBpPCXkcbwU8DE= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 
github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.0 h1:7etb9YClo3a6HjLzfl6rIQaU+FDfi0VSX39io3aQ+DM= github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084 h1:sofwID9zm4tzrgykg80hfFph1mryUeLRsUfoocVVmRY= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= github.com/russross/blackfriday v0.0.0-20170610170232-067529f716f4/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww= +github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= 
+github.com/sirupsen/logrus v1.2.0 h1:juTguoYk5qI21pwyTXY3B3Y5cOTH3ZUyZCg1v/mihuo= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= @@ -353,6 +412,9 @@ github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= go.etcd.io/bbolt v1.3.3 h1:MUGmc65QhB3pIlaQ5bB4LwqSj6GIonVJXpZiaKNyaKk= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= +go.opencensus.io v0.20.2 h1:NAfh7zF0/3/HqtMvJNZ/RFrSlCE6ZTlHmKfhL/Dm1Jk= +go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.uber.org/atomic v1.4.0 h1:cxzIVoETapQEqDhQu3QfnvXAV4AlzcvUCxkVUFw3+EU= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI= 
@@ -361,6 +423,7 @@ go.uber.org/zap v1.10.0 h1:ORx85nbTijNz8ljznvCMR1ZBIPKFn3jQrag10X2AsuM= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190123085648-057139ce5d2b/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= @@ -369,6 +432,7 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -381,11 +445,13 @@ golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73r golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190328230028-74de082e2cca/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190509222800-a4d6f7feada5 h1:6M3SDHlHHDCx2PcQw3S4KsR170vGqDhJDOmpVd4Hjak= golang.org/x/net v0.0.0-20190509222800-a4d6f7feada5/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a h1:tImsplftrFpALCYumobsd0K86vlAs/eXGFms2txfJfA= golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -401,7 +467,9 @@ golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190124100055-b90733256f2e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190228124157-a34e9553db1e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -415,6 +483,7 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -423,16 +492,22 @@ golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190511041617-99f201b6807e h1:wTxRxdzKt8fn3IQa3+kVlPJMxK2hJj2Orm+M2Mzw9eg= golang.org/x/tools v0.0.0-20190511041617-99f201b6807e/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +google.golang.org/api v0.3.1 h1:oJra/lMfmtm13/rgY/8i3MzjFWYXvQIAKjQ3HqofMk8= +google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7 h1:ZUjXAXmrAyrmmCPHgCA/vChHcpsX27MZ3yBonD/z1KE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0 h1:cfg4PD8YEdSFnm7qLV4++93WcmhH2nIUhMjhdCvl3j8= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.19.1 h1:TrBcJ1yqAl1G++wO39nD/qtgpsW9/1+QGrluyMGEYgM= +google.golang.org/grpc v1.19.1/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= 
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d h1:TxyelI5cVkbREznMhfzycHdkp5cLA7DpE+GKjSslYhM= gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw= @@ -441,6 +516,10 @@ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/go-playground/validator.v8 v8.18.2 h1:lFB4DoMU6B626w8ny76MV7VX6W2VHct2GVOI3xgiMrQ= +gopkg.in/go-playground/validator.v8 v8.18.2/go.mod h1:RX2a/7Ha8BgOhfk7j780h4/u/RRjR0eouCJSH80/M2Y= +gopkg.in/go-playground/validator.v9 v9.29.1 h1:SvGtYmN60a5CVKTOzMSyfzWDeZRxRuGvRQyEAKbw1xc= +gopkg.in/go-playground/validator.v9 v9.29.1/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ= gopkg.in/igm/sockjs-go.v2 v2.0.0 h1:NfDyi1jrF9v2VOPESefhKH1NRqpoE9tp4v6kxVR3ubs= gopkg.in/igm/sockjs-go.v2 v2.0.0/go.mod h1:xvdpHZ3OpjP0TzQzl+174DglrrnYZKVd6qHPIX20Z1Q= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= 
@@ -460,6 +539,8 @@ gopkg.in/src-d/go-git-fixtures.v3 v3.1.1 h1:XWW/s5W18RaJpmo1l0IYGqXKuJITWRFuA45i gopkg.in/src-d/go-git-fixtures.v3 v3.1.1/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g= gopkg.in/src-d/go-git.v4 v4.11.0 h1:cJwWgJ0DXifrNrXM6RGN1Y2yR60Rr1zQ9Q5DX5S9qgU= gopkg.in/src-d/go-git.v4 v4.11.0/go.mod h1:Vtut8izDyrM8BUVQnzJ+YvmNcem2J89EmfZYCkLokZk= +gopkg.in/tchap/go-patricia.v2 v2.3.0 h1:91+P1/cDHK4WDP7gGDSbFM7a0p/Vr9K91a+m3rwFbNk= +gopkg.in/tchap/go-patricia.v2 v2.3.0/go.mod h1:GjlIhdM7u6RWBtv58iEuqTR4NOShCtHo2EeySnNeNfs= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= @@ -468,6 +549,7 @@ gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bl gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= k8s.io/api v0.0.0-20181213150558-05914d821849 h1:WZFcFPXmLR7g5CxQNmjWv0mg8qulJLxDghbzS4pQtzY= k8s.io/api v0.0.0-20181213150558-05914d821849/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA= 
@@ -485,6 +567,7 @@ k8s.io/client-go v0.0.0-20181204000744-e64494209f55 h1:tPn3ZVhHaUmQhSMtAIYY9roG+ k8s.io/client-go v0.0.0-20181204000744-e64494209f55/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s= k8s.io/client-go v0.0.0-20181213151034-8d9ed539ba31 h1:OH3z6khCtxnJBAc0C5CMYWLl1CoK5R5fngX7wrwdN5c= k8s.io/client-go v0.0.0-20181213151034-8d9ed539ba31/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s= +k8s.io/client-go v12.0.0+incompatible h1:YlJxncpeVUC98/WMZKC3JZGk/OXQWCZjAB4Xr3B17RY= k8s.io/code-generator v0.0.0-20181117043124-c2090bec4d9b h1:KH0fUlgdFZH8UMxJ/FDCYHpczfSQKefetq5NjL6BVF0= k8s.io/code-generator v0.0.0-20181117043124-c2090bec4d9b/go.mod h1:MYiN+ZJZ9HkETbgVZdWw2AsuAi9PZ4V80cwfuf2axe8= k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6 h1:4s3/R4+OYYYUKptXPhZKjQ04WJ6EhQQVFdjOFvCazDk= diff --git a/hack/generate_client.sh b/hack/generate_client.sh index bdc575905..29b36c633 100755 --- a/hack/generate_client.sh +++ b/hack/generate_client.sh @@ -4,6 +4,6 @@ set -e GV="network:v1alpha1 servicemesh:v1alpha2 tenant:v1alpha1" rm -rf ./pkg/client -./hack/generate_group.sh "client,lister,informer" kubesphere.io/kubesphere/pkg/client kubesphere.io/kubesphere/pkg/apis "$GV" --output-base=./ -mv kubesphere.io/kubesphere/pkg/client ./pkg/ +./hack/generate_group.sh "client,lister,informer" kubesphere.io/kubesphere/pkg/client kubesphere.io/kubesphere/pkg/apis "$GV" --output-base=./ -h=./hack/boilerplate.go.txt +mv kubesphere.io/kubesphere/pkg/client ./pkg/ rm -rf ./kubesphere.io \ No newline at end of file diff --git a/hack/generate_group.sh b/hack/generate_group.sh index 29eb647bb..90a0c0baf 100755 --- a/hack/generate_group.sh +++ b/hack/generate_group.sh @@ -18,6 +18,7 @@ set -o errexit set -o nounset set -o pipefail +GOPATH="${HOME}/go" # generate-groups generates everything for a project with external types only, e.g. a project based # on CustomResourceDefinitions. 
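Review bot: `GOPATH="${HOME}/go"` in hack/generate_group.sh unconditionally overwrites any GOPATH the caller already has, so on a machine with a non-default GOPATH the generator will look for (and write into) the wrong tree; supplying only a default, `GOPATH="${GOPATH:-${HOME}/go}"`, keeps the script working in both setups. The assignment is also not exported, so child processes the script spawns (the rest of the script is outside this hunk) will not see it unless the script itself expands `$GOPATH` on their command line — if the generator binary reads it from the environment, `export GOPATH` is needed as well.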
diff --git a/hack/network-test.sh b/hack/network-test.sh
new file mode 100755
index 000000000..4993bfa7b
--- /dev/null
+++ b/hack/network-test.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#this script must invoked in the root directory of this repo
+
+
+tag=`git rev-parse --short HEAD`
+IMG=magicsong/ks-network:$tag
+DEST=/tmp/manager.yaml
+SKIP_BUILD=no
+
+echo "try to delete old yaml"
+kubectl delete -f $DEST
+set -e
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+ -s|--skip-build)
+ SKIP_BUILD=yes
+ shift # past argument
+ ;;
+ -n|--NAMESPACE)
+ TEST_NS=$2
+ shift # past argument
+ shift # past value
+ ;;
+ -t|--tag)
+ tag="$2"
+ shift # past argument
+ shift # past value
+ ;;
+ --default)
+ DEFAULT=YES
+ shift # past argument
+ ;;
+ *) # unknown option
+ POSITIONAL+=("$1") # save it in an array for later
+ shift # past argument
+ ;;
+esac
+done
+
+if [ $SKIP_BUILD == "no" ]; then
+ echo "Building binary"
+ hack/gobuild.sh cmd/ks-network
+ docker build -f build/ks-network/Dockerfile -t $IMG bin/cmd
+ echo "Push images"
+ docker push $IMG
+fi
+
+echo "Generating yaml"
+sed -e 's@image: .*@image: '"${IMG}"'@' config/manager/network.yaml > $DEST
+kubectl apply -f $DEST
+kubectl apply -f config/rbac/rbac_role_binding_network.yaml
+
+
diff --git a/pkg/apis/network/v1alpha1/common.go b/pkg/apis/network/v1alpha1/common.go
new file mode 100644
index 000000000..d19a03710
--- /dev/null
+++ b/pkg/apis/network/v1alpha1/common.go
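Review bot: The manifest is generated into and applied from the fixed, predictable path `/tmp/manager.yaml` (`DEST`), and `kubectl delete -f $DEST` runs against whatever already sits there before `set -e`; on a shared machine any other local user can pre-create that file or a symlink at that path and have their own manifest deleted or applied with the caller's cluster credentials. Keep it out of the shared tmp dir, e.g. `DEST="${DEST:-bin/ks-network-manager.yaml}"` inside the working tree (a stable path is still needed so the delete of the previous manifest keeps working), and quote `"$DEST"` and `"$IMG"` in the kubectl, docker and sed lines. Separately, `IMG=magicsong/ks-network:$tag` is computed before the option loop, so `-t|--tag` changes `tag` but not the image that is built, pushed and deployed; move that assignment after `done`. The push target also looks like a personal Docker Hub namespace hard-coded into a repo script, which is worth parameterising (`IMG="${IMG:-magicsong/ks-network:$tag}"`) before this lands.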
@@ -0,0 +1,170 @@ +package v1alpha1 + +import ( + "kubesphere.io/kubesphere/pkg/apis/network/v1alpha1/numorstring" + corev1 "k8s.io/api/core/v1" +) + +// A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy +// and security Profiles reference rules - separated out as a list of rules for both +// ingress and egress packet matching. +// +// Each positive match criteria has a negated version, prefixed with ”Not”. All the match +// criteria within a rule must be satisfied for a packet to match. A single rule can contain +// the positive and negative version of a match and both must be satisfied for the rule to match. +type Rule struct { + Action Action `json:"action" validate:"action"` + // IPVersion is an optional field that restricts the rule to only match a specific IP + // version. + IPVersion *int `json:"ipVersion,omitempty" validate:"omitempty,ipVersion"` + // Protocol is an optional field that restricts the rule to only apply to traffic of + // a specific IP protocol. Required if any of the EntityRules contain Ports + // (because ports only apply to certain protocols). + // + // Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" + // or an integer in the range 1-255. + Protocol *corev1.Protocol `json:"protocol,omitempty" validate:"omitempty"` + // ICMP is an optional field that restricts the rule to apply to a specific type and + // code of ICMP traffic. This should only be specified if the Protocol field is set to + // "ICMP" or "ICMPv6". + ICMP *ICMPFields `json:"icmp,omitempty" validate:"omitempty"` + // NotProtocol is the negated version of the Protocol field. + NotProtocol *corev1.Protocol `json:"notProtocol,omitempty" validate:"omitempty"` + // NotICMP is the negated version of the ICMP field. + NotICMP *ICMPFields `json:"notICMP,omitempty" validate:"omitempty"` + // Source contains the match criteria that apply to source entity. 
+ Source EntityRule `json:"source,omitempty" validate:"omitempty"` + // Destination contains the match criteria that apply to destination entity. + Destination EntityRule `json:"destination,omitempty" validate:"omitempty"` + + // HTTP contains match criteria that apply to HTTP requests. + HTTP *HTTPMatch `json:"http,omitempty" validate:"omitempty"` +} + +// HTTPPath specifies an HTTP path to match. It may be either of the form: +// exact: : which matches the path exactly or +// prefix: : which matches the path prefix +type HTTPPath struct { + Exact string `json:"exact,omitempty" validate:"omitempty"` + Prefix string `json:"prefix,omitempty" validate:"omitempty"` +} + +// HTTPMatch is an optional field that apply only to HTTP requests +// The Methods and Path fields are joined with AND +type HTTPMatch struct { + // Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed + // HTTP Methods (e.g. GET, PUT, etc.) + // Multiple methods are OR'd together. + Methods []string `json:"methods,omitempty" validate:"omitempty"` + // Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed + // HTTP Paths. + // Multiple paths are OR'd together. + // e.g: + // - exact: /foo + // - prefix: /bar + // NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. + Paths []HTTPPath `json:"paths,omitempty" validate:"omitempty"` +} + +// ICMPFields defines structure for ICMP and NotICMP sub-struct for ICMP code and type +type ICMPFields struct { + // Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + // (i.e. pings). + Type *int `json:"type,omitempty" validate:"omitempty,gte=0,lte=254"` + // Match on a specific ICMP code. If specified, the Type value must also be specified. + // This is a technical limitation imposed by the kernel’s iptables firewall, which + // Calico uses to enforce the rule. 
+ Code *int `json:"code,omitempty" validate:"omitempty,gte=0,lte=255"` +} + +// An EntityRule is a sub-component of a Rule comprising the match criteria specific +// to a particular entity (that is either the source or destination). +// +// A source EntityRule matches the source endpoint and originating traffic. +// A destination EntityRule matches the destination endpoint and terminating traffic. +type EntityRule struct { + // Nets is an optional field that restricts the rule to only apply to traffic that + // originates from (or terminates at) IP addresses in any of the given subnets. + Nets []string `json:"nets,omitempty" validate:"omitempty,dive,net"` + + // Selector is an optional field that contains a selector expression (see Policy for + // sample syntax). Only traffic that originates from (terminates at) endpoints matching + // the selector will be matched. + // + // Note that: in addition to the negated version of the Selector (see NotSelector below), the + // selector expression syntax itself supports negation. The two types of negation are subtly + // different. One negates the set of matched endpoints, the other negates the whole match: + // + // Selector = "!has(my_label)" matches packets that are from other Calico-controlled + // endpoints that do not have the label “my_label”. + // + // NotSelector = "has(my_label)" matches packets that are not from Calico-controlled + // endpoints that do have the label “my_label”. + // + // The effect is that the latter will accept packets from non-Calico sources whereas the + // former is limited to packets from Calico-controlled endpoints. + Selector string `json:"selector,omitempty" validate:"omitempty,selector"` + + // NamespaceSelector is an optional field that contains a selector expression. Only traffic + // that originates from (or terminates at) endpoints within the selected namespaces will be + // matched. 
When both NamespaceSelector and Selector are defined on the same rule, then only + // workload endpoints that are matched by both selectors will be selected by the rule. + // + // For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + // only workload endpoints in the same namespace as the NetworkPolicy. + // + // For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + // endpoints across all namespaces. + NamespaceSelector string `json:"namespaceSelector,omitempty" validate:"omitempty,selector"` + + // Ports is an optional field that restricts the rule to only apply to traffic that has a + // source (destination) port that matches one of these ranges/values. This value is a + // list of integers or strings that represent ranges of ports. + // + // Since only some protocols have ports, if any ports are specified it requires the + // Protocol match in the Rule to be set to "TCP" or "UDP". + Ports []numorstring.Port `json:"ports,omitempty" validate:"omitempty,dive"` + + // NotNets is the negated version of the Nets field. + NotNets []string `json:"notNets,omitempty" validate:"omitempty,dive,net"` + + // NotSelector is the negated version of the Selector field. See Selector field for + // subtleties with negated selectors. + NotSelector string `json:"notSelector,omitempty" validate:"omitempty,selector"` + + // NotPorts is the negated version of the Ports field. + // Since only some protocols have ports, if any ports are specified it requires the + // Protocol match in the Rule to be set to "TCP" or "UDP". + NotPorts []numorstring.Port `json:"notPorts,omitempty" validate:"omitempty,dive"` + + // ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + // terminates at) a pod running as a matching service account. 
+ ServiceAccounts *ServiceAccountMatch `json:"serviceAccounts,omitempty" validate:"omitempty"` +} + +type ServiceAccountMatch struct { + // Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + // at) a pod running as a service account whose name is in the list. + Names []string `json:"names,omitempty" validate:"omitempty"` + + // Selector is an optional field that restricts the rule to only apply to traffic that originates from + // (or terminates at) a pod running as a service account that matches the given label selector. + // If both Names and Selector are specified then they are AND'ed. + Selector string `json:"selector,omitempty" validate:"omitempty,selector"` +} + +type Action string + +const ( + Allow Action = "Allow" + Deny = "Deny" + Log = "Log" + Pass = "Pass" +) + +type PolicyType string + +const ( + PolicyTypeIngress PolicyType = "Ingress" + PolicyTypeEgress PolicyType = "Egress" +) diff --git a/pkg/apis/network/v1alpha1/namespacenetworkpolicy_types.go b/pkg/apis/network/v1alpha1/namespacenetworkpolicy_types.go new file mode 100644 index 000000000..d8ab00bb6 --- /dev/null +++ b/pkg/apis/network/v1alpha1/namespacenetworkpolicy_types.go 
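Review bot: In the `Action` constant block only `Allow` carries the `Action` type; `Deny`, `Log` and `Pass` are untyped string constants whose default type is `string`, so `var a = Deny` is not an `Action` and the three values silently lose the type the field declares — write `Deny Action = "Deny"`, `Log Action = "Log"`, `Pass Action = "Pass"`. The doc comment on `Rule.Protocol` (and `NotProtocol`) promises `"ICMP"`, `"ICMPv6"`, `"SCTP"`, `"UDPLite"` or an integer 1-255, but the field is typed `*corev1.Protocol`, which in k8s.io/api defines only TCP, UDP and SCTP and, being a string type, cannot carry an integer at all; either type the field with the `numorstring` package this file already imports for `Port`, or rewrite the comment to the values that are actually accepted, since users will otherwise author ICMP rules from a contract the type does not honour. The `validate:"action"`, `ipVersion`, `net` and `selector` tags name custom validators that nothing in this hunk registers; if the struct validator is run without them every rule fails validation, and if it is never run the `nets` CIDRs and selector expressions reach the policy backend unchecked — worth confirming where these are registered.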
@@ -0,0 +1,108 @@ +/* +Copyright 2019 The KubeSphere authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// All types in this file is copy from calicoapi as we use calico to policy + +// NamespaceNetworkPolicySpec defines the desired state of NamespaceNetworkPolicy +type NamespaceNetworkPolicySpec struct { + // Order is an optional field that specifies the order in which the policy is applied. + // Policies with higher "order" are applied after those with lower + // order. If the order is omitted, it may be considered to be "infinite" - i.e. the + // policy will be applied last. Policies with identical order will be applied in + // alphanumerical order based on the Policy "Name". + Order *int `json:"order,omitempty"` + // The ordered set of ingress rules. Each rule contains a set of packet match criteria and + // a corresponding action to apply. + Ingress []Rule `json:"ingress,omitempty" validate:"omitempty,dive"` + // The ordered set of egress rules. Each rule contains a set of packet match criteria and + // a corresponding action to apply. + Egress []Rule `json:"egress,omitempty" validate:"omitempty,dive"` + // The selector is an expression used to pick pick out the endpoints that the policy should + // be applied to. + // + // Selector expressions follow this syntax: + // + // label == "string_literal" -> comparison, e.g. 
my_label == "foo bar" + // label != "string_literal" -> not equal; also matches if label is not present + // label in { "a", "b", "c", ... } -> true if the value of label X is one of "a", "b", "c" + // label not in { "a", "b", "c", ... } -> true if the value of label X is not one of "a", "b", "c" + // has(label_name) -> True if that label is present + // ! expr -> negation of expr + // expr && expr -> Short-circuit and + // expr || expr -> Short-circuit or + // ( expr ) -> parens for grouping + // all() or the empty selector -> matches all endpoints. + // + // Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive + // but they do not support escape characters. + // + // Examples (with made-up labels): + // + // type == "webserver" && deployment == "prod" + // type in {"frontend", "backend"} + // deployment != "dev" + // ! has(label_name) + Selector string `json:"selector" validate:"selector"` + // Types indicates whether this policy applies to ingress, or to egress, or to both. When + // not explicitly specified (and so the value on creation is empty or nil), Calico defaults + // Types according to what Ingress and Egress are present in the policy. The + // default is: + // + // - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are + // also no Ingress rules) + // + // - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules + // + // - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. + // + // When the policy is read back again, Types will always be one of these values, never empty + // or nil. 
+ Types []PolicyType `json:"types,omitempty" validate:"omitempty,dive,policyType"` + // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + // Important: Run "make" to regenerate code after modifying this file +} + +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// NamespaceNetworkPolicy is the Schema for the namespacenetworkpolicies API +// +k8s:openapi-gen=true +// +kubebuilder:resource:categories="networking",shortName="nsnp" +type NamespaceNetworkPolicy struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec NamespaceNetworkPolicySpec `json:"spec,omitempty"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// NamespaceNetworkPolicyList contains a list of NamespaceNetworkPolicy +type NamespaceNetworkPolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []NamespaceNetworkPolicy `json:"items"` +} + +func init() { + SchemeBuilder.Register(&NamespaceNetworkPolicy{}, &NamespaceNetworkPolicyList{}) +} diff --git a/pkg/apis/network/v1alpha1/namespacenetworkpolicy_types_test.go b/pkg/apis/network/v1alpha1/namespacenetworkpolicy_types_test.go new file mode 100644 index 000000000..1a61695b1 --- /dev/null +++ b/pkg/apis/network/v1alpha1/namespacenetworkpolicy_types_test.go 
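Review bot: The `Types` field in NamespaceNetworkPolicySpec is constrained only by a `validate:"omitempty,dive,policyType"` struct tag, and nothing in this hunk registers a validator for it, so the API server will persist any string there and the direction a policy applies to is checked later, if at all. A `// +kubebuilder:validation:Enum=Ingress;Egress` marker on the field (separator syntax depends on the controller-tools version the repo generates with) would make the generated CRD reject bad values at admission time. The remaining `validate:` tags copied from Calico presumably need the Calico validator wired into the ks-network controller or a webhook before they have any effect; worth confirming that happens before rules are translated. Two wording fixes as well: the Selector comment has a doubled word, `pick pick out`, and the file-level comment could read `// All types in this file are copied from the Calico API, since Calico enforces the policy.`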
@@ -0,0 +1,58 @@ +/* +Copyright 2019 The KubeSphere authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + "testing" + + "github.com/onsi/gomega" + "golang.org/x/net/context" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" +) + +func TestStorageNamespaceNetworkPolicy(t *testing.T) { + key := types.NamespacedName{ + Name: "foo", + Namespace: "default", + } + created := &NamespaceNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: "default", + }} + g := gomega.NewGomegaWithT(t) + + // Test Create + fetched := &NamespaceNetworkPolicy{} + g.Expect(c.Create(context.TODO(), created)).To(gomega.Succeed()) + + g.Expect(c.Get(context.TODO(), key, fetched)).To(gomega.Succeed()) + g.Expect(fetched).To(gomega.Equal(created)) + + // Test Updating the Labels + updated := fetched.DeepCopy() + updated.Labels = map[string]string{"hello": "world"} + g.Expect(c.Update(context.TODO(), updated)).To(gomega.Succeed()) + + g.Expect(c.Get(context.TODO(), key, fetched)).To(gomega.Succeed()) + g.Expect(fetched).To(gomega.Equal(updated)) + + // Test Delete + g.Expect(c.Delete(context.TODO(), fetched)).To(gomega.Succeed()) + g.Expect(c.Get(context.TODO(), key, fetched)).ToNot(gomega.Succeed()) +} diff --git a/pkg/apis/network/v1alpha1/numorstring/asnumber.go b/pkg/apis/network/v1alpha1/numorstring/asnumber.go new file mode 100644 index 000000000..9ff706d62 --- /dev/null 
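Review bot: TestStorageNamespaceNetworkPolicy creates the object with an empty Spec, so the round-trip never exercises the Ingress/Egress rules, the numorstring Port/Protocol JSON codecs or the CRD schema for them. Giving `created` at least one rule with a port range and a string protocol would let the envtest run catch schema and marshalling regressions rather than only metadata handling. The `c` client used throughout is declared outside this hunk.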
+++ b/pkg/apis/network/v1alpha1/numorstring/asnumber.go 
@@ -0,0 +1,73 @@
+// Copyright (c) 2016 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package numorstring
+
+import (
+ "encoding/json"
+ "errors"
+ "fmt"
+ "strconv"
+ "strings"
+)
+
+type ASNumber uint32
+
+// ASNumberFromString creates an ASNumber struct from a string value. The
+// string value may simply be a number or may be the ASN in dotted notation.
+func ASNumberFromString(s string) (ASNumber, error) {
+ if num, err := strconv.ParseUint(s, 10, 32); err == nil {
+ return ASNumber(num), nil
+ }
+
+ parts := strings.Split(s, ".")
+ if len(parts) != 2 {
+ msg := fmt.Sprintf("invalid AS Number format (%s)", s)
+ return 0, errors.New(msg)
+ }
+
+ if num1, err := strconv.ParseUint(parts[0], 10, 16); err != nil {
+ msg := fmt.Sprintf("invalid AS Number format (%s)", s)
+ return 0, errors.New(msg)
+ } else if num2, err := strconv.ParseUint(parts[1], 10, 16); err != nil {
+ msg := fmt.Sprintf("invalid AS Number format (%s)", s)
+ return 0, errors.New(msg)
+ } else {
+ return ASNumber((num1 << 16) + num2), nil
+ }
+}
+
+// UnmarshalJSON implements the json.Unmarshaller uinterface.
+func (a *ASNumber) UnmarshalJSON(b []byte) error {
+ if err := json.Unmarshal(b, (*uint32)(a)); err == nil {
+ return nil
+ } else {
+ var s string
+ if err := json.Unmarshal(b, &s); err != nil {
+ return err
+ }
+
+ if v, err := ASNumberFromString(s); err != nil {
+ return err
+ } else {
+ *a = v
+ return nil
+ }
+ }
+}
+
+// String returns the string value, or the Itoa of the uint value.
+func (a ASNumber) String() string {
+ return strconv.FormatUint(uint64(a), 10)
+}
diff --git a/pkg/apis/network/v1alpha1/numorstring/doc.go b/pkg/apis/network/v1alpha1/numorstring/doc.go
new file mode 100644
index 000000000..f37ce6efc
--- /dev/null
+++ b/pkg/apis/network/v1alpha1/numorstring/doc.go
@@ -0,0 +1,19 @@
+// Copyright (c) 2016 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/*
+Package numorstring implements a set of type definitions that in YAML or JSON
+format may be represented by either a number or a string.
+*/
+package numorstring
diff --git a/pkg/apis/network/v1alpha1/numorstring/numorstring_suite_test.go b/pkg/apis/network/v1alpha1/numorstring/numorstring_suite_test.go
new file mode 100644
index 000000000..68a29fd72
--- /dev/null
+++ b/pkg/apis/network/v1alpha1/numorstring/numorstring_suite_test.go
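Review bot: The doc comment on ASNumber.UnmarshalJSON misspells its subject; `// UnmarshalJSON implements the json.Unmarshaller uinterface.` should read `// UnmarshalJSON implements the json.Unmarshaler interface.`. In ASNumberFromString the identical message is assembled three times through fmt.Sprintf plus errors.New; `return 0, fmt.Errorf("invalid AS Number format (%s)", s)` in each branch is the idiomatic form and drops the `msg` temporaries. Nothing visible in this commit references ASNumber from the policy types, so if it only arrived because the upstream package was copied wholesale, consider leaving it out to keep the API surface small.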
@@ -0,0 +1,26 @@ +// Copyright (c) 2016,2018 Tigera, Inc. All rights reserved. + +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +package numorstring_test + +import ( + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" + + "testing" +) + +func TestNumorstring(t *testing.T) { + RegisterFailHandler(Fail) + RunSpecs(t, "Numorstring Suite") +} diff --git a/pkg/apis/network/v1alpha1/numorstring/numorstring_test.go b/pkg/apis/network/v1alpha1/numorstring/numorstring_test.go new file mode 100644 index 000000000..c12270db0 --- /dev/null +++ b/pkg/apis/network/v1alpha1/numorstring/numorstring_test.go 
@@ -0,0 +1,204 @@ +// Copyright (c) 2016-2017 Tigera, Inc. All rights reserved. + +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package numorstring_test + +import ( + "encoding/json" + "fmt" + "reflect" + + . "github.com/onsi/ginkgo/extensions/table" + . "github.com/onsi/gomega" + "github.com/projectcalico/libcalico-go/lib/numorstring" +) + +func init() { + + asNumberType := reflect.TypeOf(numorstring.ASNumber(0)) + protocolType := reflect.TypeOf(numorstring.Protocol{}) + portType := reflect.TypeOf(numorstring.Port{}) + + // Perform tests of JSON unmarshaling of the various field types. + DescribeTable("NumOrStringJSONUnmarshaling", + func(jtext string, typ reflect.Type, expected interface{}) { + // Create a new field type and invoke the unmarshaller interface + // directly (this covers a couple more error cases than calling + // through json.Unmarshal. + new := reflect.New(typ) + u := new.Interface().(json.Unmarshaler) + err := u.UnmarshalJSON([]byte(jtext)) + + if expected != nil { + Expect(err).To(BeNil(), + "expected json unmarshal to not error") + Expect(new.Elem().Interface()).To(Equal(expected), + "expected value not same as json unmarshalled value") + } else { + Expect(err).ToNot(BeNil(), + "expected json unmarshal to error") + } + }, + // ASNumber tests. 
+ Entry("should accept 0 AS number as int", "0", asNumberType, numorstring.ASNumber(0)), + Entry("should accept 4294967295 AS number as int", "4294967295", asNumberType, numorstring.ASNumber(4294967295)), + Entry("should accept 0 AS number as string", "\"0\"", asNumberType, numorstring.ASNumber(0)), + Entry("should accept 4294967295 AS number as string", "\"4294967295\"", asNumberType, numorstring.ASNumber(4294967295)), + Entry("should accept 1.10 AS number as string", "\"1.10\"", asNumberType, numorstring.ASNumber(65546)), + Entry("should accept 00.00 AS number as string", "\"00.00\"", asNumberType, numorstring.ASNumber(0)), + Entry("should accept 00.01 AS number as string", "\"00.01\"", asNumberType, numorstring.ASNumber(1)), + Entry("should accept 65535.65535 AS number as string", "\"65535.65535\"", asNumberType, numorstring.ASNumber(4294967295)), + Entry("should reject 1.1.1 AS number as string", "\"1.1.1\"", asNumberType, nil), + Entry("should reject 65536.65535 AS number as string", "\"65536.65535\"", asNumberType, nil), + Entry("should reject 65535.65536 AS number as string", "\"65535.65536\"", asNumberType, nil), + Entry("should reject 0.-1 AS number as string", "\"0.-1\"", asNumberType, nil), + Entry("should reject -1 AS number as int", "-1", asNumberType, nil), + Entry("should reject 4294967296 AS number as int", "4294967296", asNumberType, nil), + + // Port tests. 
+ Entry("should accept 0 port as int", "0", portType, numorstring.SinglePort(0)), + Entry("should accept 65535 port as int", "65535", portType, numorstring.SinglePort(65535)), + Entry("should accept 0:65535 port range as string", "\"0:65535\"", portType, portFromRange(0, 65535)), + Entry("should accept 1:10 port range as string", "\"1:10\"", portType, portFromRange(1, 10)), + Entry("should accept foo-bar as named port", "\"foo-bar\"", portType, numorstring.NamedPort("foo-bar")), + Entry("should reject -1 port as int", "-1", portType, nil), + Entry("should reject 65536 port as int", "65536", portType, nil), + Entry("should reject 0:65536 port range as string", "\"0:65536\"", portType, nil), + Entry("should reject -1:65535 port range as string", "\"-1:65535\"", portType, nil), + Entry("should reject 10:1 port range as string", "\"10:1\"", portType, nil), + Entry("should reject 1:2:3 port range as string", "\"1:2:3\"", portType, nil), + Entry("should reject bad named port string", "\"*\"", portType, nil), + Entry("should reject bad port string", "\"1:2", portType, nil), + + // Protocol tests. Invalid integer values will be stored as strings. 
+ Entry("should accept 0 protocol as int", "0", protocolType, numorstring.ProtocolFromInt(0)), + Entry("should accept 255 protocol as int", "255", protocolType, numorstring.ProtocolFromInt(255)), + Entry("should accept tcp protocol as string", "\"TCP\"", protocolType, numorstring.ProtocolFromString("TCP")), + Entry("should accept tcp protocol as string", "\"TCP\"", protocolType, numorstring.ProtocolFromString("TCP")), + Entry("should accept 0 protocol as string", "\"0\"", protocolType, numorstring.ProtocolFromInt(0)), + Entry("should accept 0 protocol as string", "\"255\"", protocolType, numorstring.ProtocolFromInt(255)), + Entry("should accept 256 protocol as string", "\"256\"", protocolType, numorstring.ProtocolFromString("256")), + Entry("should reject bad protocol string", "\"25", protocolType, nil), + ) + + // Perform tests of JSON marshaling of the various field types. + DescribeTable("NumOrStringJSONMarshaling", + func(field interface{}, jtext string) { + b, err := json.Marshal(field) + if jtext != "" { + Expect(err).To(BeNil(), + "expected json marshal to not error") + Expect(string(b)).To(Equal(jtext), + "expected json not same as marshalled value") + } else { + Expect(err).ToNot(BeNil(), + "expected json marshal to error") + } + }, + // ASNumber tests. + Entry("should marshal ASN of 0", numorstring.ASNumber(0), "0"), + Entry("should marshal ASN of 4294967295", numorstring.ASNumber(4294967295), "4294967295"), + + // Port tests. + Entry("should marshal port of 0", numorstring.SinglePort(0), "0"), + Entry("should marshal port of 65535", portFromRange(65535, 65535), "65535"), + Entry("should marshal port of 10", portFromString("10"), "10"), + Entry("should marshal port range of 10:20", portFromRange(10, 20), "\"10:20\""), + Entry("should marshal port range of 20:30", portFromRange(20, 30), "\"20:30\""), + Entry("should marshal named port", numorstring.NamedPort("foobar"), `"foobar"`), + + // Protocol tests. 
+ Entry("should marshal protocol of 0", numorstring.ProtocolFromInt(0), "0"), + Entry("should marshal protocol of udp", numorstring.ProtocolFromString("UDP"), "\"UDP\""), + ) + + // Perform tests of Stringer interface various field types. + DescribeTable("NumOrStringStringify", + func(field interface{}, s string) { + a := fmt.Sprint(field) + Expect(a).To(Equal(s), + "expected String() value to match") + }, + // ASNumber tests. + Entry("should stringify ASN of 0", numorstring.ASNumber(0), "0"), + Entry("should stringify ASN of 4294967295", numorstring.ASNumber(4294967295), "4294967295"), + + // Port tests. + Entry("should stringify port of 20", numorstring.SinglePort(20), "20"), + Entry("should stringify port range of 10:20", portFromRange(10, 20), "10:20"), + + // Protocol tests. + Entry("should stringify protocol of 0", numorstring.ProtocolFromInt(0), "0"), + Entry("should stringify protocol of udp", numorstring.ProtocolFromString("UDP"), "UDP"), + ) + + // Perform tests of Protocols supporting ports. + DescribeTable("NumOrStringProtocolsSupportingPorts", + func(protocol numorstring.Protocol, supportsPorts bool) { + Expect(protocol.SupportsPorts()).To(Equal(supportsPorts), + "expected protocol port support to match") + }, + Entry("protocol 6 supports ports", numorstring.ProtocolFromInt(6), true), + Entry("protocol 17 supports ports", numorstring.ProtocolFromInt(17), true), + Entry("protocol udp supports ports", numorstring.ProtocolFromString("UDP"), true), + Entry("protocol udp supports ports", numorstring.ProtocolFromString("TCP"), true), + Entry("protocol foo does not support ports", numorstring.ProtocolFromString("foo"), false), + Entry("protocol 2 does not support ports", numorstring.ProtocolFromInt(2), false), + ) + + // Perform tests of Protocols FromString method. 
+ DescribeTable("NumOrStringProtocols FromString is not case sensitive", + func(input, expected string) { + Expect(numorstring.ProtocolFromString(input).StrVal).To(Equal(expected), + "expected parsed protocol to match") + }, + Entry("protocol udp -> UDP", "udp", "UDP"), + Entry("protocol tcp -> TCP", "tcp", "TCP"), + Entry("protocol updlite -> UDPLite", "udplite", "UDPLite"), + Entry("unknown protocol xxxXXX", "xxxXXX", "xxxXXX"), + ) + + // Perform tests of Protocols FromStringV1 method. + DescribeTable("NumOrStringProtocols FromStringV1 is lowercase", + func(input, expected string) { + Expect(numorstring.ProtocolFromStringV1(input).StrVal).To(Equal(expected), + "expected parsed protocol to match") + }, + Entry("protocol udp -> UDP", "UDP", "udp"), + Entry("protocol tcp -> TCP", "TCP", "tcp"), + Entry("protocol updlite -> UDPLite", "UDPLite", "udplite"), + Entry("unknown protocol xxxXXX", "xxxXXX", "xxxxxx"), + ) + + // Perform tests of Protocols ToV1 method. + DescribeTable("NumOrStringProtocols FromStringV1 is lowercase", + func(input, expected numorstring.Protocol) { + Expect(input.ToV1()).To(Equal(expected), + "expected parsed protocol to match") + }, + // Protocol tests. + Entry("protocol udp -> UDP", numorstring.ProtocolFromInt(2), numorstring.ProtocolFromInt(2)), + Entry("protocol tcp -> TCP", numorstring.ProtocolFromString("TCP"), numorstring.ProtocolFromStringV1("TCP")), + ) +} + +func portFromRange(minPort, maxPort uint16) numorstring.Port { + p, _ := numorstring.PortFromRange(minPort, maxPort) + return p +} + +func portFromString(s string) numorstring.Port { + p, _ := numorstring.PortFromString(s) + return p +} diff --git a/pkg/apis/network/v1alpha1/numorstring/port.go b/pkg/apis/network/v1alpha1/numorstring/port.go new file mode 100644 index 000000000..9d737ff83 --- /dev/null +++ b/pkg/apis/network/v1alpha1/numorstring/port.go 
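Review bot: numorstring_test.go lives in pkg/apis/network/v1alpha1/numorstring but imports `"github.com/projectcalico/libcalico-go/lib/numorstring"`, so every table entry exercises the upstream libcalico-go package rather than the copy added in this commit, and a regression in the local port.go or protocol.go would go unnoticed. The import should point at the local package, `"<module-path>/pkg/apis/network/v1alpha1/numorstring"`, after which the module dependency on libcalico-go can go unless something else needs it. Two smaller points: `new := reflect.New(typ)` shadows the builtin `new`, and the last two tables are both titled `NumOrStringProtocols FromStringV1 is lowercase` although the second one tests ToV1.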
@@ -0,0 +1,144 @@
+// Copyright (c) 2016-2017 Tigera, Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package numorstring
+
+import (
+ "encoding/json"
+ "errors"
+ "fmt"
+ "regexp"
+ "strconv"
+)
+
+// Port represents either a range of numeric ports or a named port.
+//
+// - For a named port, set the PortName, leaving MinPort and MaxPort as 0.
+// - For a port range, set MinPort and MaxPort to the (inclusive) port numbers. Set
+// PortName to "".
+// - For a single port, set MinPort = MaxPort and PortName = "".
+type Port struct {
+ MinPort uint16 `json:"minPort,omitempty"`
+ MaxPort uint16 `json:"maxPort,omitempty"`
+ PortName string `validate:"omitempty,portName" json:"portName,omitempty"`
+}
+
+// SinglePort creates a Port struct representing a single port.
+func SinglePort(port uint16) Port {
+ return Port{MinPort: port, MaxPort: port}
+}
+
+func NamedPort(name string) Port {
+ return Port{PortName: name}
+}
+
+// PortFromRange creates a Port struct representing a range of ports.
+func PortFromRange(minPort, maxPort uint16) (Port, error) {
+ port := Port{MinPort: minPort, MaxPort: maxPort}
+ if minPort > maxPort {
+ msg := fmt.Sprintf("minimum port number (%d) is greater than maximum port number (%d) in port range", minPort, maxPort)
+ return port, errors.New(msg)
+ }
+ return port, nil
+}
+
+var (
+ allDigits = regexp.MustCompile(`^\d+$`)
+ portRange = regexp.MustCompile(`^(\d+):(\d+)$`)
+ nameRegex = regexp.MustCompile("^[a-zA-Z0-9_.-]{1,128}$")
+)
+
+// PortFromString creates a Port struct from its string representation. A port
+// may either be single value "1234", a range of values "100:200" or a named port: "name".
+func PortFromString(s string) (Port, error) {
+ if allDigits.MatchString(s) {
+ // Port is all digits, it should parse as a single port.
+ num, err := strconv.ParseUint(s, 10, 16)
+ if err != nil {
+ msg := fmt.Sprintf("invalid port format (%s)", s)
+ return Port{}, errors.New(msg)
+ }
+ return SinglePort(uint16(num)), nil
+ }
+
+ if groups := portRange.FindStringSubmatch(s); len(groups) > 0 {
+ // Port matches :, it should parse as a range of ports.
+ if pmin, err := strconv.ParseUint(groups[1], 10, 16); err != nil {
+ msg := fmt.Sprintf("invalid minimum port number in range (%s)", s)
+ return Port{}, errors.New(msg)
+ } else if pmax, err := strconv.ParseUint(groups[2], 10, 16); err != nil {
+ msg := fmt.Sprintf("invalid maximum port number in range (%s)", s)
+ return Port{}, errors.New(msg)
+ } else {
+ return PortFromRange(uint16(pmin), uint16(pmax))
+ }
+ }
+
+ if !nameRegex.MatchString(s) {
+ msg := fmt.Sprintf("invalid name for named port (%s)", s)
+ return Port{}, errors.New(msg)
+ }
+
+ return NamedPort(s), nil
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+func (p *Port) UnmarshalJSON(b []byte) error {
+ if b[0] == '"' {
+ var s string
+ if err := json.Unmarshal(b, &s); err != nil {
+ return err
+ }
+
+ if v, err := PortFromString(s); err != nil {
+ return err
+ } else {
+ *p = v
+ return nil
+ }
+ }
+
+ // It's not a string, it must be a single int.
+ var i uint16
+ if err := json.Unmarshal(b, &i); err != nil {
+ return err
+ }
+ v := SinglePort(i)
+ *p = v
+ return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface.
+func (p Port) MarshalJSON() ([]byte, error) {
+ if p.PortName != "" {
+ return json.Marshal(p.PortName)
+ } else if p.MinPort == p.MaxPort {
+ return json.Marshal(p.MinPort)
+ } else {
+ return json.Marshal(p.String())
+ }
+}
+
+// String returns the string value. If the min and max port are the same
+// this returns a single string representation of the port number, otherwise
+// if returns a colon separated range of ports.
+func (p Port) String() string {
+ if p.PortName != "" {
+ return p.PortName
+ } else if p.MinPort == p.MaxPort {
+ return strconv.FormatUint(uint64(p.MinPort), 10)
+ } else {
+ return fmt.Sprintf("%d:%d", p.MinPort, p.MaxPort)
+ }
+}
diff --git a/pkg/apis/network/v1alpha1/numorstring/protocol.go b/pkg/apis/network/v1alpha1/numorstring/protocol.go
new file mode 100644
index 000000000..d700a21c6
--- /dev/null
+++ b/pkg/apis/network/v1alpha1/numorstring/protocol.go
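Review bot: Port.UnmarshalJSON reads `b[0]` before checking the length, so a direct call with an empty slice panics (the table test in numorstring_test.go calls UnmarshalJSON directly, so that path is reachable), and a JSON `null` is not a string so it falls through to the integer branch, where json.Unmarshal leaves `i` at 0 and returns nil, silently storing `null` as port 0. A guard at the top, `if len(b) == 0 || string(b) == "null" { return errors.New("port must be a number, a min:max range or a port name") }`, closes both; Uint8OrString.UnmarshalJSON in uint8orstring.go has the same `b[0]` access and the same null-becomes-0 behaviour, which there yields protocol 0. NamedPort is also exported without a doc comment; `// NamedPort creates a Port struct that refers to a port by name.` would match its siblings.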
@@ -0,0 +1,134 @@
+// Copyright (c) 2016 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package numorstring
+
+import "strings"
+
+const (
+ ProtocolUDP = "UDP"
+ ProtocolTCP = "TCP"
+ ProtocolICMP = "ICMP"
+ ProtocolICMPv6 = "ICMPv6"
+ ProtocolSCTP = "SCTP"
+ ProtocolUDPLite = "UDPLite"
+
+ ProtocolUDPV1 = "udp"
+ ProtocolTCPV1 = "tcp"
+)
+
+var (
+ allProtocolNames = []string{
+ ProtocolUDP,
+ ProtocolTCP,
+ ProtocolICMP,
+ ProtocolICMPv6,
+ ProtocolSCTP,
+ ProtocolUDPLite,
+ }
+)
+
+type Protocol Uint8OrString
+
+// ProtocolFromInt creates a Protocol struct from an integer value.
+func ProtocolFromInt(p uint8) Protocol {
+ return Protocol(
+ Uint8OrString{Type: NumOrStringNum, NumVal: p},
+ )
+}
+
+// ProtocolV3FromProtocolV1 creates a v3 Protocol from a v1 Protocol,
+// while handling case conversion.
+func ProtocolV3FromProtocolV1(p Protocol) Protocol {
+ if p.Type == NumOrStringNum {
+ return p
+ }
+
+ for _, n := range allProtocolNames {
+ if strings.ToLower(n) == strings.ToLower(p.StrVal) {
+ return Protocol(
+ Uint8OrString{Type: NumOrStringString, StrVal: n},
+ )
+ }
+ }
+
+ return p
+}
+
+// ProtocolFromString creates a Protocol struct from a string value.
+func ProtocolFromString(p string) Protocol {
+ for _, n := range allProtocolNames {
+ if strings.ToLower(n) == strings.ToLower(p) {
+ return Protocol(
+ Uint8OrString{Type: NumOrStringString, StrVal: n},
+ )
+ }
+ }
+
+ // Unknown protocol - return the value unchanged. Validation should catch this.
+ return Protocol(
+ Uint8OrString{Type: NumOrStringString, StrVal: p},
+ )
+}
+
+// ProtocolFromStringV1 creates a Protocol struct from a string value (for the v1 API)
+func ProtocolFromStringV1(p string) Protocol {
+ return Protocol(
+ Uint8OrString{Type: NumOrStringString, StrVal: strings.ToLower(p)},
+ )
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+func (p *Protocol) UnmarshalJSON(b []byte) error {
+ return (*Uint8OrString)(p).UnmarshalJSON(b)
+}
+
+// MarshalJSON implements the json.Marshaller interface.
+func (p Protocol) MarshalJSON() ([]byte, error) {
+ return Uint8OrString(p).MarshalJSON()
+}
+
+// String returns the string value, or the Itoa of the int value.
+func (p Protocol) String() string {
+ return (Uint8OrString)(p).String()
+}
+
+// String returns the string value, or the Itoa of the int value.
+func (p Protocol) ToV1() Protocol {
+ if p.Type == NumOrStringNum {
+ return p
+ }
+ return ProtocolFromStringV1(p.StrVal)
+}
+
+// NumValue returns the NumVal if type Int, or if
+// it is a String, will attempt a conversion to int.
+func (p Protocol) NumValue() (uint8, error) {
+ return (Uint8OrString)(p).NumValue()
+}
+
+// SupportsProtocols returns whether this protocol supports ports. This returns true if
+// the numerical or string verion of the protocol indicates TCP (6) or UDP (17).
+func (p Protocol) SupportsPorts() bool {
+ num, err := p.NumValue()
+ if err == nil {
+ return num == 6 || num == 17
+ } else {
+ switch p.StrVal {
+ case ProtocolTCP, ProtocolUDP, ProtocolTCPV1, ProtocolUDPV1:
+ return true
+ }
+ return false
+ }
+}
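Review bot: Protocol.UnmarshalJSON stores whatever string arrives without the case normalisation that ProtocolFromString applies, so a policy written with `protocol: "Tcp"` keeps `StrVal == "Tcp"`, and SupportsPorts, which compares `p.StrVal` against the exact constants, returns false for it although its doc comment promises port support for any string version of TCP/UDP. Normalising in UnmarshalJSON, for example `if p.Type == NumOrStringString { *p = ProtocolFromString(p.StrVal) }` after the delegated call, or comparing with `strings.EqualFold` in SupportsPorts, would make the two agree. The doc comments also need attention: ToV1 carries a copy of String's comment and should say `// ToV1 converts a named protocol to its lowercase v1 form; numeric protocols are returned unchanged.`, and the comment above SupportsPorts names the function `SupportsProtocols` and misspells `version`. The two `strings.ToLower(a) == strings.ToLower(b)` comparisons here and in ProtocolV3FromProtocolV1 are `strings.EqualFold(a, b)`.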
diff --git a/pkg/apis/network/v1alpha1/numorstring/type.go b/pkg/apis/network/v1alpha1/numorstring/type.go
new file mode 100644
index 000000000..ae50cba43
--- /dev/null
+++ b/pkg/apis/network/v1alpha1/numorstring/type.go
@@ -0,0 +1,23 @@
+// Copyright (c) 2016 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package numorstring
+
+// Type represents the stored type of Int32OrString.
+type NumOrStringType int
+
+const (
+ NumOrStringNum NumOrStringType = iota // The structure holds a number.
+ NumOrStringString // The structure holds a string.
+)
diff --git a/pkg/apis/network/v1alpha1/numorstring/uint8orstring.go b/pkg/apis/network/v1alpha1/numorstring/uint8orstring.go
new file mode 100644
index 000000000..626a904b6
--- /dev/null
+++ b/pkg/apis/network/v1alpha1/numorstring/uint8orstring.go
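Review bot: The doc comment on NumOrStringType refers to `Int32OrString`, a type that does not exist in this package, and does not start with the type's name as Go doc convention expects. It should read `// NumOrStringType records whether a Uint8OrString currently holds NumVal or StrVal.`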
@@ -0,0 +1,80 @@
+// Copyright (c) 2016 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package numorstring
+
+import (
+ "encoding/json"
+ "strconv"
+)
+
+// UInt8OrString is a type that can hold an uint8 or a string. When used in
+// JSON or YAML marshalling and unmarshalling, it produces or consumes the
+// inner type. This allows you to have, for example, a JSON field that can
+// accept a name or number.
+type Uint8OrString struct {
+ Type NumOrStringType
+ NumVal uint8
+ StrVal string
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+func (i *Uint8OrString) UnmarshalJSON(b []byte) error {
+ if b[0] == '"' {
+ var s string
+ if err := json.Unmarshal(b, &s); err != nil {
+ return err
+ }
+
+ num, err := strconv.ParseUint(s, 10, 8)
+ if err == nil {
+ i.Type = NumOrStringNum
+ i.NumVal = uint8(num)
+ } else {
+ i.Type = NumOrStringString
+ i.StrVal = s
+ }
+
+ return nil
+ }
+ i.Type = NumOrStringNum
+ return json.Unmarshal(b, &i.NumVal)
+}
+
+// MarshalJSON implements the json.Marshaller interface.
+func (i Uint8OrString) MarshalJSON() ([]byte, error) {
+ if num, err := i.NumValue(); err == nil {
+ return json.Marshal(num)
+ } else {
+ return json.Marshal(i.StrVal)
+ }
+}
+
+// String returns the string value, or the Itoa of the int value.
+func (i Uint8OrString) String() string { + if i.Type == NumOrStringString { + return i.StrVal + } + return strconv.FormatUint(uint64(i.NumVal), 10) +} + +// NumValue returns the NumVal if type Int, or if +// it is a String, will attempt a conversion to int. +func (i Uint8OrString) NumValue() (uint8, error) { + if i.Type == NumOrStringString { + num, err := strconv.ParseUint(i.StrVal, 10, 8) + return uint8(num), err + } + return i.NumVal, nil +} diff --git a/pkg/apis/network/v1alpha1/v1alpha1_suite_test.go b/pkg/apis/network/v1alpha1/v1alpha1_suite_test.go index 2206160be..89259b456 100644 --- a/pkg/apis/network/v1alpha1/v1alpha1_suite_test.go +++ b/pkg/apis/network/v1alpha1/v1alpha1_suite_test.go @@ -33,7 +33,7 @@ var c client.Client func TestMain(m *testing.M) { t := &envtest.Environment{ - CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "..", "config", "crds")}, + CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "..", "config", "mannual-crds")}, } err := SchemeBuilder.AddToScheme(scheme.Scheme) diff --git a/pkg/apis/network/v1alpha1/workspacenetworkpolicy_types.go b/pkg/apis/network/v1alpha1/workspacenetworkpolicy_types.go index c27b3bdad..ba37f7df2 100644 --- a/pkg/apis/network/v1alpha1/workspacenetworkpolicy_types.go +++ b/pkg/apis/network/v1alpha1/workspacenetworkpolicy_types.go @@ -75,6 +75,7 @@ type WorkspaceNetworkPolicyStatus struct { // WorkspaceNetworkPolicy is a set of network policies applied to the scope to workspace // +k8s:openapi-gen=true +// +kubebuilder:resource:categories="networking",scope="Cluster",shortName="wsnp" type WorkspaceNetworkPolicy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` diff --git a/pkg/apis/network/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/network/v1alpha1/zz_generated.deepcopy.go index d01da1d0a..c5165f75c 100644 --- a/pkg/apis/network/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/network/v1alpha1/zz_generated.deepcopy.go 
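Review bot: `UnmarshalJSON` reads `b[0]` before checking the length, so a direct call with an empty slice panics with an index out of range; guarding the branch as `if len(b) > 0 && b[0] == '"' {` lets the empty case fall through to `json.Unmarshal`, which returns an ordinary error instead. encoding/json does not normally hand an unmarshaler empty input, but this type is part of a CRD decoded from API-server payloads, and a panic in a controller or webhook is a crash path rather than a validation failure. Separately, `i.Type = NumOrStringNum` is assigned before the final `json.Unmarshal`, so when that decode fails (for example a value that does not fit a uint8) the receiver is left with Type changed and NumVal untouched; setting Type only after a successful decode keeps the receiver consistent on error. Minor style points: the `else` after the terminating `return` in `MarshalJSON` can be dropped, and the type comment spells `UInt8OrString` while the identifier is `Uint8OrString`, so godoc will not link them.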
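Review bot: The new CRD directory name `mannual-crds` in the `CRDDirectoryPaths` entry reads as a misspelling of `manual-crds`; if the directory under `config/` is genuinely spelled that way the test is consistent, but otherwise envtest starts with no CRDs loaded and every test in this suite fails at setup. The diffstat truncates the CRD file paths, so this is worth confirming against the directory added in the same commit. `TestMain` continues past the end of the hunk.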
@@ -21,11 +21,282 @@ limitations under the License. package v1alpha1 import ( - "k8s.io/api/networking/v1" + "k8s.io/api/core/v1" + networkingv1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" + "kubesphere.io/kubesphere/pkg/apis/network/v1alpha1/numorstring" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EntityRule) DeepCopyInto(out *EntityRule) { + *out = *in + if in.Nets != nil { + in, out := &in.Nets, &out.Nets + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Ports != nil { + in, out := &in.Ports, &out.Ports + *out = make([]numorstring.Port, len(*in)) + copy(*out, *in) + } + if in.NotNets != nil { + in, out := &in.NotNets, &out.NotNets + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.NotPorts != nil { + in, out := &in.NotPorts, &out.NotPorts + *out = make([]numorstring.Port, len(*in)) + copy(*out, *in) + } + if in.ServiceAccounts != nil { + in, out := &in.ServiceAccounts, &out.ServiceAccounts + *out = new(ServiceAccountMatch) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EntityRule. +func (in *EntityRule) DeepCopy() *EntityRule { + if in == nil { + return nil + } + out := new(EntityRule) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTTPMatch) DeepCopyInto(out *HTTPMatch) { + *out = *in + if in.Methods != nil { + in, out := &in.Methods, &out.Methods + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Paths != nil { + in, out := &in.Paths, &out.Paths + *out = make([]HTTPPath, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPMatch. 
+func (in *HTTPMatch) DeepCopy() *HTTPMatch { + if in == nil { + return nil + } + out := new(HTTPMatch) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTTPPath) DeepCopyInto(out *HTTPPath) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPPath. +func (in *HTTPPath) DeepCopy() *HTTPPath { + if in == nil { + return nil + } + out := new(HTTPPath) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ICMPFields) DeepCopyInto(out *ICMPFields) { + *out = *in + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(int) + **out = **in + } + if in.Code != nil { + in, out := &in.Code, &out.Code + *out = new(int) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ICMPFields. +func (in *ICMPFields) DeepCopy() *ICMPFields { + if in == nil { + return nil + } + out := new(ICMPFields) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NamespaceNetworkPolicy) DeepCopyInto(out *NamespaceNetworkPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceNetworkPolicy. +func (in *NamespaceNetworkPolicy) DeepCopy() *NamespaceNetworkPolicy { + if in == nil { + return nil + } + out := new(NamespaceNetworkPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *NamespaceNetworkPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NamespaceNetworkPolicyList) DeepCopyInto(out *NamespaceNetworkPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + out.ListMeta = in.ListMeta + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]NamespaceNetworkPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceNetworkPolicyList. +func (in *NamespaceNetworkPolicyList) DeepCopy() *NamespaceNetworkPolicyList { + if in == nil { + return nil + } + out := new(NamespaceNetworkPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *NamespaceNetworkPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *NamespaceNetworkPolicySpec) DeepCopyInto(out *NamespaceNetworkPolicySpec) { + *out = *in + if in.Order != nil { + in, out := &in.Order, &out.Order + *out = new(int) + **out = **in + } + if in.Ingress != nil { + in, out := &in.Ingress, &out.Ingress + *out = make([]Rule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Egress != nil { + in, out := &in.Egress, &out.Egress + *out = make([]Rule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Types != nil { + in, out := &in.Types, &out.Types + *out = make([]PolicyType, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceNetworkPolicySpec. +func (in *NamespaceNetworkPolicySpec) DeepCopy() *NamespaceNetworkPolicySpec { + if in == nil { + return nil + } + out := new(NamespaceNetworkPolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Rule) DeepCopyInto(out *Rule) { + *out = *in + if in.IPVersion != nil { + in, out := &in.IPVersion, &out.IPVersion + *out = new(int) + **out = **in + } + if in.Protocol != nil { + in, out := &in.Protocol, &out.Protocol + *out = new(v1.Protocol) + **out = **in + } + if in.ICMP != nil { + in, out := &in.ICMP, &out.ICMP + *out = new(ICMPFields) + (*in).DeepCopyInto(*out) + } + if in.NotProtocol != nil { + in, out := &in.NotProtocol, &out.NotProtocol + *out = new(v1.Protocol) + **out = **in + } + if in.NotICMP != nil { + in, out := &in.NotICMP, &out.NotICMP + *out = new(ICMPFields) + (*in).DeepCopyInto(*out) + } + in.Source.DeepCopyInto(&out.Source) + in.Destination.DeepCopyInto(&out.Destination) + if in.HTTP != nil { + in, out := &in.HTTP, &out.HTTP + *out = new(HTTPMatch) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule. 
+func (in *Rule) DeepCopy() *Rule { + if in == nil { + return nil + } + out := new(Rule) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServiceAccountMatch) DeepCopyInto(out *ServiceAccountMatch) { + *out = *in + if in.Names != nil { + in, out := &in.Names, &out.Names + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountMatch. +func (in *ServiceAccountMatch) DeepCopy() *ServiceAccountMatch { + if in == nil { + return nil + } + out := new(ServiceAccountMatch) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *WorkspaceNetworkPolicy) DeepCopyInto(out *WorkspaceNetworkPolicy) { *out = *in @@ -58,7 +329,7 @@ func (in *WorkspaceNetworkPolicyEgressRule) DeepCopyInto(out *WorkspaceNetworkPo *out = *in if in.Ports != nil { in, out := &in.Ports, &out.Ports - *out = make([]v1.NetworkPolicyPort, len(*in)) + *out = make([]networkingv1.NetworkPolicyPort, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } @@ -87,7 +358,7 @@ func (in *WorkspaceNetworkPolicyIngressRule) DeepCopyInto(out *WorkspaceNetworkP *out = *in if in.Ports != nil { in, out := &in.Ports, &out.Ports - *out = make([]v1.NetworkPolicyPort, len(*in)) + *out = make([]networkingv1.NetworkPolicyPort, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } @@ -169,7 +440,7 @@ func (in *WorkspaceNetworkPolicySpec) DeepCopyInto(out *WorkspaceNetworkPolicySp *out = *in if in.PolicyTypes != nil { in, out := &in.PolicyTypes, &out.PolicyTypes - *out = make([]v1.PolicyType, len(*in)) + *out = make([]networkingv1.PolicyType, len(*in)) copy(*out, *in) } if in.Ingress != nil { 
diff --git a/pkg/client/clientset/versioned/clientset.go b/pkg/client/clientset/versioned/clientset.go index 4ae271d29..e31f50f9a 100644 --- a/pkg/client/clientset/versioned/clientset.go +++ b/pkg/client/clientset/versioned/clientset.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package versioned diff --git a/pkg/client/clientset/versioned/doc.go b/pkg/client/clientset/versioned/doc.go index 41721ca52..8be386a88 100644 --- a/pkg/client/clientset/versioned/doc.go +++ b/pkg/client/clientset/versioned/doc.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. // This package has the automatically generated clientset. diff --git a/pkg/client/clientset/versioned/fake/clientset_generated.go b/pkg/client/clientset/versioned/fake/clientset_generated.go index 6e063c05c..80631ec79 100644 --- a/pkg/client/clientset/versioned/fake/clientset_generated.go +++ b/pkg/client/clientset/versioned/fake/clientset_generated.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
@@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package fake diff --git a/pkg/client/clientset/versioned/fake/doc.go b/pkg/client/clientset/versioned/fake/doc.go index 9b99e7167..9e063a013 100644 --- a/pkg/client/clientset/versioned/fake/doc.go +++ b/pkg/client/clientset/versioned/fake/doc.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. // This package has the automatically generated fake clientset. diff --git a/pkg/client/clientset/versioned/fake/register.go b/pkg/client/clientset/versioned/fake/register.go index 6602ca986..8b9472e64 100644 --- a/pkg/client/clientset/versioned/fake/register.go +++ b/pkg/client/clientset/versioned/fake/register.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package fake diff --git a/pkg/client/clientset/versioned/scheme/doc.go b/pkg/client/clientset/versioned/scheme/doc.go index 7dc375616..2f8af7120 100644 --- a/pkg/client/clientset/versioned/scheme/doc.go +++ b/pkg/client/clientset/versioned/scheme/doc.go 
@@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. // This package contains the scheme of the automatically generated clientset. diff --git a/pkg/client/clientset/versioned/scheme/register.go b/pkg/client/clientset/versioned/scheme/register.go index c8d08cb3b..fbdf40984 100644 --- a/pkg/client/clientset/versioned/scheme/register.go +++ b/pkg/client/clientset/versioned/scheme/register.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package scheme diff --git a/pkg/client/clientset/versioned/typed/network/v1alpha1/doc.go b/pkg/client/clientset/versioned/typed/network/v1alpha1/doc.go index df51baa4d..0758fe107 100644 --- a/pkg/client/clientset/versioned/typed/network/v1alpha1/doc.go +++ b/pkg/client/clientset/versioned/typed/network/v1alpha1/doc.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
@@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. // This package has the automatically generated typed clients. diff --git a/pkg/client/clientset/versioned/typed/network/v1alpha1/fake/doc.go b/pkg/client/clientset/versioned/typed/network/v1alpha1/fake/doc.go index 16f443990..c0deba18d 100644 --- a/pkg/client/clientset/versioned/typed/network/v1alpha1/fake/doc.go +++ b/pkg/client/clientset/versioned/typed/network/v1alpha1/fake/doc.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. // Package fake has the automatically generated clients. diff --git a/pkg/client/clientset/versioned/typed/network/v1alpha1/fake/fake_namespacenetworkpolicy.go b/pkg/client/clientset/versioned/typed/network/v1alpha1/fake/fake_namespacenetworkpolicy.go new file mode 100644 index 000000000..b123a8cc0 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/network/v1alpha1/fake/fake_namespacenetworkpolicy.go 
@@ -0,0 +1,127 @@ +/* +Copyright 2019 The KubeSphere authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" + v1alpha1 "kubesphere.io/kubesphere/pkg/apis/network/v1alpha1" +) + +// FakeNamespaceNetworkPolicies implements NamespaceNetworkPolicyInterface +type FakeNamespaceNetworkPolicies struct { + Fake *FakeNetworkV1alpha1 + ns string +} + +var namespacenetworkpoliciesResource = schema.GroupVersionResource{Group: "network.kubesphere.io", Version: "v1alpha1", Resource: "namespacenetworkpolicies"} + +var namespacenetworkpoliciesKind = schema.GroupVersionKind{Group: "network.kubesphere.io", Version: "v1alpha1", Kind: "NamespaceNetworkPolicy"} + +// Get takes name of the namespaceNetworkPolicy, and returns the corresponding namespaceNetworkPolicy object, and an error if there is any. +func (c *FakeNamespaceNetworkPolicies) Get(name string, options v1.GetOptions) (result *v1alpha1.NamespaceNetworkPolicy, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewGetAction(namespacenetworkpoliciesResource, c.ns, name), &v1alpha1.NamespaceNetworkPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.NamespaceNetworkPolicy), err +} + +// List takes label and field selectors, and returns the list of NamespaceNetworkPolicies that match those selectors. +func (c *FakeNamespaceNetworkPolicies) List(opts v1.ListOptions) (result *v1alpha1.NamespaceNetworkPolicyList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(namespacenetworkpoliciesResource, namespacenetworkpoliciesKind, c.ns, opts), &v1alpha1.NamespaceNetworkPolicyList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.NamespaceNetworkPolicyList{ListMeta: obj.(*v1alpha1.NamespaceNetworkPolicyList).ListMeta} + for _, item := range obj.(*v1alpha1.NamespaceNetworkPolicyList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested namespaceNetworkPolicies. +func (c *FakeNamespaceNetworkPolicies) Watch(opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(namespacenetworkpoliciesResource, c.ns, opts)) + +} + +// Create takes the representation of a namespaceNetworkPolicy and creates it. Returns the server's representation of the namespaceNetworkPolicy, and an error, if there is any. +func (c *FakeNamespaceNetworkPolicies) Create(namespaceNetworkPolicy *v1alpha1.NamespaceNetworkPolicy) (result *v1alpha1.NamespaceNetworkPolicy, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewCreateAction(namespacenetworkpoliciesResource, c.ns, namespaceNetworkPolicy), &v1alpha1.NamespaceNetworkPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.NamespaceNetworkPolicy), err +} + +// Update takes the representation of a namespaceNetworkPolicy and updates it. Returns the server's representation of the namespaceNetworkPolicy, and an error, if there is any. +func (c *FakeNamespaceNetworkPolicies) Update(namespaceNetworkPolicy *v1alpha1.NamespaceNetworkPolicy) (result *v1alpha1.NamespaceNetworkPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(namespacenetworkpoliciesResource, c.ns, namespaceNetworkPolicy), &v1alpha1.NamespaceNetworkPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.NamespaceNetworkPolicy), err +} + +// Delete takes name of the namespaceNetworkPolicy and deletes it. Returns an error if one occurs. +func (c *FakeNamespaceNetworkPolicies) Delete(name string, options *v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(namespacenetworkpoliciesResource, c.ns, name), &v1alpha1.NamespaceNetworkPolicy{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeNamespaceNetworkPolicies) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(namespacenetworkpoliciesResource, c.ns, listOptions) + + _, err := c.Fake.Invokes(action, &v1alpha1.NamespaceNetworkPolicyList{}) + return err +} + +// Patch applies the patch and returns the patched namespaceNetworkPolicy. +func (c *FakeNamespaceNetworkPolicies) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.NamespaceNetworkPolicy, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewPatchSubresourceAction(namespacenetworkpoliciesResource, c.ns, name, pt, data, subresources...), &v1alpha1.NamespaceNetworkPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.NamespaceNetworkPolicy), err +} diff --git a/pkg/client/clientset/versioned/typed/network/v1alpha1/fake/fake_network_client.go b/pkg/client/clientset/versioned/typed/network/v1alpha1/fake/fake_network_client.go index 0588efd8e..52430ee99 100644 --- a/pkg/client/clientset/versioned/typed/network/v1alpha1/fake/fake_network_client.go +++ b/pkg/client/clientset/versioned/typed/network/v1alpha1/fake/fake_network_client.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package fake @@ -28,6 +27,10 @@ type FakeNetworkV1alpha1 struct { *testing.Fake } +func (c *FakeNetworkV1alpha1) NamespaceNetworkPolicies(namespace string) v1alpha1.NamespaceNetworkPolicyInterface { + return &FakeNamespaceNetworkPolicies{c, namespace} +} + func (c *FakeNetworkV1alpha1) WorkspaceNetworkPolicies() v1alpha1.WorkspaceNetworkPolicyInterface { return &FakeWorkspaceNetworkPolicies{c} } diff --git a/pkg/client/clientset/versioned/typed/network/v1alpha1/fake/fake_workspacenetworkpolicy.go b/pkg/client/clientset/versioned/typed/network/v1alpha1/fake/fake_workspacenetworkpolicy.go index 499c730fa..98082e909 100644 --- a/pkg/client/clientset/versioned/typed/network/v1alpha1/fake/fake_workspacenetworkpolicy.go +++ b/pkg/client/clientset/versioned/typed/network/v1alpha1/fake/fake_workspacenetworkpolicy.go 
@@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package fake diff --git a/pkg/client/clientset/versioned/typed/network/v1alpha1/generated_expansion.go b/pkg/client/clientset/versioned/typed/network/v1alpha1/generated_expansion.go index 526e35bb5..aef56f99d 100644 --- a/pkg/client/clientset/versioned/typed/network/v1alpha1/generated_expansion.go +++ b/pkg/client/clientset/versioned/typed/network/v1alpha1/generated_expansion.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,9 +13,10 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package v1alpha1 +type NamespaceNetworkPolicyExpansion interface{} + type WorkspaceNetworkPolicyExpansion interface{} diff --git a/pkg/client/clientset/versioned/typed/network/v1alpha1/namespacenetworkpolicy.go b/pkg/client/clientset/versioned/typed/network/v1alpha1/namespacenetworkpolicy.go new file mode 100644 index 000000000..235708b25 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/network/v1alpha1/namespacenetworkpolicy.go 
@@ -0,0 +1,173 @@ +/* +Copyright 2019 The KubeSphere authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "time" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" + v1alpha1 "kubesphere.io/kubesphere/pkg/apis/network/v1alpha1" + scheme "kubesphere.io/kubesphere/pkg/client/clientset/versioned/scheme" +) + +// NamespaceNetworkPoliciesGetter has a method to return a NamespaceNetworkPolicyInterface. +// A group's client should implement this interface. +type NamespaceNetworkPoliciesGetter interface { + NamespaceNetworkPolicies(namespace string) NamespaceNetworkPolicyInterface +} + +// NamespaceNetworkPolicyInterface has methods to work with NamespaceNetworkPolicy resources. 
+type NamespaceNetworkPolicyInterface interface { + Create(*v1alpha1.NamespaceNetworkPolicy) (*v1alpha1.NamespaceNetworkPolicy, error) + Update(*v1alpha1.NamespaceNetworkPolicy) (*v1alpha1.NamespaceNetworkPolicy, error) + Delete(name string, options *v1.DeleteOptions) error + DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error + Get(name string, options v1.GetOptions) (*v1alpha1.NamespaceNetworkPolicy, error) + List(opts v1.ListOptions) (*v1alpha1.NamespaceNetworkPolicyList, error) + Watch(opts v1.ListOptions) (watch.Interface, error) + Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.NamespaceNetworkPolicy, err error) + NamespaceNetworkPolicyExpansion +} + +// namespaceNetworkPolicies implements NamespaceNetworkPolicyInterface +type namespaceNetworkPolicies struct { + client rest.Interface + ns string +} + +// newNamespaceNetworkPolicies returns a NamespaceNetworkPolicies +func newNamespaceNetworkPolicies(c *NetworkV1alpha1Client, namespace string) *namespaceNetworkPolicies { + return &namespaceNetworkPolicies{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the namespaceNetworkPolicy, and returns the corresponding namespaceNetworkPolicy object, and an error if there is any. +func (c *namespaceNetworkPolicies) Get(name string, options v1.GetOptions) (result *v1alpha1.NamespaceNetworkPolicy, err error) { + result = &v1alpha1.NamespaceNetworkPolicy{} + err = c.client.Get(). + Namespace(c.ns). + Resource("namespacenetworkpolicies"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of NamespaceNetworkPolicies that match those selectors. 
+func (c *namespaceNetworkPolicies) List(opts v1.ListOptions) (result *v1alpha1.NamespaceNetworkPolicyList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.NamespaceNetworkPolicyList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("namespacenetworkpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested namespaceNetworkPolicies. +func (c *namespaceNetworkPolicies) Watch(opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("namespacenetworkpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch() +} + +// Create takes the representation of a namespaceNetworkPolicy and creates it. Returns the server's representation of the namespaceNetworkPolicy, and an error, if there is any. +func (c *namespaceNetworkPolicies) Create(namespaceNetworkPolicy *v1alpha1.NamespaceNetworkPolicy) (result *v1alpha1.NamespaceNetworkPolicy, err error) { + result = &v1alpha1.NamespaceNetworkPolicy{} + err = c.client.Post(). + Namespace(c.ns). + Resource("namespacenetworkpolicies"). + Body(namespaceNetworkPolicy). + Do(). + Into(result) + return +} + +// Update takes the representation of a namespaceNetworkPolicy and updates it. Returns the server's representation of the namespaceNetworkPolicy, and an error, if there is any. +func (c *namespaceNetworkPolicies) Update(namespaceNetworkPolicy *v1alpha1.NamespaceNetworkPolicy) (result *v1alpha1.NamespaceNetworkPolicy, err error) { + result = &v1alpha1.NamespaceNetworkPolicy{} + err = c.client.Put(). + Namespace(c.ns). + Resource("namespacenetworkpolicies"). 
+ Name(namespaceNetworkPolicy.Name). + Body(namespaceNetworkPolicy). + Do(). + Into(result) + return +} + +// Delete takes name of the namespaceNetworkPolicy and deletes it. Returns an error if one occurs. +func (c *namespaceNetworkPolicies) Delete(name string, options *v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("namespacenetworkpolicies"). + Name(name). + Body(options). + Do(). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *namespaceNetworkPolicies) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error { + var timeout time.Duration + if listOptions.TimeoutSeconds != nil { + timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("namespacenetworkpolicies"). + VersionedParams(&listOptions, scheme.ParameterCodec). + Timeout(timeout). + Body(options). + Do(). + Error() +} + +// Patch applies the patch and returns the patched namespaceNetworkPolicy. +func (c *namespaceNetworkPolicies) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.NamespaceNetworkPolicy, err error) { + result = &v1alpha1.NamespaceNetworkPolicy{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("namespacenetworkpolicies"). + SubResource(subresources...). + Name(name). + Body(data). + Do(). + Into(result) + return +} diff --git a/pkg/client/clientset/versioned/typed/network/v1alpha1/network_client.go b/pkg/client/clientset/versioned/typed/network/v1alpha1/network_client.go index 9319c616b..dd23a5aa5 100644 --- a/pkg/client/clientset/versioned/typed/network/v1alpha1/network_client.go +++ b/pkg/client/clientset/versioned/typed/network/v1alpha1/network_client.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
@@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package v1alpha1 @@ -27,6 +26,7 @@ import ( type NetworkV1alpha1Interface interface { RESTClient() rest.Interface + NamespaceNetworkPoliciesGetter WorkspaceNetworkPoliciesGetter } @@ -35,6 +35,10 @@ type NetworkV1alpha1Client struct { restClient rest.Interface } +func (c *NetworkV1alpha1Client) NamespaceNetworkPolicies(namespace string) NamespaceNetworkPolicyInterface { + return newNamespaceNetworkPolicies(c, namespace) +} + func (c *NetworkV1alpha1Client) WorkspaceNetworkPolicies() WorkspaceNetworkPolicyInterface { return newWorkspaceNetworkPolicies(c) } diff --git a/pkg/client/clientset/versioned/typed/network/v1alpha1/workspacenetworkpolicy.go b/pkg/client/clientset/versioned/typed/network/v1alpha1/workspacenetworkpolicy.go index 3b4f29f80..da5da8e41 100644 --- a/pkg/client/clientset/versioned/typed/network/v1alpha1/workspacenetworkpolicy.go +++ b/pkg/client/clientset/versioned/typed/network/v1alpha1/workspacenetworkpolicy.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package v1alpha1 diff --git a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/doc.go b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/doc.go index baaf2d985..1aafde275 100644 --- a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/doc.go +++ b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/doc.go 
@@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. // This package has the automatically generated typed clients. diff --git a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/doc.go b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/doc.go index 16f443990..c0deba18d 100644 --- a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/doc.go +++ b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/doc.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. // Package fake has the automatically generated clients. diff --git a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/fake_servicemesh_client.go b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/fake_servicemesh_client.go index ec4457300..b3b9bf5ed 100644 --- a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/fake_servicemesh_client.go +++ b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/fake_servicemesh_client.go 
@@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package fake diff --git a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/fake_servicepolicy.go b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/fake_servicepolicy.go index 8f87ef5d2..5070b2d2c 100644 --- a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/fake_servicepolicy.go +++ b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/fake_servicepolicy.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package fake diff --git a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/fake_strategy.go b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/fake_strategy.go index bd0e35db0..fbeaf97db 100644 --- a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/fake_strategy.go +++ b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/fake/fake_strategy.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
@@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package fake diff --git a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/generated_expansion.go b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/generated_expansion.go index 6a004902e..f1a82f0a2 100644 --- a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/generated_expansion.go +++ b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/generated_expansion.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package v1alpha2 diff --git a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/servicemesh_client.go b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/servicemesh_client.go index 706f88184..65251f36d 100644 --- a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/servicemesh_client.go +++ b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/servicemesh_client.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package v1alpha2 
diff --git a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/servicepolicy.go b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/servicepolicy.go index fcf600c82..d9535e7c3 100644 --- a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/servicepolicy.go +++ b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/servicepolicy.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package v1alpha2 diff --git a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/strategy.go b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/strategy.go index 3865d3945..42aad3724 100644 --- a/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/strategy.go +++ b/pkg/client/clientset/versioned/typed/servicemesh/v1alpha2/strategy.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package v1alpha2 diff --git a/pkg/client/clientset/versioned/typed/tenant/v1alpha1/doc.go b/pkg/client/clientset/versioned/typed/tenant/v1alpha1/doc.go index df51baa4d..0758fe107 100644 --- a/pkg/client/clientset/versioned/typed/tenant/v1alpha1/doc.go +++ b/pkg/client/clientset/versioned/typed/tenant/v1alpha1/doc.go 
@@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. // This package has the automatically generated typed clients. diff --git a/pkg/client/clientset/versioned/typed/tenant/v1alpha1/fake/doc.go b/pkg/client/clientset/versioned/typed/tenant/v1alpha1/fake/doc.go index 16f443990..c0deba18d 100644 --- a/pkg/client/clientset/versioned/typed/tenant/v1alpha1/fake/doc.go +++ b/pkg/client/clientset/versioned/typed/tenant/v1alpha1/fake/doc.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. // Package fake has the automatically generated clients. diff --git a/pkg/client/clientset/versioned/typed/tenant/v1alpha1/fake/fake_tenant_client.go b/pkg/client/clientset/versioned/typed/tenant/v1alpha1/fake/fake_tenant_client.go index d03420083..63a46f7b9 100644 --- a/pkg/client/clientset/versioned/typed/tenant/v1alpha1/fake/fake_tenant_client.go +++ b/pkg/client/clientset/versioned/typed/tenant/v1alpha1/fake/fake_tenant_client.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
@@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package fake diff --git a/pkg/client/clientset/versioned/typed/tenant/v1alpha1/fake/fake_workspace.go b/pkg/client/clientset/versioned/typed/tenant/v1alpha1/fake/fake_workspace.go index 8fa605f1e..212ab20c9 100644 --- a/pkg/client/clientset/versioned/typed/tenant/v1alpha1/fake/fake_workspace.go +++ b/pkg/client/clientset/versioned/typed/tenant/v1alpha1/fake/fake_workspace.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package fake diff --git a/pkg/client/clientset/versioned/typed/tenant/v1alpha1/generated_expansion.go b/pkg/client/clientset/versioned/typed/tenant/v1alpha1/generated_expansion.go index 1a06574e0..5e43bc6be 100644 --- a/pkg/client/clientset/versioned/typed/tenant/v1alpha1/generated_expansion.go +++ b/pkg/client/clientset/versioned/typed/tenant/v1alpha1/generated_expansion.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package v1alpha1 
diff --git a/pkg/client/clientset/versioned/typed/tenant/v1alpha1/tenant_client.go b/pkg/client/clientset/versioned/typed/tenant/v1alpha1/tenant_client.go index a58e5cc8c..65e813017 100644 --- a/pkg/client/clientset/versioned/typed/tenant/v1alpha1/tenant_client.go +++ b/pkg/client/clientset/versioned/typed/tenant/v1alpha1/tenant_client.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package v1alpha1 diff --git a/pkg/client/clientset/versioned/typed/tenant/v1alpha1/workspace.go b/pkg/client/clientset/versioned/typed/tenant/v1alpha1/workspace.go index 4c5722c43..d0d08e572 100644 --- a/pkg/client/clientset/versioned/typed/tenant/v1alpha1/workspace.go +++ b/pkg/client/clientset/versioned/typed/tenant/v1alpha1/workspace.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by client-gen. DO NOT EDIT. package v1alpha1 diff --git a/pkg/client/informers/externalversions/factory.go b/pkg/client/informers/externalversions/factory.go index dc0a9de93..a4f7bbf00 100644 --- a/pkg/client/informers/externalversions/factory.go +++ b/pkg/client/informers/externalversions/factory.go 
@@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by informer-gen. DO NOT EDIT. package externalversions diff --git a/pkg/client/informers/externalversions/generic.go b/pkg/client/informers/externalversions/generic.go index a0317ce7a..b71c15b43 100644 --- a/pkg/client/informers/externalversions/generic.go +++ b/pkg/client/informers/externalversions/generic.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by informer-gen. DO NOT EDIT. package externalversions @@ -55,6 +54,8 @@ func (f *genericInformer) Lister() cache.GenericLister { func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) { switch resource { // Group=network.kubesphere.io, Version=v1alpha1 + case v1alpha1.SchemeGroupVersion.WithResource("namespacenetworkpolicies"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Network().V1alpha1().NamespaceNetworkPolicies().Informer()}, nil case v1alpha1.SchemeGroupVersion.WithResource("workspacenetworkpolicies"): return &genericInformer{resource: resource.GroupResource(), informer: f.Network().V1alpha1().WorkspaceNetworkPolicies().Informer()}, nil 
diff --git a/pkg/client/informers/externalversions/internalinterfaces/factory_interfaces.go b/pkg/client/informers/externalversions/internalinterfaces/factory_interfaces.go index bc3f8aec1..43be13cfa 100644 --- a/pkg/client/informers/externalversions/internalinterfaces/factory_interfaces.go +++ b/pkg/client/informers/externalversions/internalinterfaces/factory_interfaces.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by informer-gen. DO NOT EDIT. package internalinterfaces diff --git a/pkg/client/informers/externalversions/network/interface.go b/pkg/client/informers/externalversions/network/interface.go index 83232bcd6..f501d957a 100644 --- a/pkg/client/informers/externalversions/network/interface.go +++ b/pkg/client/informers/externalversions/network/interface.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by informer-gen. DO NOT EDIT. package network diff --git a/pkg/client/informers/externalversions/network/v1alpha1/interface.go b/pkg/client/informers/externalversions/network/v1alpha1/interface.go index 34158dc3c..6e6260f87 100644 --- a/pkg/client/informers/externalversions/network/v1alpha1/interface.go +++ b/pkg/client/informers/externalversions/network/v1alpha1/interface.go 
@@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by informer-gen. DO NOT EDIT. package v1alpha1 @@ -24,6 +23,8 @@ import ( // Interface provides access to all the informers in this group version. type Interface interface { + // NamespaceNetworkPolicies returns a NamespaceNetworkPolicyInformer. + NamespaceNetworkPolicies() NamespaceNetworkPolicyInformer // WorkspaceNetworkPolicies returns a WorkspaceNetworkPolicyInformer. WorkspaceNetworkPolicies() WorkspaceNetworkPolicyInformer } @@ -39,6 +40,11 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} } +// NamespaceNetworkPolicies returns a NamespaceNetworkPolicyInformer. +func (v *version) NamespaceNetworkPolicies() NamespaceNetworkPolicyInformer { + return &namespaceNetworkPolicyInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // WorkspaceNetworkPolicies returns a WorkspaceNetworkPolicyInformer. func (v *version) WorkspaceNetworkPolicies() WorkspaceNetworkPolicyInformer { return &workspaceNetworkPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} diff --git a/pkg/client/informers/externalversions/network/v1alpha1/namespacenetworkpolicy.go b/pkg/client/informers/externalversions/network/v1alpha1/namespacenetworkpolicy.go new file mode 100644 index 000000000..a64184225 --- /dev/null +++ b/pkg/client/informers/externalversions/network/v1alpha1/namespacenetworkpolicy.go 
@@ -0,0 +1,88 @@ +/* +Copyright 2019 The KubeSphere authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + time "time" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" + networkv1alpha1 "kubesphere.io/kubesphere/pkg/apis/network/v1alpha1" + versioned "kubesphere.io/kubesphere/pkg/client/clientset/versioned" + internalinterfaces "kubesphere.io/kubesphere/pkg/client/informers/externalversions/internalinterfaces" + v1alpha1 "kubesphere.io/kubesphere/pkg/client/listers/network/v1alpha1" +) + +// NamespaceNetworkPolicyInformer provides access to a shared informer and lister for +// NamespaceNetworkPolicies. +type NamespaceNetworkPolicyInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.NamespaceNetworkPolicyLister +} + +type namespaceNetworkPolicyInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewNamespaceNetworkPolicyInformer constructs a new informer for NamespaceNetworkPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewNamespaceNetworkPolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredNamespaceNetworkPolicyInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredNamespaceNetworkPolicyInformer constructs a new informer for NamespaceNetworkPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredNamespaceNetworkPolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.NetworkV1alpha1().NamespaceNetworkPolicies(namespace).List(options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.NetworkV1alpha1().NamespaceNetworkPolicies(namespace).Watch(options) + }, + }, + &networkv1alpha1.NamespaceNetworkPolicy{}, + resyncPeriod, + indexers, + ) +} + +func (f *namespaceNetworkPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredNamespaceNetworkPolicyInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *namespaceNetworkPolicyInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&networkv1alpha1.NamespaceNetworkPolicy{}, f.defaultInformer) +} + +func (f *namespaceNetworkPolicyInformer) Lister() v1alpha1.NamespaceNetworkPolicyLister { + return 
v1alpha1.NewNamespaceNetworkPolicyLister(f.Informer().GetIndexer()) +} diff --git a/pkg/client/informers/externalversions/network/v1alpha1/workspacenetworkpolicy.go b/pkg/client/informers/externalversions/network/v1alpha1/workspacenetworkpolicy.go index b75a52125..945436b6e 100644 --- a/pkg/client/informers/externalversions/network/v1alpha1/workspacenetworkpolicy.go +++ b/pkg/client/informers/externalversions/network/v1alpha1/workspacenetworkpolicy.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by informer-gen. DO NOT EDIT. package v1alpha1 diff --git a/pkg/client/informers/externalversions/servicemesh/interface.go b/pkg/client/informers/externalversions/servicemesh/interface.go index eacae4816..513dd6845 100644 --- a/pkg/client/informers/externalversions/servicemesh/interface.go +++ b/pkg/client/informers/externalversions/servicemesh/interface.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by informer-gen. DO NOT EDIT. package servicemesh diff --git a/pkg/client/informers/externalversions/servicemesh/v1alpha2/interface.go b/pkg/client/informers/externalversions/servicemesh/v1alpha2/interface.go index b36a77d9b..88d463f6b 100644 
--- a/pkg/client/informers/externalversions/servicemesh/v1alpha2/interface.go +++ b/pkg/client/informers/externalversions/servicemesh/v1alpha2/interface.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by informer-gen. DO NOT EDIT. package v1alpha2 diff --git a/pkg/client/informers/externalversions/servicemesh/v1alpha2/servicepolicy.go b/pkg/client/informers/externalversions/servicemesh/v1alpha2/servicepolicy.go index 5da94163a..e073d54b9 100644 --- a/pkg/client/informers/externalversions/servicemesh/v1alpha2/servicepolicy.go +++ b/pkg/client/informers/externalversions/servicemesh/v1alpha2/servicepolicy.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by informer-gen. DO NOT EDIT. package v1alpha2 diff --git a/pkg/client/informers/externalversions/servicemesh/v1alpha2/strategy.go b/pkg/client/informers/externalversions/servicemesh/v1alpha2/strategy.go index 1d92ed5fe..02efb7abd 100644 --- a/pkg/client/informers/externalversions/servicemesh/v1alpha2/strategy.go +++ b/pkg/client/informers/externalversions/servicemesh/v1alpha2/strategy.go 
@@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by informer-gen. DO NOT EDIT. package v1alpha2 diff --git a/pkg/client/informers/externalversions/tenant/interface.go b/pkg/client/informers/externalversions/tenant/interface.go index b797c763a..8cd4c4973 100644 --- a/pkg/client/informers/externalversions/tenant/interface.go +++ b/pkg/client/informers/externalversions/tenant/interface.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by informer-gen. DO NOT EDIT. package tenant diff --git a/pkg/client/informers/externalversions/tenant/v1alpha1/interface.go b/pkg/client/informers/externalversions/tenant/v1alpha1/interface.go index 53f3a7a29..413436448 100644 --- a/pkg/client/informers/externalversions/tenant/v1alpha1/interface.go +++ b/pkg/client/informers/externalversions/tenant/v1alpha1/interface.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
@@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by informer-gen. DO NOT EDIT. package v1alpha1 diff --git a/pkg/client/informers/externalversions/tenant/v1alpha1/workspace.go b/pkg/client/informers/externalversions/tenant/v1alpha1/workspace.go index 13452c962..dcd627acf 100644 --- a/pkg/client/informers/externalversions/tenant/v1alpha1/workspace.go +++ b/pkg/client/informers/externalversions/tenant/v1alpha1/workspace.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by informer-gen. DO NOT EDIT. package v1alpha1 diff --git a/pkg/client/listers/network/v1alpha1/expansion_generated.go b/pkg/client/listers/network/v1alpha1/expansion_generated.go index 19e12fd3d..ec4c78c13 100644 --- a/pkg/client/listers/network/v1alpha1/expansion_generated.go +++ b/pkg/client/listers/network/v1alpha1/expansion_generated.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
@@ -13,11 +13,18 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by lister-gen. DO NOT EDIT. package v1alpha1 +// NamespaceNetworkPolicyListerExpansion allows custom methods to be added to +// NamespaceNetworkPolicyLister. +type NamespaceNetworkPolicyListerExpansion interface{} + +// NamespaceNetworkPolicyNamespaceListerExpansion allows custom methods to be added to +// NamespaceNetworkPolicyNamespaceLister. +type NamespaceNetworkPolicyNamespaceListerExpansion interface{} + // WorkspaceNetworkPolicyListerExpansion allows custom methods to be added to // WorkspaceNetworkPolicyLister. type WorkspaceNetworkPolicyListerExpansion interface{} diff --git a/pkg/client/listers/network/v1alpha1/namespacenetworkpolicy.go b/pkg/client/listers/network/v1alpha1/namespacenetworkpolicy.go new file mode 100644 index 000000000..95f3af0ac --- /dev/null +++ b/pkg/client/listers/network/v1alpha1/namespacenetworkpolicy.go 
@@ -0,0 +1,93 @@ +/* +Copyright 2019 The KubeSphere authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" + v1alpha1 "kubesphere.io/kubesphere/pkg/apis/network/v1alpha1" +) + +// NamespaceNetworkPolicyLister helps list NamespaceNetworkPolicies. +type NamespaceNetworkPolicyLister interface { + // List lists all NamespaceNetworkPolicies in the indexer. + List(selector labels.Selector) (ret []*v1alpha1.NamespaceNetworkPolicy, err error) + // NamespaceNetworkPolicies returns an object that can list and get NamespaceNetworkPolicies. + NamespaceNetworkPolicies(namespace string) NamespaceNetworkPolicyNamespaceLister + NamespaceNetworkPolicyListerExpansion +} + +// namespaceNetworkPolicyLister implements the NamespaceNetworkPolicyLister interface. +type namespaceNetworkPolicyLister struct { + indexer cache.Indexer +} + +// NewNamespaceNetworkPolicyLister returns a new NamespaceNetworkPolicyLister. +func NewNamespaceNetworkPolicyLister(indexer cache.Indexer) NamespaceNetworkPolicyLister { + return &namespaceNetworkPolicyLister{indexer: indexer} +} + +// List lists all NamespaceNetworkPolicies in the indexer. 
+func (s *namespaceNetworkPolicyLister) List(selector labels.Selector) (ret []*v1alpha1.NamespaceNetworkPolicy, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.NamespaceNetworkPolicy)) + }) + return ret, err +} + +// NamespaceNetworkPolicies returns an object that can list and get NamespaceNetworkPolicies. +func (s *namespaceNetworkPolicyLister) NamespaceNetworkPolicies(namespace string) NamespaceNetworkPolicyNamespaceLister { + return namespaceNetworkPolicyNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// NamespaceNetworkPolicyNamespaceLister helps list and get NamespaceNetworkPolicies. +type NamespaceNetworkPolicyNamespaceLister interface { + // List lists all NamespaceNetworkPolicies in the indexer for a given namespace. + List(selector labels.Selector) (ret []*v1alpha1.NamespaceNetworkPolicy, err error) + // Get retrieves the NamespaceNetworkPolicy from the indexer for a given namespace and name. + Get(name string) (*v1alpha1.NamespaceNetworkPolicy, error) + NamespaceNetworkPolicyNamespaceListerExpansion +} + +// namespaceNetworkPolicyNamespaceLister implements the NamespaceNetworkPolicyNamespaceLister +// interface. +type namespaceNetworkPolicyNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all NamespaceNetworkPolicies in the indexer for a given namespace. +func (s namespaceNetworkPolicyNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.NamespaceNetworkPolicy, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.NamespaceNetworkPolicy)) + }) + return ret, err +} + +// Get retrieves the NamespaceNetworkPolicy from the indexer for a given namespace and name. 
+func (s namespaceNetworkPolicyNamespaceLister) Get(name string) (*v1alpha1.NamespaceNetworkPolicy, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("namespacenetworkpolicy"), name) + } + return obj.(*v1alpha1.NamespaceNetworkPolicy), nil +} diff --git a/pkg/client/listers/network/v1alpha1/workspacenetworkpolicy.go b/pkg/client/listers/network/v1alpha1/workspacenetworkpolicy.go index c062a4d14..cd06a1c76 100644 --- a/pkg/client/listers/network/v1alpha1/workspacenetworkpolicy.go +++ b/pkg/client/listers/network/v1alpha1/workspacenetworkpolicy.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by lister-gen. DO NOT EDIT. package v1alpha1 diff --git a/pkg/client/listers/servicemesh/v1alpha2/expansion_generated.go b/pkg/client/listers/servicemesh/v1alpha2/expansion_generated.go index 3583a02d2..8cc0c508f 100644 --- a/pkg/client/listers/servicemesh/v1alpha2/expansion_generated.go +++ b/pkg/client/listers/servicemesh/v1alpha2/expansion_generated.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by lister-gen. DO NOT EDIT. package v1alpha2 
diff --git a/pkg/client/listers/servicemesh/v1alpha2/servicepolicy.go b/pkg/client/listers/servicemesh/v1alpha2/servicepolicy.go index e46c41e58..dbfea984c 100644 --- a/pkg/client/listers/servicemesh/v1alpha2/servicepolicy.go +++ b/pkg/client/listers/servicemesh/v1alpha2/servicepolicy.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by lister-gen. DO NOT EDIT. package v1alpha2 diff --git a/pkg/client/listers/servicemesh/v1alpha2/strategy.go b/pkg/client/listers/servicemesh/v1alpha2/strategy.go index d2a9a86b0..3d9075257 100644 --- a/pkg/client/listers/servicemesh/v1alpha2/strategy.go +++ b/pkg/client/listers/servicemesh/v1alpha2/strategy.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by lister-gen. DO NOT EDIT. package v1alpha2 diff --git a/pkg/client/listers/tenant/v1alpha1/expansion_generated.go b/pkg/client/listers/tenant/v1alpha1/expansion_generated.go index 19b736571..c4f9e8d19 100644 --- a/pkg/client/listers/tenant/v1alpha1/expansion_generated.go +++ b/pkg/client/listers/tenant/v1alpha1/expansion_generated.go 
@@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by lister-gen. DO NOT EDIT. package v1alpha1 diff --git a/pkg/client/listers/tenant/v1alpha1/workspace.go b/pkg/client/listers/tenant/v1alpha1/workspace.go index 1369888c2..9e8b08e3a 100644 --- a/pkg/client/listers/tenant/v1alpha1/workspace.go +++ b/pkg/client/listers/tenant/v1alpha1/workspace.go @@ -1,5 +1,5 @@ /* -Copyright The Kubernetes Authors. +Copyright 2019 The KubeSphere authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ - // Code generated by lister-gen. DO NOT EDIT. package v1alpha1 diff --git a/pkg/controller/network/controllerapi/interface.go b/pkg/controller/network/controllerapi/interface.go new file mode 100644 index 000000000..1c93094f4 --- /dev/null +++ b/pkg/controller/network/controllerapi/interface.go @@ -0,0 +1,6 @@ +package controllerapi + +// Controller expose Run method +type Controller interface { + Run(threadiness int, stopCh <-chan struct{}) error +} diff --git a/pkg/controller/network/doc.go b/pkg/controller/network/doc.go new file mode 100644 index 000000000..5aa1ac406 --- /dev/null +++ b/pkg/controller/network/doc.go 
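Review bot: The only documentation on the new `Controller` interface, `// Controller expose Run method`, tells a caller nothing about the contract it must rely on: judging from the nsnetworkpolicy implementation in this patch, `Run` blocks until `stopCh` is closed, only returns an error when the informer cache fails to sync before any worker is started, and shuts its work queue down on return, so it is not safe to call twice. Suggest replacing the comment with `// Controller is a reconcile loop. Run starts threadiness workers once the informer caches have synced, blocks until stopCh is closed, and returns an error only if that initial sync fails; it must be called at most once.` Whether every implementation honours the "at most once" part is inferred from the one controller visible here and should be confirmed before it is written down.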
@@ -0,0 +1,5 @@
+package network
+
+// +kubebuilder:rbac:groups=network.kubesphere.io,resources=workspacenetworkpolicies;namespacenetworkpolicies,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups:core,resource=namespaces,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups=tenant.kubesphere.io,resources=workspaces,verbs=get;list;watch;create;update;patch;delete
diff --git a/pkg/controller/network/nsnetworkpolicy/controller.go b/pkg/controller/network/nsnetworkpolicy/controller.go
new file mode 100644
index 000000000..7b380aa41
--- /dev/null
+++ b/pkg/controller/network/nsnetworkpolicy/controller.go
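Review bot: The second marker, `// +kubebuilder:rbac:groups:core,resource=namespaces,...`, is malformed — it writes `groups:core` and `resource=` where controller-gen expects `groups=core` and `resources=` — so the generator will either reject the marker or emit no namespaces rule, and the generated ClusterRole silently lacks a permission the marker was meant to declare. The verb sets are also broader than anything visible in this patch: the reconcile loop reads NamespaceNetworkPolicies from a lister and updates their finalizers, and no code here creates or deletes a namespace or a workspace, so `create;update;patch` on namespaces and `create;update;patch;delete` on workspaces should be cut down to what is actually called unless the sibling workspace-policy controller in this package needs them. A least-privilege starting point is `// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch` and `// +kubebuilder:rbac:groups=tenant.kubesphere.io,resources=workspaces,verbs=get;list;watch`, widened only when a caller is added. Conversely, the event recorder in controller.go sinks to the core Events API, which needs `groups=core,resources=events,verbs=create;patch` that no marker here grants; nothing in this patch emits an event yet, so the gap is latent rather than failing today.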
@@ -0,0 +1,177 @@ +package nsnetworkpolicy + +import ( + "fmt" + "time" + + corev1 "k8s.io/api/core/v1" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + "k8s.io/apimachinery/pkg/util/wait" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/kubernetes/scheme" + typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1" + "k8s.io/client-go/tools/cache" + "k8s.io/client-go/tools/record" + "k8s.io/client-go/util/workqueue" + "k8s.io/klog" + "k8s.io/klog/klogr" + kubesphereclient "kubesphere.io/kubesphere/pkg/client/clientset/versioned" + kubespherescheme "kubesphere.io/kubesphere/pkg/client/clientset/versioned/scheme" + networkinformer "kubesphere.io/kubesphere/pkg/client/informers/externalversions/network/v1alpha1" + networklister "kubesphere.io/kubesphere/pkg/client/listers/network/v1alpha1" + "kubesphere.io/kubesphere/pkg/controller/network/controllerapi" + "kubesphere.io/kubesphere/pkg/controller/network/provider" +) + +const controllerAgentName = "nsnp-controller" + +type controller struct { + kubeClientset kubernetes.Interface + kubesphereClientset kubesphereclient.Interface + + nsnpInformer networkinformer.NamespaceNetworkPolicyInformer + nsnpLister networklister.NamespaceNetworkPolicyLister + nsnpSynced cache.InformerSynced + // workqueue is a rate limited work queue. This is used to queue work to be + // processed instead of performing it as soon as a change happens. This + // means we can ensure we only process a fixed amount of resources at a + // time, and makes it easy to ensure we are never processing the same item + // simultaneously in two different workers. + workqueue workqueue.RateLimitingInterface + // recorder is an event recorder for recording Event resources to the + // Kubernetes API. 
+ recorder record.EventRecorder + nsNetworkPolicyProvider provider.NsNetworkPolicyProvider +} + +var ( + log = klogr.New().WithName("Controller").WithValues("Component", controllerAgentName) + errCount = 0 +) + +func NewController(kubeclientset kubernetes.Interface, + kubesphereclientset kubesphereclient.Interface, + nsnpInformer networkinformer.NamespaceNetworkPolicyInformer, + nsNetworkPolicyProvider provider.NsNetworkPolicyProvider) controllerapi.Controller { + utilruntime.Must(kubespherescheme.AddToScheme(scheme.Scheme)) + log.V(4).Info("Creating event broadcaster") + eventBroadcaster := record.NewBroadcaster() + eventBroadcaster.StartLogging(klog.Infof) + eventBroadcaster.StartRecordingToSink(&typedcorev1.EventSinkImpl{Interface: kubeclientset.CoreV1().Events("")}) + recorder := eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{Component: controllerAgentName}) + ctl := &controller{ + kubeClientset: kubeclientset, + kubesphereClientset: kubesphereclientset, + nsnpInformer: nsnpInformer, + nsnpLister: nsnpInformer.Lister(), + nsnpSynced: nsnpInformer.Informer().HasSynced, + nsNetworkPolicyProvider: nsNetworkPolicyProvider, + + workqueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "NamespaceNetworkPolicies"), + recorder: recorder, + } + log.Info("Setting up event handlers") + nsnpInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ + AddFunc: ctl.enqueueNSNP, + UpdateFunc: func(old, new interface{}) { + ctl.enqueueNSNP(new) + }, + DeleteFunc: ctl.enqueueNSNP, + }) + return ctl +} + +func (c *controller) Run(threadiness int, stopCh <-chan struct{}) error { + defer utilruntime.HandleCrash() + defer c.workqueue.ShutDown() + + //init client + + // Start the informer factories to begin populating the informer caches + log.V(1).Info("Starting WSNP controller") + + // Wait for the caches to be synced before starting workers + log.V(2).Info("Waiting for informer caches to sync") + if ok := 
cache.WaitForCacheSync(stopCh, c.nsnpSynced); !ok { + return fmt.Errorf("failed to wait for caches to sync") + } + + log.Info("Starting workers") + // Launch two workers to process Foo resources + for i := 0; i < threadiness; i++ { + go wait.Until(c.runWorker, time.Second, stopCh) + } + + klog.V(2).Info("Started workers") + <-stopCh + log.V(2).Info("Shutting down workers") + return nil +} + +func (c *controller) enqueueNSNP(obj interface{}) { + var key string + var err error + if key, err = cache.MetaNamespaceKeyFunc(obj); err != nil { + utilruntime.HandleError(err) + return + } + c.workqueue.Add(key) +} + +func (c *controller) runWorker() { + for c.processNextWorkItem() { + } +} + +func (c *controller) processNextWorkItem() bool { + obj, shutdown := c.workqueue.Get() + + if shutdown { + return false + } + + // We wrap this block in a func so we can defer c.workqueue.Done. + err := func(obj interface{}) error { + // We call Done here so the workqueue knows we have finished + // processing this item. We also must remember to call Forget if we + // do not want this work item being re-queued. For example, we do + // not call Forget if a transient error occurs, instead the item is + // put back on the workqueue and attempted again after a back-off + // period. + defer c.workqueue.Done(obj) + var key string + var ok bool + // We expect strings to come off the workqueue. These are of the + // form namespace/name. We do this as the delayed nature of the + // workqueue means the items in the informer cache may actually be + // more up to date that when the item was initially put onto the + // workqueue. + if key, ok = obj.(string); !ok { + // As the item in the workqueue is actually invalid, we call + // Forget here else we'd go into a loop of attempting to + // process a work item that is invalid. 
+ c.workqueue.Forget(obj) + utilruntime.HandleError(fmt.Errorf("expected string in workqueue but got %#v", obj)) + return nil + } + // Run the reconcile, passing it the namespace/name string of the + // Foo resource to be synced. + if err := c.reconcile(key); err != nil { + // Put the item back on the workqueue to handle any transient errors. + c.workqueue.AddRateLimited(key) + return fmt.Errorf("error syncing '%s': %s, requeuing", key, err.Error()) + } + // Finally, if no error occurs we Forget this item so it does not + // get queued again until another change happens. + c.workqueue.Forget(obj) + log.Info("Successfully synced", "key", key) + return nil + }(obj) + + if err != nil { + utilruntime.HandleError(err) + return true + } + + return true +} diff --git a/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_suite_test.go b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_suite_test.go new file mode 100644 index 000000000..23e1eda18 --- /dev/null +++ b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_suite_test.go @@ -0,0 +1,21 @@ +package nsnetworkpolicy + +import ( + "flag" + "testing" + + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" + "k8s.io/klog" +) + +func TestNsnetworkpolicy(t *testing.T) { + klog.InitFlags(nil) + flag.Set("logtostderr", "false") + flag.Set("alsologtostderr", "false") + flag.Set("v", "4") + flag.Parse() + klog.SetOutput(GinkgoWriter) + RegisterFailHandler(Fail) + RunSpecs(t, "Nsnetworkpolicy Suite") +} diff --git a/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_test.go b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_test.go new file mode 100644 index 000000000..101fa29ce --- /dev/null +++ b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_test.go 
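Review bot: `DeleteFunc: ctl.enqueueNSNP` routes deletion notifications through `cache.MetaNamespaceKeyFunc`, which does not accept the `cache.DeletedFinalStateUnknown` tombstones the informer delivers after a missed watch event, so those deletes are reported via `HandleError` and dropped; use the tombstone-aware variant in `enqueueNSNP`, `if key, err = cache.DeletionHandlingMetaNamespaceKeyFunc(obj); err != nil {`. `Run` starts `threadiness` workers concurrently but has no guard for `threadiness <= 0`, in which case it blocks on `stopCh` with no worker and no log line, and those workers execute the reconcile path in reconcile.go, which reassigns a package-level `clog` on every call — with more than one worker that is a data race and cross-wires the name/namespace fields between unrelated reconciles, so a `threadiness < 1` check and a per-call local logger are both needed. The event broadcaster created in `NewController` is never `Shutdown()` when `Run` returns, leaking its goroutine in the test harness that starts and stops the controller repeatedly. Minor: the startup message reads `Starting WSNP controller` for the NSNP controller, and the package-level `errCount` is declared but never used.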
@@ -0,0 +1,93 @@ +package nsnetworkpolicy + +import ( + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/tools/record" + "kubesphere.io/kubesphere/pkg/apis/network/v1alpha1" + nsnplister "kubesphere.io/kubesphere/pkg/client/listers/network/v1alpha1" + "kubesphere.io/kubesphere/pkg/controller/network/controllerapi" + "kubesphere.io/kubesphere/pkg/controller/network/provider" + controllertesting "kubesphere.io/kubesphere/pkg/controller/network/testing" +) + +var ( + fakeControllerBuilder *controllertesting.FakeControllerBuilder + c controllerapi.Controller + stopCh chan struct{} + calicoProvider *provider.FakeCalicoNetworkProvider + nsnpLister nsnplister.NamespaceNetworkPolicyLister +) + +var _ = Describe("Nsnetworkpolicy", func() { + BeforeEach(func() { + fakeControllerBuilder = controllertesting.NewFakeControllerBuilder() + stopCh = make(chan struct{}) + informer, _ := fakeControllerBuilder.NewControllerInformer() + calicoProvider = provider.NewFakeCalicoNetworkProvider() + c = NewController(fakeControllerBuilder.KubeClient, fakeControllerBuilder.KsClient, informer.Network().V1alpha1().NamespaceNetworkPolicies(), calicoProvider) + go informer.Network().V1alpha1().NamespaceNetworkPolicies().Informer().Run(stopCh) + originalController := c.(*controller) + originalController.recorder = &record.FakeRecorder{} + go c.Run(1, stopCh) + nsnpLister = informer.Network().V1alpha1().NamespaceNetworkPolicies().Lister() + }) + + It("Should create a new calico object", func() { + objSrt := `{ + "apiVersion": "network.kubesphere.io/v1alpha1", + "kind": "NetworkPolicy", + "metadata": { + "name": "allow-tcp-6379", + "namespace": "production" + }, + "spec": { + "selector": "color == 'red'", + "ingress": [ + { + "action": "Allow", + "protocol": "TCP", + "source": { + "selector": "color == 'blue'" + }, + "destination": { + "ports": [ + 6379 + ] + } + } + ] + } + }` + obj := &v1alpha1.NamespaceNetworkPolicy{} + 
Expect(controllertesting.StringToObject(objSrt, obj)).ShouldNot(HaveOccurred()) + _, err := fakeControllerBuilder.KsClient.NetworkV1alpha1().NamespaceNetworkPolicies(obj.Namespace).Create(obj) + Expect(err).ShouldNot(HaveOccurred()) + Eventually(func() bool { + exist, _ := calicoProvider.CheckExist(obj) + return exist + }).Should(BeTrue()) + obj, _ = fakeControllerBuilder.KsClient.NetworkV1alpha1().NamespaceNetworkPolicies(obj.Namespace).Get(obj.Name, metav1.GetOptions{}) + Expect(obj.Finalizers).To(HaveLen(1)) + // TestUpdate + newStr := "color == 'green'" + obj.Spec.Selector = newStr + _, err = fakeControllerBuilder.KsClient.NetworkV1alpha1().NamespaceNetworkPolicies(obj.Namespace).Update(obj) + Expect(err).ShouldNot(HaveOccurred()) + Eventually(func() string { + o, err := calicoProvider.Get(obj) + if err != nil { + return err.Error() + } + n := o.(*v1alpha1.NamespaceNetworkPolicy) + return n.Spec.Selector + }).Should(Equal(newStr)) + // TestDelete + Expect(fakeControllerBuilder.KsClient.NetworkV1alpha1().NamespaceNetworkPolicies(obj.Namespace).Delete(obj.Name, &metav1.DeleteOptions{})).ShouldNot(HaveOccurred()) + }) + + AfterEach(func() { + close(stopCh) + }) +}) diff --git a/pkg/controller/network/nsnetworkpolicy/reconcile.go b/pkg/controller/network/nsnetworkpolicy/reconcile.go new file mode 100644 index 000000000..1b65e9c7c --- /dev/null +++ b/pkg/controller/network/nsnetworkpolicy/reconcile.go 
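Review bot: The `// TestDelete` step only asserts that `Delete` returned no error; nothing checks that the controller's deletion path ran — that the finalizer was cleared and the policy disappeared from `calicoProvider` — so a regression in the finalizer/removal branch of reconcile.go would still pass this spec. Add `Eventually(func() bool { exist, _ := calicoProvider.CheckExist(obj); return exist }).Should(BeFalse())` after the Delete; if the fake clientset's tracker removes the object immediately regardless of finalizers (so reconcile only ever observes NotFound), that branch needs its own case that sets `DeletionTimestamp` on the object before the controller sees it. Two smaller points: the fixture JSON declares `"kind": "NetworkPolicy"` but is decoded into a `NamespaceNetworkPolicy`, which the decoder tolerates but will mislead the next reader, and the `Get` after the create discards its error with `_`, so a NotFound there would surface as a nil-pointer panic on `obj.Finalizers` rather than a readable assertion failure.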
@@ -0,0 +1,119 @@
+package nsnetworkpolicy
+
+import (
+ "github.com/go-logr/logr"
+ "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/client-go/tools/cache"
+ "k8s.io/client-go/util/retry"
+ "kubesphere.io/kubesphere/pkg/apis/network/v1alpha1"
+ "kubesphere.io/kubesphere/pkg/controller/network/utils"
+)
+
+const (
+ controllerFinalizier = "nsnp.finalizers.networking.kubesphere.io"
+)
+
+var clog logr.Logger
+
+func (c *controller) reconcile(key string) error {
+ namespace, name, err := cache.SplitMetaNamespaceKey(key)
+ if err != nil {
+ return err
+ }
+ clog = log.WithValues("name", name, "namespace", namespace)
+ clog.V(1).Info("---------Begin to reconcile--------")
+ defer clog.V(1).Info("---------Reconcile done--------")
+ obj, err := c.nsnpLister.NamespaceNetworkPolicies(namespace).Get(name)
+ if err != nil {
+ if errors.IsNotFound(err) {
+ clog.V(2).Info("Object is removed")
+ return nil
+ }
+ clog.Error(err, "Failed to get resource")
+ return err
+ }
+ stop, err := c.addOrRemoveFinalizer(obj)
+ if err != nil {
+ return err
+ }
+ if stop {
+ return nil
+ }
+ clog.V(2).Info("Check if we need a create or update")
+ ok, err := c.nsNetworkPolicyProvider.CheckExist(obj)
+ if err != nil {
+ clog.Error(err, "Failed to check exist of network policy")
+ return err
+ }
+ if !ok {
+ clog.V(1).Info("Create a new object in backend")
+ err = c.nsNetworkPolicyProvider.Add(obj)
+ if err != nil {
+ clog.Error(err, "Failed to create np")
+ return err
+ }
+ return nil
+ }
+
+ needUpdate, err := c.nsNetworkPolicyProvider.NeedUpdate(obj)
+ if err != nil {
+ clog.Error(err, "Failed to check if object need a update")
+ return err
+ }
+ if needUpdate {
+ clog.V(1).Info("Update object in backend")
+ err = c.nsNetworkPolicyProvider.Update(obj)
+ if err != nil {
+ clog.Error(err, "Failed to update object")
+ return err
+ }
+ }
+ return nil
+}
+
+func (c *controller) addOrRemoveFinalizer(obj *v1alpha1.NamespaceNetworkPolicy) (bool, error) {
+ if obj.ObjectMeta.DeletionTimestamp.IsZero() { 
+ if !utils.ContainsString(obj.ObjectMeta.Finalizers, controllerFinalizier) {
+ clog.V(2).Info("Detect no finalizer")
+ obj.ObjectMeta.Finalizers = append(obj.ObjectMeta.Finalizers, controllerFinalizier)
+ err := retry.RetryOnConflict(retry.DefaultBackoff, func() error {
+ _, err := c.kubesphereClientset.NetworkV1alpha1().NamespaceNetworkPolicies(obj.Namespace).Update(obj)
+ return err
+ })
+ if err != nil {
+ clog.Error(err, "Failed to add finalizer")
+ return false, err
+ }
+ return false, nil
+ }
+ } else {
+ // The object is being deleted
+ if utils.ContainsString(obj.ObjectMeta.Finalizers, controllerFinalizier) {
+ // our finalizer is present, so lets handle any external dependency
+ if err := c.deleteProviderNSNP(obj); err != nil {
+ // if fail to delete the external dependency here, return with error
+ // so that it can be retried
+ return false, err
+ }
+ clog.V(2).Info("Removing finalizer")
+ // remove our finalizer from the list and update it.
+ obj.ObjectMeta.Finalizers = utils.RemoveString(obj.ObjectMeta.Finalizers, controllerFinalizier)
+ err := retry.RetryOnConflict(retry.DefaultBackoff, func() error {
+ _, err := c.kubesphereClientset.NetworkV1alpha1().NamespaceNetworkPolicies(obj.Namespace).Update(obj)
+ return err
+ })
+ if err != nil {
+ clog.Error(err, "Failed to remove finalizer")
+ return false, err
+ }
+ return true, nil
+ }
+ }
+ return false, nil
+}
+
+// deleteProviderNSNP delete network policy in the backend
+func (c *controller) deleteProviderNSNP(obj *v1alpha1.NamespaceNetworkPolicy) error {
+ clog.V(2).Info("Deleting backend network policy")
+ return c.nsNetworkPolicyProvider.Delete(obj)
+}
diff --git a/pkg/controller/network/provider/fake_ns_calico.go b/pkg/controller/network/provider/fake_ns_calico.go
new file mode 100644
index 000000000..973343a21
--- /dev/null
+++ b/pkg/controller/network/provider/fake_ns_calico.go
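Review bot: Both `retry.RetryOnConflict` closures in `addOrRemoveFinalizer` re-send the same `obj` on every attempt, so after one Conflict the stale `resourceVersion` is resubmitted until the backoff is exhausted and the finalizer is never written (or, on the deletion side, never removed); the closure has to re-read the object, re-apply the finalizer change and then `Update`. `obj` is also the pointer returned by `c.nsnpLister`, i.e. the shared informer cache, and the in-place `append`/`utils.RemoveString` on `obj.ObjectMeta.Finalizers` mutates that cache; work on `obj.DeepCopy()` or on the freshly read object instead. Separately, `clog` is a package-level variable reassigned at the top of `reconcile`, so with `Run(threadiness > 1)` concurrent workers race on it and log lines get attributed to another key's name/namespace; make it a local (`clog := log.WithValues(...)`) and pass it to `addOrRemoveFinalizer` and `deleteProviderNSNP`. The sketch below shows the add branch; the deletion branch needs the same re-read pattern, and it requires importing `metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`.
```go
func (c *controller) addOrRemoveFinalizer(obj *v1alpha1.NamespaceNetworkPolicy) (bool, error) {
	if obj.ObjectMeta.DeletionTimestamp.IsZero() {
		if !utils.ContainsString(obj.ObjectMeta.Finalizers, controllerFinalizier) {
			clog.V(2).Info("Detect no finalizer")
			err := retry.RetryOnConflict(retry.DefaultBackoff, func() error {
				// Re-read on every attempt: a Conflict can only be resolved with the
				// current resourceVersion, and this also leaves the lister's cached
				// object untouched.
				latest, err := c.kubesphereClientset.NetworkV1alpha1().NamespaceNetworkPolicies(obj.Namespace).Get(obj.Name, metav1.GetOptions{})
				if err != nil {
					return err
				}
				if utils.ContainsString(latest.ObjectMeta.Finalizers, controllerFinalizier) {
					return nil // already added by a previous attempt or another writer
				}
				latest.ObjectMeta.Finalizers = append(latest.ObjectMeta.Finalizers, controllerFinalizier)
				_, err = c.kubesphereClientset.NetworkV1alpha1().NamespaceNetworkPolicies(obj.Namespace).Update(latest)
				return err
			})
			// … unchanged: error logging and the `return false, …` lines …
		}
	} else {
		// … unchanged: deletion branch, same re-read pattern around utils.RemoveString …
	}
	return false, nil
}
```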
@@ -0,0 +1,66 @@
+package provider
+
+import (
+ "reflect"
+
+ "github.com/projectcalico/libcalico-go/lib/errors"
+ "k8s.io/client-go/tools/cache"
+ api "kubesphere.io/kubesphere/pkg/apis/network/v1alpha1"
+)
+
+func NewFakeCalicoNetworkProvider() *FakeCalicoNetworkProvider {
+ f := new(FakeCalicoNetworkProvider)
+ f.NSNPData = make(map[string]*api.NamespaceNetworkPolicy)
+ return f
+}
+
+type FakeCalicoNetworkProvider struct {
+ NSNPData map[string]*api.NamespaceNetworkPolicy
+}
+
+func (f *FakeCalicoNetworkProvider) Get(o *api.NamespaceNetworkPolicy) (interface{}, error) {
+ namespacename, _ := cache.MetaNamespaceKeyFunc(o)
+ obj, ok := f.NSNPData[namespacename]
+ if !ok {
+ return nil, errors.ErrorResourceDoesNotExist{}
+ }
+ return obj, nil
+}
+
+func (f *FakeCalicoNetworkProvider) Add(o *api.NamespaceNetworkPolicy) error {
+ namespacename, _ := cache.MetaNamespaceKeyFunc(o)
+ if _, ok := f.NSNPData[namespacename]; ok {
+ return errors.ErrorResourceAlreadyExists{}
+ }
+ f.NSNPData[namespacename] = o
+ return nil
+}
+
+func (f *FakeCalicoNetworkProvider) CheckExist(o *api.NamespaceNetworkPolicy) (bool, error) {
+ namespacename, _ := cache.MetaNamespaceKeyFunc(o)
+ if _, ok := f.NSNPData[namespacename]; ok {
+ return true, nil
+ }
+ return false, nil
+}
+
+func (f *FakeCalicoNetworkProvider) NeedUpdate(o *api.NamespaceNetworkPolicy) (bool, error) {
+ namespacename, _ := cache.MetaNamespaceKeyFunc(o)
+ store := f.NSNPData[namespacename]
+ if !reflect.DeepEqual(store, o) {
+ return true, nil
+ }
+ return false, nil
+}
+
+func (f *FakeCalicoNetworkProvider) Update(o *api.NamespaceNetworkPolicy) error {
+ namespacename, _ := cache.MetaNamespaceKeyFunc(o)
+ f.NSNPData[namespacename] = o
+ return nil
+}
+
+func (f *FakeCalicoNetworkProvider) Delete(o *api.NamespaceNetworkPolicy) error {
+ namespacename, _ := cache.MetaNamespaceKeyFunc(o)
+ delete(f.NSNPData, namespacename)
+ return nil
+}
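Review bot: `FakeCalicoNetworkProvider.NSNPData` is a plain map with no synchronisation, yet in the accompanying test it is written by the controller's worker goroutine (`Add`/`Update`/`Delete` from reconcile) while the test goroutine polls it through `CheckExist`/`Get` inside `Eventually`; that is a data race `go test -race` will report and that can corrupt the map. Guard the map with a `sync.RWMutex` as sketched below (`sync` needs to be imported). `Add` and `Update` also store the caller's pointer, which is the lister's cached object, so later mutations of that object silently change the "backend" state and make `NeedUpdate`'s `reflect.DeepEqual` compare an object against itself; storing `o.DeepCopy()` keeps the fake's state independent (this assumes the generated deepcopy for the type, which is not visible in this hunk).
```go
type FakeCalicoNetworkProvider struct {
	mu       sync.RWMutex // guards NSNPData: the controller worker writes while the test polls
	NSNPData map[string]*api.NamespaceNetworkPolicy
}

func (f *FakeCalicoNetworkProvider) Get(o *api.NamespaceNetworkPolicy) (interface{}, error) {
	namespacename, _ := cache.MetaNamespaceKeyFunc(o)
	f.mu.RLock()
	defer f.mu.RUnlock()
	// … unchanged: lookup and ErrorResourceDoesNotExist …
}

func (f *FakeCalicoNetworkProvider) Add(o *api.NamespaceNetworkPolicy) error {
	namespacename, _ := cache.MetaNamespaceKeyFunc(o)
	f.mu.Lock()
	defer f.mu.Unlock()
	if _, ok := f.NSNPData[namespacename]; ok {
		return errors.ErrorResourceAlreadyExists{}
	}
	f.NSNPData[namespacename] = o.DeepCopy() // detach from the lister's cached object
	return nil
}

// … unchanged: CheckExist/NeedUpdate take RLock, Update/Delete take Lock; Update stores o.DeepCopy() …
```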
diff --git a/pkg/controller/network/provider/global_np.go b/pkg/controller/network/provider/global_np.go
new file mode 100644
index 000000000..4f504f668
--- /dev/null
+++ b/pkg/controller/network/provider/global_np.go
@@ -0,0 +1 @@
+package provider
diff --git a/pkg/controller/network/provider/namespace_np.go b/pkg/controller/network/provider/namespace_np.go
new file mode 100644
index 000000000..5d63e4a1a
--- /dev/null
+++ b/pkg/controller/network/provider/namespace_np.go
@@ -0,0 +1,35 @@
+package provider
+
+import (
+ k8snetworkinformer "k8s.io/client-go/informers/networking/v1"
+ k8snetworklister "k8s.io/client-go/listers/networking/v1"
+ api "kubesphere.io/kubesphere/pkg/apis/network/v1alpha1"
+)
+
+// NsNetworkPolicyProvider is a interface to let different cnis to implement our api
+type NsNetworkPolicyProvider interface {
+ Add(*api.NamespaceNetworkPolicy) error
+ CheckExist(*api.NamespaceNetworkPolicy) (bool, error)
+ NeedUpdate(*api.NamespaceNetworkPolicy) (bool, error)
+ Update(*api.NamespaceNetworkPolicy) error
+ Delete(*api.NamespaceNetworkPolicy) error
+ Get(*api.NamespaceNetworkPolicy) (interface{}, error)
+}
+
+// TODO: support no-calico CNI
+type k8sNetworkProvider struct {
+ networkPolicyInformer k8snetworkinformer.NetworkPolicyInformer
+ networkPolicyLister k8snetworklister.NetworkPolicyLister
+}
+
+func (k *k8sNetworkProvider) Add(o *api.NamespaceNetworkPolicy) error {
+ return nil
+}
+
+func (k *k8sNetworkProvider) CheckExist(o *api.NamespaceNetworkPolicy) (bool, error) {
+ return false, nil
+}
+
+func (k *k8sNetworkProvider) Delete(o *api.NamespaceNetworkPolicy) error {
+ return nil
+}
diff --git a/pkg/controller/network/provider/ns_calico.go b/pkg/controller/network/provider/ns_calico.go
new file mode 100644
index 000000000..fa7a24bba
--- /dev/null
+++ b/pkg/controller/network/provider/ns_calico.go
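Review bot: The `k8sNetworkProvider` stubs in `namespace_np.go` fail open: `Add` and `Delete` return `nil` without touching the cluster and `CheckExist` always reports `false`, so a controller wired to this provider would log a successful create on every resync while no NetworkPolicy is ever enforced; for a security control, silent success is the wrong default. Until the non-Calico path exists, return an explicit error such as `return fmt.Errorf("k8sNetworkProvider: not implemented")` from each stub (adding the `fmt` import) so the reconciler reports and retries the CR instead of pretending it is applied. The type also does not satisfy `NsNetworkPolicyProvider` (no `NeedUpdate`, `Update` or `Get`), which the compiler only notices once something assigns it; a `var _ NsNetworkPolicyProvider = (*k8sNetworkProvider)(nil)` guard next to the type makes the gap visible now, and the `// TODO: support no-calico CNI` comment should state that the stubs deliberately error rather than succeed.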
@@ -0,0 +1,144 @@
+package provider
+
+import (
+ "context"
+ "encoding/json"
+ "reflect"
+ "time"
+
+ v3 "github.com/projectcalico/libcalico-go/lib/apis/v3"
+ "github.com/projectcalico/libcalico-go/lib/clientv3"
+ "github.com/projectcalico/libcalico-go/lib/errors"
+ "github.com/projectcalico/libcalico-go/lib/options"
+ "k8s.io/apimachinery/pkg/util/wait"
+ "k8s.io/klog/klogr"
+ api "kubesphere.io/kubesphere/pkg/apis/network/v1alpha1"
+)
+
+var log = klogr.New().WithName("calico-client")
+var defaultBackoff = wait.Backoff{
+ Steps: 4,
+ Duration: 10 * time.Millisecond,
+ Factor: 5.0,
+ Jitter: 0.1,
+}
+
+type calicoNetworkProvider struct {
+ np clientv3.NetworkPolicyInterface
+}
+
+func NewCalicoNetworkProvider(np clientv3.NetworkPolicyInterface) NsNetworkPolicyProvider {
+ return &calicoNetworkProvider{
+ np: np,
+ }
+}
+func convertSpec(n *api.NamespaceNetworkPolicySpec) *v3.NetworkPolicySpec {
+ bytes, err := json.Marshal(&n)
+ if err != nil {
+ panic(err)
+ }
+ m := new(v3.NetworkPolicySpec)
+ err = json.Unmarshal(bytes, m)
+ if err != nil {
+ panic(err)
+ }
+ return m
+}
+
+// ConvertAPIToCalico convert our api to calico api
+func ConvertAPIToCalico(n *api.NamespaceNetworkPolicy) *v3.NetworkPolicy {
+ output := v3.NewNetworkPolicy()
+ //Object Metadata
+ output.ObjectMeta.Name = n.Name
+ output.Namespace = n.Namespace
+ output.Annotations = n.Annotations
+ output.Labels = n.Labels
+ //spec
+ output.Spec = *(convertSpec(&n.Spec))
+ return output
+}
+
+func (k *calicoNetworkProvider) Get(o *api.NamespaceNetworkPolicy) (interface{}, error) {
+ return k.np.Get(context.TODO(), o.Namespace, o.Name, options.GetOptions{})
+}
+
+func (k *calicoNetworkProvider) Add(o *api.NamespaceNetworkPolicy) error {
+ log.V(3).Info("Creating network policy", "name", o.Name, "namespace", o.Namespace)
+ obj := ConvertAPIToCalico(o)
+ log.V(4).Info("Show object spe detail", "name", o.Name, "namespace", o.Namespace, "Spec", obj.Spec)
+ _, err := k.np.Create(context.TODO(), obj, 
options.SetOptions{})
+ return err
+}
+
+func (k *calicoNetworkProvider) CheckExist(o *api.NamespaceNetworkPolicy) (bool, error) {
+ log.V(3).Info("Checking network policy whether exsits or not", "name", o.Name, "namespace", o.Namespace)
+ out, err := k.np.Get(context.Background(), o.Namespace, o.Name, options.GetOptions{})
+ if err != nil {
+ if _, ok := err.(errors.ErrorResourceDoesNotExist); ok {
+ return false, nil
+ }
+ return false, err
+ }
+ if out != nil {
+ return true, nil
+ }
+ return false, nil
+}
+
+func (k *calicoNetworkProvider) Delete(o *api.NamespaceNetworkPolicy) error {
+ log.V(3).Info("Deleting network policy", "name", o.Name, "namespace", o.Namespace)
+ _, err := k.np.Delete(context.Background(), o.Namespace, o.Name, options.DeleteOptions{})
+ return err
+}
+
+func (k *calicoNetworkProvider) NeedUpdate(o *api.NamespaceNetworkPolicy) (bool, error) {
+ store, err := k.np.Get(context.Background(), o.Namespace, o.Name, options.GetOptions{})
+ if err != nil {
+ log.Error(err, "Failed to get resource", "name", o.Name, "namespace", o.Namespace)
+ }
+ expected := ConvertAPIToCalico(o)
+ log.V(4).Info("Comparing Spec", "store", store.Spec, "current", expected.Spec)
+ if !reflect.DeepEqual(store.Spec, expected.Spec) {
+ return true, nil
+ }
+ return false, nil
+}
+
+func (k *calicoNetworkProvider) Update(o *api.NamespaceNetworkPolicy) error {
+ log.V(3).Info("Updating network policy", "name", o.Name, "namespace", o.Namespace)
+ updateObject, err := k.Get(o)
+ if err != nil {
+ log.Error(err, "Failed to get resource in store")
+ return err
+ }
+ up := updateObject.(*v3.NetworkPolicy)
+ up.Spec = *convertSpec(&o.Spec)
+ err = RetryOnConflict(defaultBackoff, func() error {
+ _, err := k.np.Update(context.Background(), up, options.SetOptions{})
+ return err
+ })
+ if err != nil {
+ log.Error(err, "Failed to update resource", "name", o.Name, "namespace", o.Namespace)
+ }
+ return err
+}
+
+// RetryOnConflict is same as the function in k8s, but replaced with 
error in calico
+func RetryOnConflict(backoff wait.Backoff, fn func() error) error {
+ var lastConflictErr error
+ err := wait.ExponentialBackoff(backoff, func() (bool, error) {
+ err := fn()
+ if err == nil {
+ return true, nil
+ }
+ if _, ok := err.(errors.ErrorResourceUpdateConflict); ok {
+ lastConflictErr = err
+ return false, nil
+ }
+ return false, err
+ })
+ if err == wait.ErrWaitTimeout {
+ err = lastConflictErr
+ }
+ return err
+}
diff --git a/pkg/controller/network/utils/strings.go b/pkg/controller/network/utils/strings.go
new file mode 100644
index 000000000..86ffcf542
--- /dev/null
+++ b/pkg/controller/network/utils/strings.go
@@ -0,0 +1,22 @@
+package utils
+
+// ContainsString report if s is in a slice
+func ContainsString(slice []string, s string) bool {
+ for _, item := range slice {
+ if item == s {
+ return true
+ }
+ }
+ return false
+}
+
+// RemoveString remove s from slice if exists
+func RemoveString(slice []string, s string) (result []string) {
+ for _, item := range slice {
+ if item == s {
+ continue
+ }
+ result = append(result, item)
+ }
+ return
+}
diff --git a/pkg/controller/network/wsnetworkpolicy/controller.go b/pkg/controller/network/wsnetworkpolicy/controller.go
index 3c358c8df..21fd6e3c9 100644
--- a/pkg/controller/network/wsnetworkpolicy/controller.go
+++ b/pkg/controller/network/wsnetworkpolicy/controller.go
@@ -29,6 +29,7 @@ import (
 workspaceinformer "kubesphere.io/kubesphere/pkg/client/informers/externalversions/tenant/v1alpha1"
 networklister "kubesphere.io/kubesphere/pkg/client/listers/network/v1alpha1"
 workspacelister "kubesphere.io/kubesphere/pkg/client/listers/tenant/v1alpha1"
+ "kubesphere.io/kubesphere/pkg/controller/network/controllerapi"
 )
 const controllerAgentName = "wsnp-controller"
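Review bot: `NeedUpdate` logs a failed `Get` but then dereferences `store.Spec` anyway, so a transient datastore error, or a policy removed out-of-band between `CheckExist` and `NeedUpdate`, leaves `store` nil and panics the whole controller process; add `return false, err` inside that `if err != nil` block. `Delete` has the mirror-image problem: it returns `ErrorResourceDoesNotExist` as a failure, which makes the reconciler's finalizer removal retry forever and leaves the CR stuck in Terminating once the backend policy is already gone; treat it as success the way `CheckExist` does, `if _, ok := err.(errors.ErrorResourceDoesNotExist); ok { return nil }`. `Update` re-sends the same `up` object on every `RetryOnConflict` attempt, so a conflict never clears; the closure should re-`Get` the policy and re-apply `convertSpec` before each `k.np.Update`. Finally, `convertSpec` panics on a JSON round-trip failure of a spec that ultimately comes from an API user; returning an error from the provider would keep one malformed CR from taking down policy enforcement for every namespace (whether the round-trip can actually fail depends on how closely the v1alpha1 spec mirrors Calico's, which is not visible here).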
@@ -38,10 +39,6 @@ var (
 errCount = 0
 )
-// Controller expose Run method
-type Controller interface {
- Run(threadiness int, stopCh <-chan struct{}) error
-}
 type controller struct {
 kubeClientset kubernetes.Interface
 kubesphereClientset kubesphereclient.Interface
@@ -77,7 +74,7 @@ func NewController(kubeclientset kubernetes.Interface,
 wsnpInformer networkinformer.WorkspaceNetworkPolicyInformer,
 networkPolicyInformer k8snetworkinformer.NetworkPolicyInformer,
 namespaceInformer corev1informer.NamespaceInformer,
- workspaceInformer workspaceinformer.WorkspaceInformer) Controller {
+ workspaceInformer workspaceinformer.WorkspaceInformer) controllerapi.Controller {
 utilruntime.Must(kubespherescheme.AddToScheme(scheme.Scheme))
 log.V(4).Info("Creating event broadcaster")
 eventBroadcaster := record.NewBroadcaster()
diff --git a/pkg/controller/network/wsnetworkpolicy/wsnetworkpolicy_test.go b/pkg/controller/network/wsnetworkpolicy/wsnetworkpolicy_test.go
index fc493dc2b..6e9905de1 100644
--- a/pkg/controller/network/wsnetworkpolicy/wsnetworkpolicy_test.go
+++ b/pkg/controller/network/wsnetworkpolicy/wsnetworkpolicy_test.go
@@ -16,12 +16,13 @@ import (
 "k8s.io/klog"
 "kubesphere.io/kubesphere/pkg/apis/network/v1alpha1"
 tenant "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1"
+ "kubesphere.io/kubesphere/pkg/controller/network/controllerapi"
 controllertesting "kubesphere.io/kubesphere/pkg/controller/network/testing"
 )
 var (
 fakeControllerBuilder *controllertesting.FakeControllerBuilder
- c Controller
+ c controllerapi.Controller
 npLister netv1lister.NetworkPolicyLister
 stopCh chan struct{}
 deletePolicy metav1.DeletionPropagation
diff --git a/test/network/OWNERS b/test/network/OWNERS
new file mode 100644
index 000000000..73876c5ab
--- /dev/null
+++ b/test/network/OWNERS
@@ -0,0 +1,13 @@
+approvers:
+ - magicsong
+ - zryfish
+ - zheng1
+
+reviewers:
+ - magicsong
+ - zheng1
+ - zryfish
+
+labels:
+ - area/controller
+ - area/networking
\ No newline at end of file
diff --git a/test/network/manifests/sample1.yaml b/test/network/manifests/sample1.yaml
new file mode 100644
index 000000000..86824155d
--- /dev/null
+++ b/test/network/manifests/sample1.yaml
@@ -0,0 +1,57 @@
+apiVersion: network.kubesphere.io/v1alpha1
+kind: NamespaceNetworkPolicy
+metadata:
+ name: allow-tcp-80
+ namespace: production
+spec:
+ selector: color == 'red'
+ ingress:
+ - action: Allow
+ protocol: TCP
+ source:
+ selector: color == 'blue'
+ # destination:
+ # ports:
+ # - 80
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+ namespace: production
+ labels:
+ name: nginx
+ app: nginx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 1
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ name: nginx
+ app: nginx
+ color : red
+ spec:
+ containers:
+ - image: nginx:alpine
+ name: nginx
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: "20m"
+ memory: "55M"
+ env:
+ - name: ENVVARNAME
+ value: ENVVARVALUE
+ ports:
+ - containerPort: 80
+ name: http
+ restartPolicy: Always
\ No newline at end of file
diff --git a/test/network/manifests/test-job.yaml b/test/network/manifests/test-job.yaml
new file mode 100644
index 000000000..17f4fc21c
--- /dev/null
+++ b/test/network/manifests/test-job.yaml
@@ -0,0 +1,17 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: test-connect
+ namespace: production
+spec:
+ template:
+ metadata:
+ labels:
+ color : blue
+ spec:
+ containers:
+ - name: test-connect
+ image: alpine
+ command: ["ping", "10.17.30.131"]
+ restartPolicy: Never
+ backoffLimit: 1
\ No newline at end of file
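Review bot: The policy in `sample1.yaml` is named `allow-tcp-80` but its `destination.ports` block is commented out, so the rule admits every TCP port from `color == 'blue'` pods to `color == 'red'` pods, not just port 80. Either restore the restriction, `destination:` / `  ports:` / `  - 80`, which is what the `nginx` container on `containerPort: 80` needs, or rename the policy so the sample does not document a broader rule than it claims; a sample that is also used for end-to-end checks should exercise the port restriction, since the port encoding is the part of the spec conversion most likely to regress.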
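Review bot: `test-job.yaml` checks connectivity with `["ping", "10.17.30.131"]`, i.e. ICMP to a hard-coded pod IP, while the policy it is meant to exercise in `sample1.yaml` only allows `protocol: TCP` from the blue pod; if the backend denies traffic that no rule matches once a pod is selected (Calico's behaviour, not visible in this diff), the job fails even when the policy is correct, and the literal IP fails on any other cluster regardless. Probe the nginx pod over TCP through a stable name instead, e.g. `command: ["wget", "-qO-", "-T", "5", "http://nginx.production.svc"]`, which needs a `Service` named `nginx` added to `sample1.yaml`. Pin `image: alpine` to a version tag or digest so the job is reproducible, and consider a second job without the `color: blue` label that must fail, because a policy test that only checks the allow path cannot tell an enforced policy from no policy at all.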