Merge pull request #2 from aws/main

Adding Cluster Network Policy change (#496)

Author: m00lecule

.go-version

@@ -1 +1 @@
-1.24
+1.25

Makefile

@@ -2,7 +2,7 @@
 # Image URL to use all building/pushing image targets
 IMAGE ?= amazon/aws-network-policy-agent
 VERSION ?= $(shell git describe --tags --always --dirty || echo "unknown")
-IMAGE_NAME = $(IMAGE)$(IMAGE_ARCH_SUFFIX):$(VERSION)
+IMAGE_NAME ?= $(IMAGE)$(IMAGE_ARCH_SUFFIX):$(VERSION)
 GOLANG_VERSION ?= $(shell cat .go-version)
 GOLANG_IMAGE ?= public.ecr.aws/eks-distro-build-tooling/golang:$(GOLANG_VERSION)-gcc-al2
 # TEST_IMAGE is the testing environment container image.
@@ -84,7 +84,7 @@ vet: setup-ebpf-sdk-override # Run go vet against code.
 
 .PHONY: test
 test: manifests generate fmt vet envtest ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./cmd/... ./controllers/... ./pkg/... -coverprofile cover.out -v -coverprofile=coverage.txt
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./controllers ./pkg/ebpf ./pkg/fwruleprocessor ./pkg/rpc ./pkg/types ./pkg/utils -v -coverprofile=coverage.txt -covermode=atomic
 
 ##@ Build
 

api/v1alpha1/clusterpolicyendpoints_types.go

@@ -0,0 +1,120 @@
+/*
+Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Tier defines the tier of the admin policy
+// +kubebuilder:validation:Enum={"Admin", "Baseline"}
+type Tier string
+
+const (
+	// AdminTier
+	AdminTier Tier = "Admin"
+	// BaselineTier
+	BaselineTier Tier = "Baseline"
+)
+
+// ClusterPolicyAction defines the action to be applied by the admin policy
+// +kubebuilder:validation:Enum={"Accept", "Deny", "Pass"}
+
+type ClusterNetworkPolicyRuleAction string
+
+const (
+	ClusterNetworkPolicyRuleActionAccept ClusterNetworkPolicyRuleAction = "Accept"
+	ClusterNetworkPolicyRuleActionDeny   ClusterNetworkPolicyRuleAction = "Deny"
+	ClusterNetworkPolicyRuleActionPass   ClusterNetworkPolicyRuleAction = "Pass"
+)
+
+// ClusterPolicyReference is the reference to the admin network policy resource
+type ClusterPolicyReference struct {
+	// Name is the name of the ClusterNetworkPolicy
+	Name string `json:"name"`
+}
+
+// EndpointInfo defines the network endpoint information for the policy ingress/egress
+type ClusterEndpointInfo struct {
+
+	// CIDR is the network address(s) of the endpoint
+	CIDR NetworkAddress `json:"cidr,omitempty"`
+
+	// Ports is the list of ports
+	Ports []Port `json:"ports,omitempty"`
+
+	// DomainName is the FQDN for the endpoint (egress-only)
+	DomainName DomainName `json:"domainName,omitempty"`
+
+	// Action from the CNP rule
+	Action ClusterNetworkPolicyRuleAction `json:"action"`
+}
+
+// ClusterPolicyEndpointSpec defines the desired state of ClusterPolicyEndpoint
+type ClusterPolicyEndpointSpec struct {
+
+	// PolicyRef is a reference to the Kubernetes AdminNetworkPolicy resource.
+	PolicyRef ClusterPolicyReference `json:"policyRef"`
+
+	// Tier defines the type of admin policy
+	Tier Tier `json:"tier"`
+
+	// Priority is the priority of the admin policy endpoint
+	Priority int32 `json:"priority"`
+
+	// PodSelectorEndpoints contains information about the pods
+	// matching the podSelector
+	PodSelectorEndpoints []PodEndpoint `json:"podSelectorEndpoints,omitempty"`
+
+	// Ingress is the list of ingress rules containing resolved network addresses
+	Ingress []ClusterEndpointInfo `json:"ingress,omitempty"`
+
+	// Egress is the list of egress rules containing resolved network addresses
+	Egress []ClusterEndpointInfo `json:"egress,omitempty"`
+}
+
+// ClusterPolicyEndpointStatus defines the observed state of ClusterPolicyEndpoint
+type ClusterPolicyEndpointStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:resource:scope=Cluster
+
+// ClusterPolicyEndpoint is the Schema for the ClusterPolicyendpoints API
+type ClusterPolicyEndpoint struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ClusterPolicyEndpointSpec   `json:"spec,omitempty"`
+	Status ClusterPolicyEndpointStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// ClusterPolicyEndpointList contains a list of ClusterPolicyEndpoint
+type ClusterPolicyEndpointList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ClusterPolicyEndpoint `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ClusterPolicyEndpoint{}, &ClusterPolicyEndpointList{})
+}

api/v1alpha1/policyendpoints_types.go

@@ -33,6 +33,28 @@ type PolicyReference struct {
 
 type NetworkAddress string
 
+// DomainName describes one or more domain names to be used as a peer.
+//
+// DomainName can be an exact match, or use the wildcard specifier '*' to match
+// one or more labels.
+//
+// '*', the wildcard specifier, matches one or more entire labels. It does not
+// support partial matches. '*' may only be specified as a prefix.
+//
+//	Examples:
+//	  - `kubernetes.io` matches only `kubernetes.io`.
+//	    It does not match "www.kubernetes.io", "blog.kubernetes.io",
+//	    "my-kubernetes.io", or "wikipedia.org".
+//	  - `blog.kubernetes.io` matches only "blog.kubernetes.io".
+//	    It does not match "www.kubernetes.io" or "kubernetes.io".
+//	  - `*.kubernetes.io` matches subdomains of kubernetes.io.
+//	    "www.kubernetes.io", "blog.kubernetes.io", and
+//	    "latest.blog.kubernetes.io" match, however "kubernetes.io", and
+//	    "wikipedia.org" do not.
+//
+// +kubebuilder:validation:Pattern=`^(\*\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.?$`
+type DomainName string
+
 // Port contains information about the transport port/protocol
 type Port struct {
 	// Protocol specifies the transport protocol, default TCP
@@ -49,7 +71,11 @@ type Port struct {
 // EndpointInfo defines the network endpoint information for the policy ingress/egress
 type EndpointInfo struct {
 	// CIDR is the network address(s) of the endpoint
-	CIDR NetworkAddress `json:"cidr"`
+	CIDR NetworkAddress `json:"cidr,omitempty"`
+
+	// DomainName is the FQDN for the endpoint (mutually exclusive with CIDR, egress-only)
+	// Note: This field should only be used in egress rules, not ingress
+	DomainName DomainName `json:"domainName,omitempty"`
 
 	// Except is the exceptions to the CIDR ranges mentioned above.
 	Except []NetworkAddress `json:"except,omitempty"`

api/v1alpha1/zz_generated.deepcopy.go

@@ -64,7 +64,22 @@ var mapWalkCmd = &cobra.Command{
 	Run: func(cmd *cobra.Command, args []string) {
 		mapID := args[0]
 		strMapID, _ := strconv.Atoi(mapID)
-		err := clihelper.MapWalk(strMapID)
+		err := clihelper.MapWalk(strMapID, "")
+		if err != nil {
+			fmt.Println("Failed to execute the cmd - ", err)
+		}
+	},
+}
+
+var mapWalkCPCmd = &cobra.Command{
+	Use:     "dump-cp-maps",
+	Aliases: []string{"dcp"},
+	Short:   "Dump all ebpf maps related data",
+	Args:    cobra.ExactArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		mapID := args[0]
+		strMapID, _ := strconv.Atoi(mapID)
+		err := clihelper.MapWalkCP(strMapID)
 		if err != nil {
 			fmt.Println("Failed to execute the cmd - ", err)
 		}
@@ -77,4 +92,5 @@ func init() {
 	subCmd.AddCommand(mapCmd)
 	subCmd.AddCommand(ebpfdataCmd)
 	subCmd.AddCommand(mapWalkCmd)
+	subCmd.AddCommand(mapWalkCPCmd)
 }