add ns networkpolicy

pkg/apis/network/v1alpha1/common.go

@@ -0,0 +1,170 @@
+package v1alpha1
+
+import (
+	"kubesphere.io/kubesphere/pkg/apis/network/v1alpha1/numorstring"
+	corev1 "k8s.io/api/core/v1"
+)
+
+// A Rule encapsulates a set of match criteria and an action.  Both selector-based security Policy
+// and security Profiles reference rules - separated out as a list of rules for both
+// ingress and egress packet matching.
+//
+// Each positive match criteria has a negated version, prefixed with ”Not”. All the match
+// criteria within a rule must be satisfied for a packet to match. A single rule can contain
+// the positive and negative version of a match and both must be satisfied for the rule to match.
+type Rule struct {
+	Action Action `json:"action" validate:"action"`
+	// IPVersion is an optional field that restricts the rule to only match a specific IP
+	// version.
+	IPVersion *int `json:"ipVersion,omitempty" validate:"omitempty,ipVersion"`
+	// Protocol is an optional field that restricts the rule to only apply to traffic of
+	// a specific IP protocol. Required if any of the EntityRules contain Ports
+	// (because ports only apply to certain protocols).
+	//
+	// Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite"
+	// or an integer in the range 1-255.
+	Protocol *corev1.Protocol `json:"protocol,omitempty" validate:"omitempty"`
+	// ICMP is an optional field that restricts the rule to apply to a specific type and
+	// code of ICMP traffic.  This should only be specified if the Protocol field is set to
+	// "ICMP" or "ICMPv6".
+	ICMP *ICMPFields `json:"icmp,omitempty" validate:"omitempty"`
+	// NotProtocol is the negated version of the Protocol field.
+	NotProtocol *corev1.Protocol `json:"notProtocol,omitempty" validate:"omitempty"`
+	// NotICMP is the negated version of the ICMP field.
+	NotICMP *ICMPFields `json:"notICMP,omitempty" validate:"omitempty"`
+	// Source contains the match criteria that apply to source entity.
+	Source EntityRule `json:"source,omitempty" validate:"omitempty"`
+	// Destination contains the match criteria that apply to destination entity.
+	Destination EntityRule `json:"destination,omitempty" validate:"omitempty"`
+
+	// HTTP contains match criteria that apply to HTTP requests.
+	HTTP *HTTPMatch `json:"http,omitempty" validate:"omitempty"`
+}
+
+// HTTPPath specifies an HTTP path to match. It may be either of the form:
+// exact: <path>: which matches the path exactly or
+// prefix: <path-prefix>: which matches the path prefix
+type HTTPPath struct {
+	Exact  string `json:"exact,omitempty" validate:"omitempty"`
+	Prefix string `json:"prefix,omitempty" validate:"omitempty"`
+}
+
+// HTTPMatch is an optional field that apply only to HTTP requests
+// The Methods and Path fields are joined with AND
+type HTTPMatch struct {
+	// Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed
+	// HTTP Methods (e.g. GET, PUT, etc.)
+	// Multiple methods are OR'd together.
+	Methods []string `json:"methods,omitempty" validate:"omitempty"`
+	// Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed
+	// HTTP Paths.
+	// Multiple paths are OR'd together.
+	// e.g:
+	// - exact: /foo
+	// - prefix: /bar
+	// NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.
+	Paths []HTTPPath `json:"paths,omitempty" validate:"omitempty"`
+}
+
+// ICMPFields defines structure for ICMP and NotICMP sub-struct for ICMP code and type
+type ICMPFields struct {
+	// Match on a specific ICMP type.  For example a value of 8 refers to ICMP Echo Request
+	// (i.e. pings).
+	Type *int `json:"type,omitempty" validate:"omitempty,gte=0,lte=254"`
+	// Match on a specific ICMP code.  If specified, the Type value must also be specified.
+	// This is a technical limitation imposed by the kernel’s iptables firewall, which
+	// Calico uses to enforce the rule.
+	Code *int `json:"code,omitempty" validate:"omitempty,gte=0,lte=255"`
+}
+
+// An EntityRule is a sub-component of a Rule comprising the match criteria specific
+// to a particular entity (that is either the source or destination).
+//
+// A source EntityRule matches the source endpoint and originating traffic.
+// A destination EntityRule matches the destination endpoint and terminating traffic.
+type EntityRule struct {
+	// Nets is an optional field that restricts the rule to only apply to traffic that
+	// originates from (or terminates at) IP addresses in any of the given subnets.
+	Nets []string `json:"nets,omitempty" validate:"omitempty,dive,net"`
+
+	// Selector is an optional field that contains a selector expression (see Policy for
+	// sample syntax).  Only traffic that originates from (terminates at) endpoints matching
+	// the selector will be matched.
+	//
+	// Note that: in addition to the negated version of the Selector (see NotSelector below), the
+	// selector expression syntax itself supports negation.  The two types of negation are subtly
+	// different. One negates the set of matched endpoints, the other negates the whole match:
+	//
+	//	Selector = "!has(my_label)" matches packets that are from other Calico-controlled
+	// 	endpoints that do not have the label “my_label”.
+	//
+	// 	NotSelector = "has(my_label)" matches packets that are not from Calico-controlled
+	// 	endpoints that do have the label “my_label”.
+	//
+	// The effect is that the latter will accept packets from non-Calico sources whereas the
+	// former is limited to packets from Calico-controlled endpoints.
+	Selector string `json:"selector,omitempty" validate:"omitempty,selector"`
+
+	// NamespaceSelector is an optional field that contains a selector expression. Only traffic
+	// that originates from (or terminates at) endpoints within the selected namespaces will be
+	// matched. When both NamespaceSelector and Selector are defined on the same rule, then only
+	// workload endpoints that are matched by both selectors will be selected by the rule.
+	//
+	// For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+	// only workload endpoints in the same namespace as the NetworkPolicy.
+	//
+	// For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+	// endpoints across all namespaces.
+	NamespaceSelector string `json:"namespaceSelector,omitempty" validate:"omitempty,selector"`
+
+	// Ports is an optional field that restricts the rule to only apply to traffic that has a
+	// source (destination) port that matches one of these ranges/values. This value is a
+	// list of integers or strings that represent ranges of ports.
+	//
+	// Since only some protocols have ports, if any ports are specified it requires the
+	// Protocol match in the Rule to be set to "TCP" or "UDP".
+	Ports []numorstring.Port `json:"ports,omitempty" validate:"omitempty,dive"`
+
+	// NotNets is the negated version of the Nets field.
+	NotNets []string `json:"notNets,omitempty" validate:"omitempty,dive,net"`
+
+	// NotSelector is the negated version of the Selector field.  See Selector field for
+	// subtleties with negated selectors.
+	NotSelector string `json:"notSelector,omitempty" validate:"omitempty,selector"`
+
+	// NotPorts is the negated version of the Ports field.
+	// Since only some protocols have ports, if any ports are specified it requires the
+	// Protocol match in the Rule to be set to "TCP" or "UDP".
+	NotPorts []numorstring.Port `json:"notPorts,omitempty" validate:"omitempty,dive"`
+
+	// ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+	// terminates at) a pod running as a matching service account.
+	ServiceAccounts *ServiceAccountMatch `json:"serviceAccounts,omitempty" validate:"omitempty"`
+}
+
+type ServiceAccountMatch struct {
+	// Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+	// at) a pod running as a service account whose name is in the list.
+	Names []string `json:"names,omitempty" validate:"omitempty"`
+
+	// Selector is an optional field that restricts the rule to only apply to traffic that originates from
+	// (or terminates at) a pod running as a service account that matches the given label selector.
+	// If both Names and Selector are specified then they are AND'ed.
+	Selector string `json:"selector,omitempty" validate:"omitempty,selector"`
+}
+
+type Action string
+
+const (
+	Allow Action = "Allow"
+	Deny         = "Deny"
+	Log          = "Log"
+	Pass         = "Pass"
+)
+
+type PolicyType string
+
+const (
+	PolicyTypeIngress PolicyType = "Ingress"
+	PolicyTypeEgress  PolicyType = "Egress"
+)

pkg/apis/network/v1alpha1/namespacenetworkpolicy_types.go

@@ -0,0 +1,108 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// All types in this file is copy from calicoapi as we use calico to policy
+
+// NamespaceNetworkPolicySpec defines the desired state of NamespaceNetworkPolicy
+type NamespaceNetworkPolicySpec struct {
+	// Order is an optional field that specifies the order in which the policy is applied.
+	// Policies with higher "order" are applied after those with lower
+	// order.  If the order is omitted, it may be considered to be "infinite" - i.e. the
+	// policy will be applied last.  Policies with identical order will be applied in
+	// alphanumerical order based on the Policy "Name".
+	Order *int `json:"order,omitempty"`
+	// The ordered set of ingress rules.  Each rule contains a set of packet match criteria and
+	// a corresponding action to apply.
+	Ingress []Rule `json:"ingress,omitempty" validate:"omitempty,dive"`
+	// The ordered set of egress rules.  Each rule contains a set of packet match criteria and
+	// a corresponding action to apply.
+	Egress []Rule `json:"egress,omitempty" validate:"omitempty,dive"`
+	// The selector is an expression used to pick pick out the endpoints that the policy should
+	// be applied to.
+	//
+	// Selector expressions follow this syntax:
+	//
+	// 	label == "string_literal"  ->  comparison, e.g. my_label == "foo bar"
+	// 	label != "string_literal"   ->  not equal; also matches if label is not present
+	// 	label in { "a", "b", "c", ... }  ->  true if the value of label X is one of "a", "b", "c"
+	// 	label not in { "a", "b", "c", ... }  ->  true if the value of label X is not one of "a", "b", "c"
+	// 	has(label_name)  -> True if that label is present
+	// 	! expr -> negation of expr
+	// 	expr && expr  -> Short-circuit and
+	// 	expr || expr  -> Short-circuit or
+	// 	( expr ) -> parens for grouping
+	// 	all() or the empty selector -> matches all endpoints.
+	//
+	// Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive
+	// but they do not support escape characters.
+	//
+	// Examples (with made-up labels):
+	//
+	// 	type == "webserver" && deployment == "prod"
+	// 	type in {"frontend", "backend"}
+	// 	deployment != "dev"
+	// 	! has(label_name)
+	Selector string `json:"selector" validate:"selector"`
+	// Types indicates whether this policy applies to ingress, or to egress, or to both.  When
+	// not explicitly specified (and so the value on creation is empty or nil), Calico defaults
+	// Types according to what Ingress and Egress are present in the policy.  The
+	// default is:
+	//
+	// - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are
+	//   also no Ingress rules)
+	//
+	// - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules
+	//
+	// - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules.
+	//
+	// When the policy is read back again, Types will always be one of these values, never empty
+	// or nil.
+	Types []PolicyType `json:"types,omitempty" validate:"omitempty,dive,policyType"`
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NamespaceNetworkPolicy is the Schema for the namespacenetworkpolicies API
+// +k8s:openapi-gen=true
+// +kubebuilder:resource:categories="networking",shortName="nsnp"
+type NamespaceNetworkPolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec NamespaceNetworkPolicySpec `json:"spec,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NamespaceNetworkPolicyList contains a list of NamespaceNetworkPolicy
+type NamespaceNetworkPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []NamespaceNetworkPolicy `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&NamespaceNetworkPolicy{}, &NamespaceNetworkPolicyList{})
+}

pkg/apis/network/v1alpha1/namespacenetworkpolicy_types_test.go

@@ -0,0 +1,58 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"testing"
+
+	"github.com/onsi/gomega"
+	"golang.org/x/net/context"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+func TestStorageNamespaceNetworkPolicy(t *testing.T) {
+	key := types.NamespacedName{
+		Name:      "foo",
+		Namespace: "default",
+	}
+	created := &NamespaceNetworkPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "foo",
+			Namespace: "default",
+		}}
+	g := gomega.NewGomegaWithT(t)
+
+	// Test Create
+	fetched := &NamespaceNetworkPolicy{}
+	g.Expect(c.Create(context.TODO(), created)).To(gomega.Succeed())
+
+	g.Expect(c.Get(context.TODO(), key, fetched)).To(gomega.Succeed())
+	g.Expect(fetched).To(gomega.Equal(created))
+
+	// Test Updating the Labels
+	updated := fetched.DeepCopy()
+	updated.Labels = map[string]string{"hello": "world"}
+	g.Expect(c.Update(context.TODO(), updated)).To(gomega.Succeed())
+
+	g.Expect(c.Get(context.TODO(), key, fetched)).To(gomega.Succeed())
+	g.Expect(fetched).To(gomega.Equal(updated))
+
+	// Test Delete
+	g.Expect(c.Delete(context.TODO(), fetched)).To(gomega.Succeed())
+	g.Expect(c.Get(context.TODO(), key, fetched)).ToNot(gomega.Succeed())
+}

pkg/apis/network/v1alpha1/numorstring/asnumber.go

@@ -0,0 +1,73 @@
+// Copyright (c) 2016 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package numorstring
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+)
+
+type ASNumber uint32
+
+// ASNumberFromString creates an ASNumber struct from a string value.  The
+// string value may simply be a number or may be the ASN in dotted notation.
+func ASNumberFromString(s string) (ASNumber, error) {
+	if num, err := strconv.ParseUint(s, 10, 32); err == nil {
+		return ASNumber(num), nil
+	}
+
+	parts := strings.Split(s, ".")
+	if len(parts) != 2 {
+		msg := fmt.Sprintf("invalid AS Number format (%s)", s)
+		return 0, errors.New(msg)
+	}
+
+	if num1, err := strconv.ParseUint(parts[0], 10, 16); err != nil {
+		msg := fmt.Sprintf("invalid AS Number format (%s)", s)
+		return 0, errors.New(msg)
+	} else if num2, err := strconv.ParseUint(parts[1], 10, 16); err != nil {
+		msg := fmt.Sprintf("invalid AS Number format (%s)", s)
+		return 0, errors.New(msg)
+	} else {
+		return ASNumber((num1 << 16) + num2), nil
+	}
+}
+
+// UnmarshalJSON implements the json.Unmarshaller uinterface.
+func (a *ASNumber) UnmarshalJSON(b []byte) error {
+	if err := json.Unmarshal(b, (*uint32)(a)); err == nil {
+		return nil
+	} else {
+		var s string
+		if err := json.Unmarshal(b, &s); err != nil {
+			return err
+		}
+
+		if v, err := ASNumberFromString(s); err != nil {
+			return err
+		} else {
+			*a = v
+			return nil
+		}
+	}
+}
+
+// String returns the string value, or the Itoa of the uint value.
+func (a ASNumber) String() string {
+	return strconv.FormatUint(uint64(a), 10)
+}

pkg/apis/network/v1alpha1/numorstring/doc.go

@@ -0,0 +1,19 @@
+// Copyright (c) 2016 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/*
+Package numorstring implements a set of type definitions that in YAML or JSON
+format may be represented by either a number or a string.
+*/
+package numorstring

pkg/apis/network/v1alpha1/numorstring/numorstring_suite_test.go

@@ -0,0 +1,26 @@
+// Copyright (c) 2016,2018 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package numorstring_test
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"testing"
+)
+
+func TestNumorstring(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Numorstring Suite")
+}

pkg/apis/network/v1alpha1/numorstring/numorstring_test.go

@@ -0,0 +1,204 @@
+// Copyright (c) 2016-2017 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package numorstring_test
+
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+
+	. "github.com/onsi/ginkgo/extensions/table"
+	. "github.com/onsi/gomega"
+	"github.com/projectcalico/libcalico-go/lib/numorstring"
+)
+
+func init() {
+
+	asNumberType := reflect.TypeOf(numorstring.ASNumber(0))
+	protocolType := reflect.TypeOf(numorstring.Protocol{})
+	portType := reflect.TypeOf(numorstring.Port{})
+
+	// Perform tests of JSON unmarshaling of the various field types.
+	DescribeTable("NumOrStringJSONUnmarshaling",
+		func(jtext string, typ reflect.Type, expected interface{}) {
+			// Create a new field type and invoke the unmarshaller interface
+			// directly (this covers a couple more error cases than calling
+			// through json.Unmarshal.
+			new := reflect.New(typ)
+			u := new.Interface().(json.Unmarshaler)
+			err := u.UnmarshalJSON([]byte(jtext))
+
+			if expected != nil {
+				Expect(err).To(BeNil(),
+					"expected json unmarshal to not error")
+				Expect(new.Elem().Interface()).To(Equal(expected),
+					"expected value not same as json unmarshalled value")
+			} else {
+				Expect(err).ToNot(BeNil(),
+					"expected json unmarshal to error")
+			}
+		},
+		// ASNumber tests.
+		Entry("should accept 0 AS number as int", "0", asNumberType, numorstring.ASNumber(0)),
+		Entry("should accept 4294967295 AS number as int", "4294967295", asNumberType, numorstring.ASNumber(4294967295)),
+		Entry("should accept 0 AS number as string", "\"0\"", asNumberType, numorstring.ASNumber(0)),
+		Entry("should accept 4294967295 AS number as string", "\"4294967295\"", asNumberType, numorstring.ASNumber(4294967295)),
+		Entry("should accept 1.10 AS number as string", "\"1.10\"", asNumberType, numorstring.ASNumber(65546)),
+		Entry("should accept 00.00 AS number as string", "\"00.00\"", asNumberType, numorstring.ASNumber(0)),
+		Entry("should accept 00.01 AS number as string", "\"00.01\"", asNumberType, numorstring.ASNumber(1)),
+		Entry("should accept 65535.65535 AS number as string", "\"65535.65535\"", asNumberType, numorstring.ASNumber(4294967295)),
+		Entry("should reject 1.1.1 AS number as string", "\"1.1.1\"", asNumberType, nil),
+		Entry("should reject 65536.65535 AS number as string", "\"65536.65535\"", asNumberType, nil),
+		Entry("should reject 65535.65536 AS number as string", "\"65535.65536\"", asNumberType, nil),
+		Entry("should reject 0.-1 AS number as string", "\"0.-1\"", asNumberType, nil),
+		Entry("should reject -1 AS number as int", "-1", asNumberType, nil),
+		Entry("should reject 4294967296 AS number as int", "4294967296", asNumberType, nil),
+
+		// Port tests.
+		Entry("should accept 0 port as int", "0", portType, numorstring.SinglePort(0)),
+		Entry("should accept 65535 port as int", "65535", portType, numorstring.SinglePort(65535)),
+		Entry("should accept 0:65535 port range as string", "\"0:65535\"", portType, portFromRange(0, 65535)),
+		Entry("should accept 1:10 port range as string", "\"1:10\"", portType, portFromRange(1, 10)),
+		Entry("should accept foo-bar as named port", "\"foo-bar\"", portType, numorstring.NamedPort("foo-bar")),
+		Entry("should reject -1 port as int", "-1", portType, nil),
+		Entry("should reject 65536 port as int", "65536", portType, nil),
+		Entry("should reject 0:65536 port range as string", "\"0:65536\"", portType, nil),
+		Entry("should reject -1:65535 port range as string", "\"-1:65535\"", portType, nil),
+		Entry("should reject 10:1 port range as string", "\"10:1\"", portType, nil),
+		Entry("should reject 1:2:3 port range as string", "\"1:2:3\"", portType, nil),
+		Entry("should reject bad named port string", "\"*\"", portType, nil),
+		Entry("should reject bad port string", "\"1:2", portType, nil),
+
+		// Protocol tests.  Invalid integer values will be stored as strings.
+		Entry("should accept 0 protocol as int", "0", protocolType, numorstring.ProtocolFromInt(0)),
+		Entry("should accept 255 protocol as int", "255", protocolType, numorstring.ProtocolFromInt(255)),
+		Entry("should accept tcp protocol as string", "\"TCP\"", protocolType, numorstring.ProtocolFromString("TCP")),
+		Entry("should accept tcp protocol as string", "\"TCP\"", protocolType, numorstring.ProtocolFromString("TCP")),
+		Entry("should accept 0 protocol as string", "\"0\"", protocolType, numorstring.ProtocolFromInt(0)),
+		Entry("should accept 0 protocol as string", "\"255\"", protocolType, numorstring.ProtocolFromInt(255)),
+		Entry("should accept 256 protocol as string", "\"256\"", protocolType, numorstring.ProtocolFromString("256")),
+		Entry("should reject bad protocol string", "\"25", protocolType, nil),
+	)
+
+	// Perform tests of JSON marshaling of the various field types.
+	DescribeTable("NumOrStringJSONMarshaling",
+		func(field interface{}, jtext string) {
+			b, err := json.Marshal(field)
+			if jtext != "" {
+				Expect(err).To(BeNil(),
+					"expected json marshal to not error")
+				Expect(string(b)).To(Equal(jtext),
+					"expected json not same as marshalled value")
+			} else {
+				Expect(err).ToNot(BeNil(),
+					"expected json marshal to error")
+			}
+		},
+		// ASNumber tests.
+		Entry("should marshal ASN of 0", numorstring.ASNumber(0), "0"),
+		Entry("should marshal ASN of 4294967295", numorstring.ASNumber(4294967295), "4294967295"),
+
+		// Port tests.
+		Entry("should marshal port of 0", numorstring.SinglePort(0), "0"),
+		Entry("should marshal port of 65535", portFromRange(65535, 65535), "65535"),
+		Entry("should marshal port of 10", portFromString("10"), "10"),
+		Entry("should marshal port range of 10:20", portFromRange(10, 20), "\"10:20\""),
+		Entry("should marshal port range of 20:30", portFromRange(20, 30), "\"20:30\""),
+		Entry("should marshal named port", numorstring.NamedPort("foobar"), `"foobar"`),
+
+		// Protocol tests.
+		Entry("should marshal protocol of 0", numorstring.ProtocolFromInt(0), "0"),
+		Entry("should marshal protocol of udp", numorstring.ProtocolFromString("UDP"), "\"UDP\""),
+	)
+
+	// Perform tests of Stringer interface various field types.
+	DescribeTable("NumOrStringStringify",
+		func(field interface{}, s string) {
+			a := fmt.Sprint(field)
+			Expect(a).To(Equal(s),
+				"expected String() value to match")
+		},
+		// ASNumber tests.
+		Entry("should stringify ASN of 0", numorstring.ASNumber(0), "0"),
+		Entry("should stringify ASN of 4294967295", numorstring.ASNumber(4294967295), "4294967295"),
+
+		// Port tests.
+		Entry("should stringify port of 20", numorstring.SinglePort(20), "20"),
+		Entry("should stringify port range of 10:20", portFromRange(10, 20), "10:20"),
+
+		// Protocol tests.
+		Entry("should stringify protocol of 0", numorstring.ProtocolFromInt(0), "0"),
+		Entry("should stringify protocol of udp", numorstring.ProtocolFromString("UDP"), "UDP"),
+	)
+
+	// Perform tests of Protocols supporting ports.
+	DescribeTable("NumOrStringProtocolsSupportingPorts",
+		func(protocol numorstring.Protocol, supportsPorts bool) {
+			Expect(protocol.SupportsPorts()).To(Equal(supportsPorts),
+				"expected protocol port support to match")
+		},
+		Entry("protocol 6 supports ports", numorstring.ProtocolFromInt(6), true),
+		Entry("protocol 17 supports ports", numorstring.ProtocolFromInt(17), true),
+		Entry("protocol udp supports ports", numorstring.ProtocolFromString("UDP"), true),
+		Entry("protocol udp supports ports", numorstring.ProtocolFromString("TCP"), true),
+		Entry("protocol foo does not support ports", numorstring.ProtocolFromString("foo"), false),
+		Entry("protocol 2 does not support ports", numorstring.ProtocolFromInt(2), false),
+	)
+
+	// Perform tests of Protocols FromString method.
+	DescribeTable("NumOrStringProtocols FromString is not case sensitive",
+		func(input, expected string) {
+			Expect(numorstring.ProtocolFromString(input).StrVal).To(Equal(expected),
+				"expected parsed protocol to match")
+		},
+		Entry("protocol udp -> UDP", "udp", "UDP"),
+		Entry("protocol tcp -> TCP", "tcp", "TCP"),
+		Entry("protocol updlite -> UDPLite", "udplite", "UDPLite"),
+		Entry("unknown protocol xxxXXX", "xxxXXX", "xxxXXX"),
+	)
+
+	// Perform tests of Protocols FromStringV1 method.
+	DescribeTable("NumOrStringProtocols FromStringV1 is lowercase",
+		func(input, expected string) {
+			Expect(numorstring.ProtocolFromStringV1(input).StrVal).To(Equal(expected),
+				"expected parsed protocol to match")
+		},
+		Entry("protocol udp -> UDP", "UDP", "udp"),
+		Entry("protocol tcp -> TCP", "TCP", "tcp"),
+		Entry("protocol updlite -> UDPLite", "UDPLite", "udplite"),
+		Entry("unknown protocol xxxXXX", "xxxXXX", "xxxxxx"),
+	)
+
+	// Perform tests of Protocols ToV1 method.
+	DescribeTable("NumOrStringProtocols FromStringV1 is lowercase",
+		func(input, expected numorstring.Protocol) {
+			Expect(input.ToV1()).To(Equal(expected),
+				"expected parsed protocol to match")
+		},
+		// Protocol tests.
+		Entry("protocol udp -> UDP", numorstring.ProtocolFromInt(2), numorstring.ProtocolFromInt(2)),
+		Entry("protocol tcp -> TCP", numorstring.ProtocolFromString("TCP"), numorstring.ProtocolFromStringV1("TCP")),
+	)
+}
+
+func portFromRange(minPort, maxPort uint16) numorstring.Port {
+	p, _ := numorstring.PortFromRange(minPort, maxPort)
+	return p
+}
+
+func portFromString(s string) numorstring.Port {
+	p, _ := numorstring.PortFromString(s)
+	return p
+}

pkg/apis/network/v1alpha1/numorstring/port.go

@@ -0,0 +1,144 @@
+// Copyright (c) 2016-2017 Tigera, Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package numorstring
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"regexp"
+	"strconv"
+)
+
+// Port represents either a range of numeric ports or a named port.
+//
+//     - For a named port, set the PortName, leaving MinPort and MaxPort as 0.
+//     - For a port range, set MinPort and MaxPort to the (inclusive) port numbers.  Set
+//       PortName to "".
+//     - For a single port, set MinPort = MaxPort and PortName = "".
+type Port struct {
+	MinPort  uint16 `json:"minPort,omitempty"`
+	MaxPort  uint16 `json:"maxPort,omitempty"`
+	PortName string `validate:"omitempty,portName" json:"portName,omitempty"`
+}
+
+// SinglePort creates a Port struct representing a single port.
+func SinglePort(port uint16) Port {
+	return Port{MinPort: port, MaxPort: port}
+}
+
+func NamedPort(name string) Port {
+	return Port{PortName: name}
+}
+
+// PortFromRange creates a Port struct representing a range of ports.
+func PortFromRange(minPort, maxPort uint16) (Port, error) {
+	port := Port{MinPort: minPort, MaxPort: maxPort}
+	if minPort > maxPort {
+		msg := fmt.Sprintf("minimum port number (%d) is greater than maximum port number (%d) in port range", minPort, maxPort)
+		return port, errors.New(msg)
+	}
+	return port, nil
+}
+
+var (
+	allDigits = regexp.MustCompile(`^\d+$`)
+	portRange = regexp.MustCompile(`^(\d+):(\d+)$`)
+	nameRegex = regexp.MustCompile("^[a-zA-Z0-9_.-]{1,128}$")
+)
+
+// PortFromString creates a Port struct from its string representation.  A port
+// may either be single value "1234", a range of values "100:200" or a named port: "name".
+func PortFromString(s string) (Port, error) {
+	if allDigits.MatchString(s) {
+		// Port is all digits, it should parse as a single port.
+		num, err := strconv.ParseUint(s, 10, 16)
+		if err != nil {
+			msg := fmt.Sprintf("invalid port format (%s)", s)
+			return Port{}, errors.New(msg)
+		}
+		return SinglePort(uint16(num)), nil
+	}
+
+	if groups := portRange.FindStringSubmatch(s); len(groups) > 0 {
+		// Port matches <digits>:<digits>, it should parse as a range of ports.
+		if pmin, err := strconv.ParseUint(groups[1], 10, 16); err != nil {
+			msg := fmt.Sprintf("invalid minimum port number in range (%s)", s)
+			return Port{}, errors.New(msg)
+		} else if pmax, err := strconv.ParseUint(groups[2], 10, 16); err != nil {
+			msg := fmt.Sprintf("invalid maximum port number in range (%s)", s)
+			return Port{}, errors.New(msg)
+		} else {
+			return PortFromRange(uint16(pmin), uint16(pmax))
+		}
+	}
+
+	if !nameRegex.MatchString(s) {
+		msg := fmt.Sprintf("invalid name for named port (%s)", s)
+		return Port{}, errors.New(msg)
+	}
+
+	return NamedPort(s), nil
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+func (p *Port) UnmarshalJSON(b []byte) error {
+	if b[0] == '"' {
+		var s string
+		if err := json.Unmarshal(b, &s); err != nil {
+			return err
+		}
+
+		if v, err := PortFromString(s); err != nil {
+			return err
+		} else {
+			*p = v
+			return nil
+		}
+	}
+
+	// It's not a string, it must be a single int.
+	var i uint16
+	if err := json.Unmarshal(b, &i); err != nil {
+		return err
+	}
+	v := SinglePort(i)
+	*p = v
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface.
+func (p Port) MarshalJSON() ([]byte, error) {
+	if p.PortName != "" {
+		return json.Marshal(p.PortName)
+	} else if p.MinPort == p.MaxPort {
+		return json.Marshal(p.MinPort)
+	} else {
+		return json.Marshal(p.String())
+	}
+}
+
+// String returns the string value.  If the min and max port are the same
+// this returns a single string representation of the port number, otherwise
+// if returns a colon separated range of ports.
+func (p Port) String() string {
+	if p.PortName != "" {
+		return p.PortName
+	} else if p.MinPort == p.MaxPort {
+		return strconv.FormatUint(uint64(p.MinPort), 10)
+	} else {
+		return fmt.Sprintf("%d:%d", p.MinPort, p.MaxPort)
+	}
+}

pkg/apis/network/v1alpha1/numorstring/protocol.go

@@ -0,0 +1,134 @@
+// Copyright (c) 2016 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package numorstring
+
+import "strings"
+
+const (
+	ProtocolUDP     = "UDP"
+	ProtocolTCP     = "TCP"
+	ProtocolICMP    = "ICMP"
+	ProtocolICMPv6  = "ICMPv6"
+	ProtocolSCTP    = "SCTP"
+	ProtocolUDPLite = "UDPLite"
+
+	ProtocolUDPV1 = "udp"
+	ProtocolTCPV1 = "tcp"
+)
+
+var (
+	allProtocolNames = []string{
+		ProtocolUDP,
+		ProtocolTCP,
+		ProtocolICMP,
+		ProtocolICMPv6,
+		ProtocolSCTP,
+		ProtocolUDPLite,
+	}
+)
+
+type Protocol Uint8OrString
+
+// ProtocolFromInt creates a Protocol struct from an integer value.
+func ProtocolFromInt(p uint8) Protocol {
+	return Protocol(
+		Uint8OrString{Type: NumOrStringNum, NumVal: p},
+	)
+}
+
+// ProtocolV3FromProtocolV1 creates a v3 Protocol from a v1 Protocol,
+// while handling case conversion.
+func ProtocolV3FromProtocolV1(p Protocol) Protocol {
+	if p.Type == NumOrStringNum {
+		return p
+	}
+
+	for _, n := range allProtocolNames {
+		if strings.ToLower(n) == strings.ToLower(p.StrVal) {
+			return Protocol(
+				Uint8OrString{Type: NumOrStringString, StrVal: n},
+			)
+		}
+	}
+
+	return p
+}
+
+// ProtocolFromString creates a Protocol struct from a string value.
+func ProtocolFromString(p string) Protocol {
+	for _, n := range allProtocolNames {
+		if strings.ToLower(n) == strings.ToLower(p) {
+			return Protocol(
+				Uint8OrString{Type: NumOrStringString, StrVal: n},
+			)
+		}
+	}
+
+	// Unknown protocol - return the value unchanged.  Validation should catch this.
+	return Protocol(
+		Uint8OrString{Type: NumOrStringString, StrVal: p},
+	)
+}
+
+// ProtocolFromStringV1 creates a Protocol struct from a string value (for the v1 API)
+func ProtocolFromStringV1(p string) Protocol {
+	return Protocol(
+		Uint8OrString{Type: NumOrStringString, StrVal: strings.ToLower(p)},
+	)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+func (p *Protocol) UnmarshalJSON(b []byte) error {
+	return (*Uint8OrString)(p).UnmarshalJSON(b)
+}
+
+// MarshalJSON implements the json.Marshaller interface.
+func (p Protocol) MarshalJSON() ([]byte, error) {
+	return Uint8OrString(p).MarshalJSON()
+}
+
+// String returns the string value, or the Itoa of the int value.
+func (p Protocol) String() string {
+	return (Uint8OrString)(p).String()
+}
+
+// String returns the string value, or the Itoa of the int value.
+func (p Protocol) ToV1() Protocol {
+	if p.Type == NumOrStringNum {
+		return p
+	}
+	return ProtocolFromStringV1(p.StrVal)
+}
+
+// NumValue returns the NumVal if type Int, or if
+// it is a String, will attempt a conversion to int.
+func (p Protocol) NumValue() (uint8, error) {
+	return (Uint8OrString)(p).NumValue()
+}
+
+// SupportsProtocols returns whether this protocol supports ports.  This returns true if
+// the numerical or string verion of the protocol indicates TCP (6) or UDP (17).
+func (p Protocol) SupportsPorts() bool {
+	num, err := p.NumValue()
+	if err == nil {
+		return num == 6 || num == 17
+	} else {
+		switch p.StrVal {
+		case ProtocolTCP, ProtocolUDP, ProtocolTCPV1, ProtocolUDPV1:
+			return true
+		}
+		return false
+	}
+}

pkg/apis/network/v1alpha1/numorstring/type.go

@@ -0,0 +1,23 @@
+// Copyright (c) 2016 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package numorstring
+
+// Type represents the stored type of Int32OrString.
+type NumOrStringType int
+
+const (
+	NumOrStringNum    NumOrStringType = iota // The structure holds a number.
+	NumOrStringString                        // The structure holds a string.
+)

pkg/apis/network/v1alpha1/numorstring/uint8orstring.go

@@ -0,0 +1,80 @@
+// Copyright (c) 2016 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package numorstring
+
+import (
+	"encoding/json"
+	"strconv"
+)
+
+// UInt8OrString is a type that can hold an uint8 or a string.  When used in
+// JSON or YAML marshalling and unmarshalling, it produces or consumes the
+// inner type.  This allows you to have, for example, a JSON field that can
+// accept a name or number.
+type Uint8OrString struct {
+	Type   NumOrStringType
+	NumVal uint8
+	StrVal string
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+func (i *Uint8OrString) UnmarshalJSON(b []byte) error {
+	if b[0] == '"' {
+		var s string
+		if err := json.Unmarshal(b, &s); err != nil {
+			return err
+		}
+
+		num, err := strconv.ParseUint(s, 10, 8)
+		if err == nil {
+			i.Type = NumOrStringNum
+			i.NumVal = uint8(num)
+		} else {
+			i.Type = NumOrStringString
+			i.StrVal = s
+		}
+
+		return nil
+	}
+	i.Type = NumOrStringNum
+	return json.Unmarshal(b, &i.NumVal)
+}
+
+// MarshalJSON implements the json.Marshaller interface.
+func (i Uint8OrString) MarshalJSON() ([]byte, error) {
+	if num, err := i.NumValue(); err == nil {
+		return json.Marshal(num)
+	} else {
+		return json.Marshal(i.StrVal)
+	}
+}
+
+// String returns the string value, or the Itoa of the int value.
+func (i Uint8OrString) String() string {
+	if i.Type == NumOrStringString {
+		return i.StrVal
+	}
+	return strconv.FormatUint(uint64(i.NumVal), 10)
+}
+
+// NumValue returns the NumVal if type Int, or if
+// it is a String, will attempt a conversion to int.
+func (i Uint8OrString) NumValue() (uint8, error) {
+	if i.Type == NumOrStringString {
+		num, err := strconv.ParseUint(i.StrVal, 10, 8)
+		return uint8(num), err
+	}
+	return i.NumVal, nil
+}

pkg/apis/network/v1alpha1/v1alpha1_suite_test.go

@@ -33,7 +33,7 @@ var c client.Client
 
 func TestMain(m *testing.M) {
 	t := &envtest.Environment{
-		CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "..", "config", "crds")},
+		CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "..", "config", "mannual-crds")},
 	}
 
 	err := SchemeBuilder.AddToScheme(scheme.Scheme)

pkg/apis/network/v1alpha1/workspacenetworkpolicy_types.go

@@ -75,6 +75,7 @@ type WorkspaceNetworkPolicyStatus struct {
 
 // WorkspaceNetworkPolicy is a set of network policies applied to the scope to workspace
 // +k8s:openapi-gen=true
+// +kubebuilder:resource:categories="networking",scope="Cluster",shortName="wsnp"
 type WorkspaceNetworkPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

pkg/apis/network/v1alpha1/zz_generated.deepcopy.go

@@ -21,11 +21,282 @@ limitations under the License.
 package v1alpha1
 
 import (
-	"k8s.io/api/networking/v1"
+	"k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
+	"kubesphere.io/kubesphere/pkg/apis/network/v1alpha1/numorstring"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EntityRule) DeepCopyInto(out *EntityRule) {
+	*out = *in
+	if in.Nets != nil {
+		in, out := &in.Nets, &out.Nets
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]numorstring.Port, len(*in))
+		copy(*out, *in)
+	}
+	if in.NotNets != nil {
+		in, out := &in.NotNets, &out.NotNets
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.NotPorts != nil {
+		in, out := &in.NotPorts, &out.NotPorts
+		*out = make([]numorstring.Port, len(*in))
+		copy(*out, *in)
+	}
+	if in.ServiceAccounts != nil {
+		in, out := &in.ServiceAccounts, &out.ServiceAccounts
+		*out = new(ServiceAccountMatch)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EntityRule.
+func (in *EntityRule) DeepCopy() *EntityRule {
+	if in == nil {
+		return nil
+	}
+	out := new(EntityRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HTTPMatch) DeepCopyInto(out *HTTPMatch) {
+	*out = *in
+	if in.Methods != nil {
+		in, out := &in.Methods, &out.Methods
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Paths != nil {
+		in, out := &in.Paths, &out.Paths
+		*out = make([]HTTPPath, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPMatch.
+func (in *HTTPMatch) DeepCopy() *HTTPMatch {
+	if in == nil {
+		return nil
+	}
+	out := new(HTTPMatch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HTTPPath) DeepCopyInto(out *HTTPPath) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPPath.
+func (in *HTTPPath) DeepCopy() *HTTPPath {
+	if in == nil {
+		return nil
+	}
+	out := new(HTTPPath)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ICMPFields) DeepCopyInto(out *ICMPFields) {
+	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(int)
+		**out = **in
+	}
+	if in.Code != nil {
+		in, out := &in.Code, &out.Code
+		*out = new(int)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ICMPFields.
+func (in *ICMPFields) DeepCopy() *ICMPFields {
+	if in == nil {
+		return nil
+	}
+	out := new(ICMPFields)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceNetworkPolicy) DeepCopyInto(out *NamespaceNetworkPolicy) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceNetworkPolicy.
+func (in *NamespaceNetworkPolicy) DeepCopy() *NamespaceNetworkPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceNetworkPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *NamespaceNetworkPolicy) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceNetworkPolicyList) DeepCopyInto(out *NamespaceNetworkPolicyList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]NamespaceNetworkPolicy, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceNetworkPolicyList.
+func (in *NamespaceNetworkPolicyList) DeepCopy() *NamespaceNetworkPolicyList {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceNetworkPolicyList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *NamespaceNetworkPolicyList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceNetworkPolicySpec) DeepCopyInto(out *NamespaceNetworkPolicySpec) {
+	*out = *in
+	if in.Order != nil {
+		in, out := &in.Order, &out.Order
+		*out = new(int)
+		**out = **in
+	}
+	if in.Ingress != nil {
+		in, out := &in.Ingress, &out.Ingress
+		*out = make([]Rule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Egress != nil {
+		in, out := &in.Egress, &out.Egress
+		*out = make([]Rule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Types != nil {
+		in, out := &in.Types, &out.Types
+		*out = make([]PolicyType, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceNetworkPolicySpec.
+func (in *NamespaceNetworkPolicySpec) DeepCopy() *NamespaceNetworkPolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceNetworkPolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Rule) DeepCopyInto(out *Rule) {
+	*out = *in
+	if in.IPVersion != nil {
+		in, out := &in.IPVersion, &out.IPVersion
+		*out = new(int)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(v1.Protocol)
+		**out = **in
+	}
+	if in.ICMP != nil {
+		in, out := &in.ICMP, &out.ICMP
+		*out = new(ICMPFields)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.NotProtocol != nil {
+		in, out := &in.NotProtocol, &out.NotProtocol
+		*out = new(v1.Protocol)
+		**out = **in
+	}
+	if in.NotICMP != nil {
+		in, out := &in.NotICMP, &out.NotICMP
+		*out = new(ICMPFields)
+		(*in).DeepCopyInto(*out)
+	}
+	in.Source.DeepCopyInto(&out.Source)
+	in.Destination.DeepCopyInto(&out.Destination)
+	if in.HTTP != nil {
+		in, out := &in.HTTP, &out.HTTP
+		*out = new(HTTPMatch)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.
+func (in *Rule) DeepCopy() *Rule {
+	if in == nil {
+		return nil
+	}
+	out := new(Rule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceAccountMatch) DeepCopyInto(out *ServiceAccountMatch) {
+	*out = *in
+	if in.Names != nil {
+		in, out := &in.Names, &out.Names
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountMatch.
+func (in *ServiceAccountMatch) DeepCopy() *ServiceAccountMatch {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceAccountMatch)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkspaceNetworkPolicy) DeepCopyInto(out *WorkspaceNetworkPolicy) {
 	*out = *in
@@ -58,7 +329,7 @@ func (in *WorkspaceNetworkPolicyEgressRule) DeepCopyInto(out *WorkspaceNetworkPo
 	*out = *in
 	if in.Ports != nil {
 		in, out := &in.Ports, &out.Ports
-		*out = make([]v1.NetworkPolicyPort, len(*in))
+		*out = make([]networkingv1.NetworkPolicyPort, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -87,7 +358,7 @@ func (in *WorkspaceNetworkPolicyIngressRule) DeepCopyInto(out *WorkspaceNetworkP
 	*out = *in
 	if in.Ports != nil {
 		in, out := &in.Ports, &out.Ports
-		*out = make([]v1.NetworkPolicyPort, len(*in))
+		*out = make([]networkingv1.NetworkPolicyPort, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -169,7 +440,7 @@ func (in *WorkspaceNetworkPolicySpec) DeepCopyInto(out *WorkspaceNetworkPolicySp
 	*out = *in
 	if in.PolicyTypes != nil {
 		in, out := &in.PolicyTypes, &out.PolicyTypes
-		*out = make([]v1.PolicyType, len(*in))
+		*out = make([]networkingv1.PolicyType, len(*in))
 		copy(*out, *in)
 	}
 	if in.Ingress != nil {