Add support for selecting external destinations as egress peers

tssurya · tssurya · commit 43ef2d349a9f · 2023-10-26T16:49:07.000+02:00
Some FTR things:

    1) As an egress peer a user can selector either namespaces, or pods or
       nodes or externalNetworks.
    In a given rule more than 1 type of selection is not allowed.
    2) An empty externalNetworks selector means it selects all externalNetworkSets in the cluster.
    3) externalNetworks can be set only from to.Peer

Signed-off-by: Surya Seetharaman &lt;suryaseetharaman.9@gmail.com&gt;
diff --git a/apis/v1alpha1/shared_types.go b/apis/v1alpha1/shared_types.go
@@ -170,6 +170,19 @@ type AdminNetworkPolicyEgressPeer struct {
 	//
 	// +optional
 	Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
+	// ExternalNetworks defines a way to select ExternalNetworkSets
+	// that consist of network CIDRs that live outside the cluster as a peer.
+	// It is the list of NetworkCIDR (both v4 & v6) that can be used to define
+	// external destinations.
+	// This field follows standard label selector semantics; if present
+	// but empty, it selects all ExternalNetworkSets defined in the cluster.
+	//
+	// Support: Core
+	//
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=100
+	ExternalNetworks []string `json:"externalNetworks,omitempty" validate:"omitempty,dive,cidr"`
 }
 
 // NamespacedPeer defines a flexible way to select Namespaces in a cluster.
diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml b/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml
@@ -164,6 +164,20 @@ spec:
                         maxProperties: 1
                         minProperties: 1
                         properties:
+                          externalNetworks:
+                            description: "ExternalNetworks defines a way to select
+                              ExternalNetworkSets that consist of network CIDRs that
+                              live outside the cluster as a peer. It is the list of
+                              NetworkCIDR (both v4 & v6) that can be used to define
+                              external destinations. This field follows standard label
+                              selector semantics; if present but empty, it selects
+                              all ExternalNetworkSets defined in the cluster. \n Support:
+                              Core"
+                            items:
+                              type: string
+                            maxItems: 100
+                            minItems: 1
+                            type: array
                           namespaces:
                             description: "Namespaces defines a way to select a set
                               of Namespaces. \n Support: Core"
diff --git a/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml b/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
@@ -156,6 +156,20 @@ spec:
                         maxProperties: 1
                         minProperties: 1
                         properties:
+                          externalNetworks:
+                            description: "ExternalNetworks defines a way to select
+                              ExternalNetworkSets that consist of network CIDRs that
+                              live outside the cluster as a peer. It is the list of
+                              NetworkCIDR (both v4 & v6) that can be used to define
+                              external destinations. This field follows standard label
+                              selector semantics; if present but empty, it selects
+                              all ExternalNetworkSets defined in the cluster. \n Support:
+                              Core"
+                            items:
+                              type: string
+                            maxItems: 100
+                            minItems: 1
+                            type: array
                           namespaces:
                             description: "Namespaces defines a way to select a set
                               of Namespaces. \n Support: Core"
diff --git a/config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml b/config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml
@@ -160,6 +160,20 @@ spec:
                         maxProperties: 1
                         minProperties: 1
                         properties:
+                          externalNetworks:
+                            description: "ExternalNetworks defines a way to select
+                              ExternalNetworkSets that consist of network CIDRs that
+                              live outside the cluster as a peer. It is the list of
+                              NetworkCIDR (both v4 & v6) that can be used to define
+                              external destinations. This field follows standard label
+                              selector semantics; if present but empty, it selects
+                              all ExternalNetworkSets defined in the cluster. \n Support:
+                              Core"
+                            items:
+                              type: string
+                            maxItems: 100
+                            minItems: 1
+                            type: array
                           namespaces:
                             description: "Namespaces defines a way to select a set
                               of Namespaces. \n Support: Core"
diff --git a/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml b/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
@@ -152,6 +152,20 @@ spec:
                         maxProperties: 1
                         minProperties: 1
                         properties:
+                          externalNetworks:
+                            description: "ExternalNetworks defines a way to select
+                              ExternalNetworkSets that consist of network CIDRs that
+                              live outside the cluster as a peer. It is the list of
+                              NetworkCIDR (both v4 & v6) that can be used to define
+                              external destinations. This field follows standard label
+                              selector semantics; if present but empty, it selects
+                              all ExternalNetworkSets defined in the cluster. \n Support:
+                              Core"
+                            items:
+                              type: string
+                            maxItems: 100
+                            minItems: 1
+                            type: array
                           namespaces:
                             description: "Namespaces defines a way to select a set
                               of Namespaces. \n Support: Core"
