kuryr-kubernetes/kubernetes_crds/kuryr_crds/kuryrnetpolicy.yaml
Michał Dulko a1708e1c76 KuryrNetworkPolicy CRD
This commit is a huge refactoring of how we handle network policies. In
general:

* KuryrNetPolicy is replaced by KuryrNetworkPolicy. The upgrade path
  is handled in the constructor of KuryrNetworkPolicyHandler.
* New CRD has spec and status properties. spec is always populated by
  NetworkPolicyHandler. status is handled by KuryrNetworkPolicyHandler.
  This means that in order to trigger SG rules recalculation on Pod and
  Service events, the NetworkPolicy is "bumped" with a dummy annotation.
* NetworkPolicyHandler injects finalizers onto NetworkPolicy and
  KuryrNetworkPolicy objects, so that objects cannot get removed before
  KuryrNetworkPolicyHandler processes the deletion correctly.

Depends-On: https://review.opendev.org/742209
Change-Id: Iafc982e590ada0cd9d82e922c103583e4304e9ce
2020-07-31 14:44:15 +02:00


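---
# CustomResourceDefinition registering the namespaced KuryrNetPolicy kind
# in the openstack.org API group. One version (v1) is both served and
# stored. The schema shown here describes only `spec`.
#
# NOTE(review): the commit log shown with this file describes KuryrNetPolicy
# as replaced by KuryrNetworkPolicy; this definition is presumably kept for
# the upgrade path. Confirm before building on it.
#
# NOTE(review): objects of this kind carry a security group ID and rule
# lists. Write access is presumably meant for the Kuryr controller only;
# confirm the RBAC rules that grant create/update/patch on this resource.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: kuryrnetpolicies.openstack.org
spec:
  group: openstack.org
  scope: Namespaced
  names:
    plural: kuryrnetpolicies
    singular: kuryrnetpolicy
    kind: KuryrNetPolicy
  versions:
    - name: v1
      served: true
      storage: true
      # Extra columns printed by `kubectl get`.
      additionalPrinterColumns:
        - name: SG-ID
          type: string
          description: The ID of the SG associated to the policy
          jsonPath: .spec.securityGroupId
        - name: Age
          type: date
          jsonPath: .metadata.creationTimestamp
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              # securityGroupName is the only spec field not required.
              required:
                - egressSgRules
                - ingressSgRules
                - networkpolicy_spec
                - podSelector
                - securityGroupId
              properties:
                # Egress rule list. Each item must carry a
                # security_group_rule, which in turn must carry an id.
                egressSgRules:
                  type: array
                  items:
                    type: object
                    required:
                      - security_group_rule
                    properties:
                      # Free-form object: with
                      # x-kubernetes-preserve-unknown-fields the API server
                      # neither prunes nor validates what is stored here, so
                      # whatever reads it has to validate it.
                      remote_ip_prefixes:
                        type: object
                        x-kubernetes-preserve-unknown-fields: true
                      namespace:
                        type: string
                      security_group_rule:
                        type: object
                        required:
                          - id
                        properties:
                          description:
                            type: string
                          # direction, ethertype, protocol and
                          # remote_ip_prefix are plain strings with no enum,
                          # pattern or format; any string is admitted.
                          direction:
                            type: string
                          ethertype:
                            type: string
                          id:
                            type: string
                          # NOTE(review): no minimum/maximum is set on the
                          # port range fields, so any integer is admitted.
                          # Range checks rest with the writer and consumer.
                          port_range_max:
                            type: integer
                          port_range_min:
                            type: integer
                          protocol:
                            type: string
                          remote_ip_prefix:
                            type: string
                          security_group_id:
                            type: string
                # Ingress rule list; same item shape and the same
                # validation gaps as egressSgRules.
                ingressSgRules:
                  type: array
                  items:
                    type: object
                    required:
                      - security_group_rule
                    properties:
                      # Free-form object, not pruned or validated by the
                      # API server.
                      remote_ip_prefixes:
                        x-kubernetes-preserve-unknown-fields: true
                        type: object
                      namespace:
                        type: string
                      security_group_rule:
                        type: object
                        required:
                          - id
                        properties:
                          description:
                            type: string
                          direction:
                            type: string
                          ethertype:
                            type: string
                          id:
                            type: string
                          # Unbounded integers, as in egressSgRules.
                          port_range_max:
                            type: integer
                          port_range_min:
                            type: integer
                          protocol:
                            type: string
                          remote_ip_prefix:
                            type: string
                          security_group_id:
                            type: string
                # Presumably a copy of the originating NetworkPolicy spec
                # (TODO confirm against the writer). Only policyTypes is
                # typed down to its items; podSelector and every
                # ingress/egress entry are free-form objects that the
                # API server stores without pruning or validation.
                networkpolicy_spec:
                  type: object
                  properties:
                    podSelector:
                      x-kubernetes-preserve-unknown-fields: true
                      type: object
                    policyTypes:
                      type: array
                      items:
                        type: string
                    ingress:
                      type: array
                      items:
                        x-kubernetes-preserve-unknown-fields: true
                        type: object
                    egress:
                      type: array
                      items:
                        x-kubernetes-preserve-unknown-fields: true
                        type: object
                # Top-level selector, also free-form and unvalidated.
                podSelector:
                  x-kubernetes-preserve-unknown-fields: true
                  type: object
                securityGroupId:
                  type: string
                securityGroupName:
                  type: string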