a1708e1c76
This commit is a huge refactoring of how we handle network policies. In general: * KuryrNetPolicy is replaced by KuryrNetworkPolicy. The upgrade path is handled in the constructor of KuryrNetworkPolicyHandler. * New CRD has spec and status properties. spec is always populated by NetworkPolicyHandler. status is handled by KuryrNetworkPolicyHandler. This means that in order to trigger SG rules recalculation on Pod and Service events, the NetworkPolicy is "bumped" with a dummy annotation. * NetworkPolicyHandler injects finalizers onto NetworkPolicy and KuryrNetworkPolicy objects, so that the objects cannot be removed before KuryrNetworkPolicyHandler has processed their deletion. Depends-On: https://review.opendev.org/742209 Change-Id: Iafc982e590ada0cd9d82e922c103583e4304e9ce
# CustomResourceDefinition for the KuryrNetPolicy kind
# (kuryrnetpolicies.openstack.org, version v1).
# NOTE(review): the commit message says this kind is replaced by
# KuryrNetworkPolicy, with the upgrade path handled in the constructor of
# KuryrNetworkPolicyHandler; presumably this CRD stays installed so existing
# KuryrNetPolicy objects can still be read during that upgrade -- confirm
# before dropping it from the manifests.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: kuryrnetpolicies.openstack.org
spec:
  group: openstack.org
  scope: Namespaced
  names:
    plural: kuryrnetpolicies
    singular: kuryrnetpolicy
    kind: KuryrNetPolicy
  versions:
    - name: v1
      served: true
      storage: true
      # Extra columns shown by `kubectl get kuryrnetpolicies`.
      additionalPrinterColumns:
        - name: SG-ID
          type: string
          description: The ID of the SG associated to the policy
          jsonPath: .spec.securityGroupId
        - name: Age
          type: date
          jsonPath: .metadata.creationTimestamp
      # Structural schema. Only .spec is declared here; with
      # apiextensions.k8s.io/v1 the API server prunes undeclared fields
      # (other than metadata) on write because no
      # x-kubernetes-preserve-unknown-fields is set at this level -- this
      # legacy kind therefore carries no .status, unlike the replacement
      # described in the commit message.
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              # securityGroupName is the only spec field left optional.
              required:
                - egressSgRules
                - ingressSgRules
                - networkpolicy_spec
                - podSelector
                - securityGroupId
              properties:
                # Neutron security-group rules realising the egress side of
                # the policy. Each entry wraps one Neutron rule
                # (security_group_rule) plus Kuryr-side bookkeeping
                # (namespace, remote_ip_prefixes).
                egressSgRules:
                  type: array
                  items:
                    type: object
                    required:
                      - security_group_rule
                    properties:
                      # Pruning is disabled for this subtree: whatever is
                      # written here is stored verbatim and unvalidated.
                      remote_ip_prefixes:
                        type: object
                        x-kubernetes-preserve-unknown-fields: true
                      namespace:
                        type: string
                      # Mirrors the Neutron security_group_rule resource;
                      # only the rule id is mandatory.
                      security_group_rule:
                        type: object
                        required:
                          - id
                        properties:
                          description:
                            type: string
                          # NOTE(review): direction (ingress/egress) and
                          # ethertype (IPv4/IPv6) are closed sets on the
                          # Neutron side but free-form strings here; an enum
                          # would let the API server reject malformed rules
                          # before the controller acts on them -- confirm the
                          # exact values the controller writes first.
                          direction:
                            type: string
                          ethertype:
                            type: string
                          id:
                            type: string
                          # NOTE(review): no minimum/maximum and not nullable.
                          # Neutron reports a null port range for rules that
                          # match every port; such a value would fail
                          # validation here unless the writer drops the key --
                          # presumably the controller strips None values,
                          # verify against the driver code.
                          port_range_max:
                            type: integer
                          port_range_min:
                            type: integer
                          protocol:
                            type: string
                          remote_ip_prefix:
                            type: string
                          security_group_id:
                            type: string
                # Same shape as egressSgRules, for the ingress side of the
                # policy.
                ingressSgRules:
                  type: array
                  items:
                    type: object
                    required:
                      - security_group_rule
                    properties:
                      # Stored unpruned, see the egress counterpart.
                      remote_ip_prefixes:
                        x-kubernetes-preserve-unknown-fields: true
                        type: object
                      namespace:
                        type: string
                      # Mirrors the Neutron security_group_rule resource;
                      # same caveats on direction/ethertype/port ranges as
                      # in egressSgRules.
                      security_group_rule:
                        type: object
                        required:
                          - id
                        properties:
                          description:
                            type: string
                          direction:
                            type: string
                          ethertype:
                            type: string
                          id:
                            type: string
                          port_range_max:
                            type: integer
                          port_range_min:
                            type: integer
                          protocol:
                            type: string
                          remote_ip_prefix:
                            type: string
                          security_group_id:
                            type: string
                # Copy of the originating NetworkPolicy .spec. podSelector,
                # ingress and egress are stored with pruning disabled, so
                # validation of their content is effectively delegated to the
                # networking.k8s.io NetworkPolicy they were copied from; any
                # client with write access to this CRD can store arbitrary
                # content under them.
                networkpolicy_spec:
                  type: object
                  properties:
                    podSelector:
                      x-kubernetes-preserve-unknown-fields: true
                      type: object
                    policyTypes:
                      type: array
                      items:
                        type: string
                    ingress:
                      type: array
                      items:
                        x-kubernetes-preserve-unknown-fields: true
                        type: object
                    egress:
                      type: array
                      items:
                        x-kubernetes-preserve-unknown-fields: true
                        type: object
                # Label selector for the pods the policy applies to; stored
                # unpruned like the copy inside networkpolicy_spec.
                podSelector:
                  x-kubernetes-preserve-unknown-fields: true
                  type: object
                # ID of the Neutron security group associated with this
                # policy (also surfaced as the SG-ID printer column).
                # NOTE(review): this lives in .spec, so any principal with
                # update rights on kuryrnetpolicies can point a policy at an
                # arbitrary security group -- write access to this resource
                # should be limited to the Kuryr controller; check the RBAC
                # role bindings that ship with it.
                securityGroupId:
                  type: string
                securityGroupName:
                  type: string