Merge pull request #6 from cybozu-go/ccnp

add support for CiliumClusterwideNetworkPolicies
cybozu-go · Feb 25, 2022 · 32e9e6c · 32e9e6c
2 parents ec91705 + cb2b5f6
commit 32e9e6c
Show file tree

Hide file tree

Showing 33 changed files with 345 additions and 113 deletions.
diff --git a/Makefile b/Makefile
@@ -68,6 +68,7 @@ lint:
 crds:
 	mkdir -p test/crd/
 	curl -fsL -o test/crd/ciliumnetworkpolicies.yaml https://github.com/cilium/cilium/raw/$(CILIUM_VERSION)/pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml
+	curl -fsL -o test/crd/ciliumclusterwidenetworkpolicies.yaml https://github.com/cilium/cilium/raw/$(CILIUM_VERSION)/pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml
 
 .PHONY: test
 test: manifests generate fmt vet crds setup-envtest ## Run tests.

diff --git a/PROJECT b/PROJECT
@@ -6,13 +6,13 @@ repo: github.com/cybozu-go/tenet
 resources:
 - api:
     crdVersion: v1
-    namespaced: true
+    namespaced: false
   controller: true
   domain: cybozu.io
   group: tenet
   kind: NetworkPolicyTemplate
-  path: github.com/cybozu-go/tenet/api/v1beta1
-  version: v1beta1
+  path: github.com/cybozu-go/tenet/api/v1beta2
+  version: v1beta2
 - api:
     crdVersion: v1
     namespaced: true

diff --git a/api/v1beta1/groupversion_info.go → api/v1beta2/groupversion_info.go b/api/v1beta1/groupversion_info.go → api/v1beta2/groupversion_info.go
@@ -17,7 +17,7 @@ limitations under the License.
 // Package v1beta1 contains API Schema definitions for the tenet v1beta1 API group
 //+kubebuilder:object:generate=true
 //+groupName=tenet.cybozu.io
-package v1beta1
+package v1beta2
 
 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -26,7 +26,7 @@ import (
 
 var (
 	// GroupVersion is group version used to register these objects.
-	GroupVersion = schema.GroupVersion{Group: "tenet.cybozu.io", Version: "v1beta1"}
+	GroupVersion = schema.GroupVersion{Group: "tenet.cybozu.io", Version: "v1beta2"}
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

diff --git a/...beta1/networkpolicyadmissionrule_types.go → ...beta2/networkpolicyadmissionrule_types.go b/...beta1/networkpolicyadmissionrule_types.go → ...beta2/networkpolicyadmissionrule_types.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1beta1
+package v1beta2
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -62,6 +62,7 @@ type NetworkPolicyAdmissionRuleForbiddenIPRanges struct {
 //+kubebuilder:object:root=true
 //+kubebuilder:resource:scope=Cluster
 //+kubebuilder:subresource:status
+//+kubebuilder:storageversion
 
 // NetworkPolicyAdmissionRule is the Schema for the networkpolicyadmissionrules API.
 type NetworkPolicyAdmissionRule struct {

diff --git a/api/v1beta1/networkpolicytemplate_types.go → api/v1beta2/networkpolicytemplate_types.go b/api/v1beta1/networkpolicytemplate_types.go → api/v1beta2/networkpolicytemplate_types.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1beta1
+package v1beta2
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -31,13 +31,17 @@ const (
 
 // NetworkPolicyTemplateSpec defines the desired state of NetworkPolicyTemplate.
 type NetworkPolicyTemplateSpec struct {
+	// ClusterWide indicates whether the generated templates are clusterwide templates
+	//+kubebuilder:default=false
+	ClusterWide bool `json:"clusterwide,omitempty"`
 	// PolicyTemplate is a template for creating NetworkPolicies
 	PolicyTemplate string `json:"policyTemplate"`
 }
 
 //+kubebuilder:object:root=true
 //+kubebuilder:resource:scope=Cluster
 //+kubebuilder:subresource:status
+//+kubebuilder:storageversion
 
 // NetworkPolicyTemplate is the Schema for the networkpolicytemplates API.
 type NetworkPolicyTemplate struct {

diff --git a/api/v1beta1/zz_generated.deepcopy.go → api/v1beta2/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go → api/v1beta2/zz_generated.deepcopy.go
diff --git a/charts/tenet/templates/generated/crds/tenet.cybozu.io_crds.yaml b/charts/tenet/templates/generated/crds/tenet.cybozu.io_crds.yaml
@@ -30,7 +30,7 @@ spec:
     singular: networkpolicyadmissionrule
   scope: Cluster
   versions:
-  - name: v1beta1
+  - name: v1beta2
     schema:
       openAPIV3Schema:
         description: NetworkPolicyAdmissionRule is the Schema for the networkpolicyadmissionrules
@@ -136,7 +136,7 @@ spec:
     singular: networkpolicytemplate
   scope: Cluster
   versions:
-  - name: v1beta1
+  - name: v1beta2
     schema:
       openAPIV3Schema:
         description: NetworkPolicyTemplate is the Schema for the networkpolicytemplates
@@ -157,6 +157,11 @@ spec:
           spec:
             description: Spec is the spec for the NetworkPolicyTemplate
             properties:
+              clusterwide:
+                default: false
+                description: ClusterWide indicates whether the generated templates
+                  are clusterwide templates
+                type: boolean
               policyTemplate:
                 description: PolicyTemplate is a template for creating NetworkPolicies
                 type: string

diff --git a/charts/tenet/templates/generated/generated.yaml b/charts/tenet/templates/generated/generated.yaml
@@ -71,6 +71,17 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumclusterwidenetworkpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - cilium.io
   resources:
@@ -274,14 +285,14 @@ webhooks:
     service:
       name: '{{ template "tenet.fullname" . }}-webhook-service'
       namespace: '{{ .Release.Namespace }}'
-      path: /validate-tenet-cybozu-io-v1beta1-networkpolicyadmissionrule
+      path: /validate-tenet-cybozu-io-v1beta2-networkpolicyadmissionrule
   failurePolicy: Fail
   name: vnetworkpolicyadmissionrule.kb.io
   rules:
   - apiGroups:
     - tenet.cybozu.io
     apiVersions:
-    - v1beta1
+    - v1beta2
     operations:
     - CREATE
     - UPDATE

diff --git a/cmd/tenet-controller/main.go b/cmd/tenet-controller/main.go
@@ -33,7 +33,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
-	tenetv1beta1 "github.com/cybozu-go/tenet/api/v1beta1"
+	tenetv1beta2 "github.com/cybozu-go/tenet/api/v1beta2"
 	"github.com/cybozu-go/tenet/controllers"
 	"github.com/cybozu-go/tenet/hooks"
 	//+kubebuilder:scaffold:imports
@@ -46,7 +46,7 @@ var (
 
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
-	utilruntime.Must(tenetv1beta1.AddToScheme(scheme))
+	utilruntime.Must(tenetv1beta2.AddToScheme(scheme))
 	//+kubebuilder:scaffold:scheme
 }
 

diff --git a/config/crd/bases/tenet.cybozu.io_networkpolicyadmissionrules.yaml b/config/crd/bases/tenet.cybozu.io_networkpolicyadmissionrules.yaml
@@ -16,7 +16,7 @@ spec:
     singular: networkpolicyadmissionrule
   scope: Cluster
   versions:
-  - name: v1beta1
+  - name: v1beta2
     schema:
       openAPIV3Schema:
         description: NetworkPolicyAdmissionRule is the Schema for the networkpolicyadmissionrules

diff --git a/config/crd/bases/tenet.cybozu.io_networkpolicytemplates.yaml b/config/crd/bases/tenet.cybozu.io_networkpolicytemplates.yaml
@@ -16,7 +16,7 @@ spec:
     singular: networkpolicytemplate
   scope: Cluster
   versions:
-  - name: v1beta1
+  - name: v1beta2
     schema:
       openAPIV3Schema:
         description: NetworkPolicyTemplate is the Schema for the networkpolicytemplates
@@ -37,6 +37,11 @@ spec:
           spec:
             description: Spec is the spec for the NetworkPolicyTemplate
             properties:
+              clusterwide:
+                default: false
+                description: ClusterWide indicates whether the generated templates
+                  are clusterwide templates
+                type: boolean
               policyTemplate:
                 description: PolicyTemplate is a template for creating NetworkPolicies
                 type: string

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -14,6 +14,17 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumclusterwidenetworkpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - cilium.io
   resources:

diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -33,14 +33,14 @@ webhooks:
     service:
       name: webhook-service
       namespace: system
-      path: /validate-tenet-cybozu-io-v1beta1-networkpolicyadmissionrule
+      path: /validate-tenet-cybozu-io-v1beta2-networkpolicyadmissionrule
   failurePolicy: Fail
   name: vnetworkpolicyadmissionrule.kb.io
   rules:
   - apiGroups:
     - tenet.cybozu.io
     apiVersions:
-    - v1beta1
+    - v1beta2
     operations:
     - CREATE
     - UPDATE