diff --git a/README.md b/README.md index 3d43290cb1a..d6d6f95831a 100644 --- a/README.md +++ b/README.md @@ -106,10 +106,10 @@ Also check out [@ProjectAntrea](https://twitter.com/ProjectAntrea) on Twitter! enable fine-grained visibility into the communication among Kubernetes workloads. Theia provides visualization for Antrea network flows in Grafana dashboards, and recommends Network Policies to secure the workloads. -* **Network Policies for virtual machines**: Antrea native policies can be +* **Network Policies for virtual machines**: Antrea-native policies can be enforced on non-Kubernetes Nodes including VMs and baremetal servers. Project [Nephe](https://github.com/antrea-io/nephe) implements security policies for - VMs across clouds, leveraging Antrea native policies. + VMs across clouds, leveraging Antrea-native policies. * **Encryption**: Encryption of inter-Node Pod traffic with IPsec or WireGuard tunnels. * **Easy deployment**: Antrea is deployed by applying a single YAML manifest diff --git a/docs/antctl.md b/docs/antctl.md index cc8e84e9b55..f0e966c26eb 100644 --- a/docs/antctl.md +++ b/docs/antctl.md @@ -25,7 +25,7 @@ running in three different modes: - [controllerinfo and agentinfo commands](#controllerinfo-and-agentinfo-commands) - [NetworkPolicy commands](#networkpolicy-commands) - [Mapping endpoints to NetworkPolicies](#mapping-endpoints-to-networkpolicies) - - [Analyzing expected NetworkPolicies behavior](#analyzing-expected-networkpolicies-behavior) + - [Analyzing expected NetworkPolicy behavior](#analyzing-expected-networkpolicy-behavior) - [Dumping Pod network interface information](#dumping-pod-network-interface-information) - [Dumping OVS flows](#dumping-ovs-flows) - [OVS packet tracing](#ovs-packet-tracing) 
@@ -264,14 +264,14 @@ Namespace. This command only works in "controller mode" and **as of now it can only be run from inside the Antrea Controller Pod, and not from out-of-cluster**. -#### Analyzing expected NetworkPolicies behavior +#### Analyzing expected NetworkPolicy behavior -`antctl` supports analyzing all the existing Antrea Native NetworkPolicies, +`antctl` supports analyzing all the existing Antrea-native NetworkPolicies, Kubernetes NetworkPolicies and AdminNetworkPolicies to predict the effective policy rule for traffic between source and destination Pods. ```bash -antctl query networkpolicyanalysis -S NAMESPACE/POD -D NAMESPACE/POD +antctl query effectivepolicyrule -S NAMESPACE/POD -D NAMESPACE/POD ``` If only Pod name is provided, the command will default to the "default" Namespace. diff --git a/docs/feature-gates.md b/docs/feature-gates.md index 79008d60430..20de5037fe7 100644 --- a/docs/feature-gates.md +++ b/docs/feature-gates.md @@ -173,7 +173,7 @@ This feature is currently only supported for Nodes running Linux. Windows suppor Stats API, which can be accessed by kubectl get commands, e.g. `kubectl get networkpolicystats`. The statistical data includes total number of sessions, packets, and bytes allowed or denied by a NetworkPolicy. It is collected asynchronously so there may be a delay of up to 1 minute for changes to be reflected in API responses. The feature -supports K8s NetworkPolicies and Antrea native policies, the latter of which requires +supports K8s NetworkPolicies and Antrea-native policies, the latter of which requires `AntreaPolicy` to be enabled. Usage examples: ```bash diff --git a/docs/multicluster/user-guide.md b/docs/multicluster/user-guide.md index 6673f6ec657..025dc198dc0 100644 --- a/docs/multicluster/user-guide.md +++ b/docs/multicluster/user-guide.md 
@@ -31,7 +31,7 @@ Antrea Multi-cluster implements [Multi-cluster Service API](https://github.com/kubernetes/enhancements/tree/master/keps/sig-multicluster/1645-multi-cluster-services-api), which allows users to create multi-cluster Services that can be accessed cross -clusters in a ClusterSet. Antrea Multi-cluster also extends Antrea native +clusters in a ClusterSet. Antrea Multi-cluster also extends Antrea-native NetworkPolicy to support Multi-cluster NetworkPolicy rules that apply to cross-cluster traffic, and ClusterNetworkPolicy replication that allows a ClusterSet admin to create ClusterNetworkPolicies which are replicated across diff --git a/docs/traceflow-guide.md b/docs/traceflow-guide.md index 5cf8b5d4782..7b555082f5d 100644 --- a/docs/traceflow-guide.md +++ b/docs/traceflow-guide.md @@ -140,7 +140,7 @@ will fail. But you can specify a different timeout value, by adding `timeout: ` to the Traceflow `spec`. In some cases, it might be useful to capture the packets dropped by -NetworkPolicies (inc. K8s NetworkPolicies or Antrea native policies). You can +NetworkPolicies (inc. K8s NetworkPolicies or Antrea-native policies). You can add `droppedOnly: true` to the live-traffic Traceflow `spec`, then the first packet that matches the Traceflow spec and is dropped by a NetworkPolicy will be captured and traced. diff --git a/hack/update-codegen-dockerized.sh b/hack/update-codegen-dockerized.sh index 33ff175fb2d..16a4e291ace 100755 --- a/hack/update-codegen-dockerized.sh +++ b/hack/update-codegen-dockerized.sh 
@@ -59,7 +59,7 @@ MOCKGEN_TARGETS=( "pkg/agent/util/netlink Interface testing mock_netlink_linux.go" "pkg/agent/wireguard Interface testing mock_wireguard.go" "pkg/antctl AntctlClient ." - "pkg/controller/networkpolicy EndpointQuerier testing" + "pkg/controller/networkpolicy EndpointQuerier,PolicyRuleQuerier testing" "pkg/controller/querier ControllerQuerier testing" "pkg/flowaggregator/exporter Interface testing" "pkg/ipfix IPFIXExportingProcess,IPFIXRegistry,IPFIXCollectingProcess,IPFIXAggregationProcess testing" diff --git a/pkg/agent/controller/networkpolicy/audit_logging.go b/pkg/agent/controller/networkpolicy/audit_logging.go index 841d2986209..3dd3a82695b 100644 --- a/pkg/agent/controller/networkpolicy/audit_logging.go +++ b/pkg/agent/controller/networkpolicy/audit_logging.go @@ -281,7 +281,7 @@ func getNetworkPolicyInfo(pktIn *ofctrl.PacketIn, packet *binding.Packet, c *Con ob.ofPriority = ofPriority ob.ruleName = ruleName ob.logLabel = logLabel - // Fill in placeholders for Antrea native policies without log labels, + // Fill in placeholders for Antrea-native policies without log labels, // K8s NetworkPolicies without rule names or log labels. fillLogInfoPlaceholders([]*string{&ob.ruleName, &ob.logLabel, &ob.ofPriority}) return nil diff --git a/pkg/antctl/antctl.go b/pkg/antctl/antctl.go index 5c89f3cc8e7..7f485b71965 100644 --- a/pkg/antctl/antctl.go +++ b/pkg/antctl/antctl.go @@ -222,7 +222,7 @@ $ antctl get podmulticaststats pod -n namespace`, }, { name: "type", - usage: "Get NetworkPolicies with specific type. Type means the type of its source network policy: K8sNP, ACNP, ANNP", + usage: "Get NetworkPolicies with specific type. Type means the type of its source NetworkPolicy: K8sNP, ACNP, ANNP", shorthand: "T", }, }, getSortByFlag()), 
@@ -509,17 +509,18 @@ $ antctl get podmulticaststats pod -n namespace`, }, transformedResponse: reflect.TypeOf(endpointServer.EndpointQueryResponse{}), }, - {use: "networkpolicyanalysis", - aliases: []string{"npanalysis"}, - short: "Analyze network policy rules.", + { + use: "effectivepolicyrule", + aliases: []string{"effectiverule"}, + short: "Analyze effective NetworkPolicy rules.", long: "Analyze network policies in the cluster and return the rule expected to be effective on the source and destination endpoints provided.", - example: ` Query effective network policy rule between two pods - $ antctl query networkpolicyanalysis -S ns1/pod1 -D ns2/pod2 + example: ` Query effective NetworkPolicy rule between two Pods + $ antctl query effectivepolicyrule -S ns1/pod1 -D ns2/pod2 `, commandGroup: query, controllerEndpoint: &endpoint{ - nonResourceEndpoint: &nonResourceEndpoint{ - path: "/networkpolicyanalysis", + resourceEndpoint: &resourceEndpoint{ + groupVersionResource: &cpv1beta.NetworkPolicyAccessReviewVersionResource, params: []flagInfo{ { name: "source", @@ -532,10 +533,12 @@ $ antctl get podmulticaststats pod -n namespace`, shorthand: "D", }, }, - outputType: single, + paramsFormatter: networkpolicy.NewNetworkPolicyAccessReview, + restMethod: restPost, }, + addonTransform: networkpolicy.AccessTransform, }, - transformedResponse: reflect.TypeOf(endpointServer.Rule{}), + transformedResponse: reflect.TypeOf(networkpolicy.AccessResponse{}), }, { use: "flowrecords", diff --git a/pkg/antctl/client.go b/pkg/antctl/client.go index 31f544185cd..9b0b4583c16 100644 --- a/pkg/antctl/client.go +++ b/pkg/antctl/client.go 
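Review bot: The `long` text of the renamed command still reads "Analyze network policies in the cluster and return the rule expected to be effective on the source and destination endpoints provided." while `short` and `example` in the same hunk were normalized to "NetworkPolicy"/"Pods"; `long: "Analyze NetworkPolicies in the cluster and return the rule expected to be effective between the source and destination Pods provided.",` keeps the three strings consistent. Switching the controller endpoint from a GET on a `nonResourceEndpoint` to `restPost` against `cpv1beta.NetworkPolicyAccessReviewVersionResource` means the antctl identity now needs the `create` verb on that controlplane resource; the RBAC manifests are not part of this diff, so confirm they were updated alongside the `register.go` change further down.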
@@ -161,22 +161,38 @@ func (c *client) resourceRequest(e *resourceEndpoint, opt *requestOption) (io.Re // If timeout is zero, there will be no timeout. restClient.Client.Timeout = opt.timeout - resGetter := restClient.Get(). + var restRequest *rest.Request + if e.restMethod == restGet { + restRequest = restClient.Get() + } else if e.restMethod == restPost { + restRequest = restClient.Post() + } + + restRequest = restRequest. NamespaceIfScoped(opt.args["namespace"], e.namespaced). Resource(e.groupVersionResource.Resource) if len(e.resourceName) != 0 { - resGetter = resGetter.Name(e.resourceName) + restRequest = restRequest.Name(e.resourceName) } else if name, ok := opt.args["name"]; ok { - resGetter = resGetter.Name(name) + restRequest = restRequest.Name(name) } for arg, val := range opt.args { if arg != "name" && arg != "namespace" { - resGetter = resGetter.Param(arg, val) + restRequest = restRequest.Param(arg, val) } } - result := resGetter.Do(context.TODO()) + + if e.paramsFormatter != nil { + obj, err := e.paramsFormatter(opt.args) + if err != nil { + return nil, err + } + restRequest = restRequest.Body(obj) + } + + result := restRequest.Do(context.TODO()) if result.Error() != nil { return nil, generateMessage(opt.commandDefinition, opt.args, true /* isResourceRequest */, result.Error()) } diff --git a/pkg/antctl/command_definition.go b/pkg/antctl/command_definition.go index c7abcd34743..09b7aea78af 100644 --- a/pkg/antctl/command_definition.go +++ b/pkg/antctl/command_definition.go @@ -26,12 +26,13 @@ import ( "github.com/spf13/cobra" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + apiRuntime "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/klog/v2" "antrea.io/antrea/pkg/antctl/output" "antrea.io/antrea/pkg/antctl/runtime" - "antrea.io/antrea/pkg/apis/controlplane/v1beta2" + "antrea.io/antrea/pkg/apis/controlplane" endpointServer "antrea.io/antrea/pkg/apiserver/handlers/endpoint" ) 
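Review bot: `restRequest` remains nil when `e.restMethod` is neither `restGet` nor `restPost`, and the chained `NamespaceIfScoped` call on the following line then dereferences a nil `*rest.Request`; a `switch` with a `default` that returns an error closes the enum instead of relying on the if/else chain. The `for arg, val := range opt.args` loop still adds `source`/`destination` as query parameters even though `paramsFormatter` now also places them in the POST body, so the same input travels twice; if that duplication is not intended, skip the loop for the keys the formatter consumed when one is set. `resourceRequest` starts and ends outside the hunk, and the `fmt` import may need adding if client.go does not already have it.
```go
	var restRequest *rest.Request
	switch e.restMethod {
	case restGet:
		restRequest = restClient.Get()
	case restPost:
		restRequest = restClient.Post()
	default:
		return nil, fmt.Errorf("unsupported REST method %d for resource %q", e.restMethod, e.groupVersionResource.Resource)
	}
	// … unchanged: namespace/resource/name chaining, query params, body, Do() …
```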
@@ -108,6 +109,9 @@ type resourceEndpoint struct { resourceName string namespaced bool supportSorting bool + params []flagInfo + paramsFormatter func(args map[string]string) (apiRuntime.Object, error) + restMethod restMethod } func (e *resourceEndpoint) OutputType() OutputType { @@ -138,6 +142,7 @@ func (e *resourceEndpoint) flags() []flagInfo { if e.supportSorting { flags = append(flags, getSortByFlag()) } + flags = append(flags, e.params...) return flags } @@ -149,6 +154,13 @@ func getSortByFlag() flagInfo { } } +type restMethod uint + +const ( + restGet restMethod = iota + restPost +) + type nonResourceEndpoint struct { path string params []flagInfo @@ -455,10 +467,10 @@ func (cd *commandDefinition) tableOutputForQueryEndpoint(obj interface{}, writer // transform egress and ingress rules to string representation egress, ingress := make([][]string, 0), make([][]string, 0) for _, rule := range endpoint.Rules { - ruleStr := []string{rule.Name, rule.Namespace, strconv.Itoa(rule.RuleIndex), string(rule.UID)} - if rule.Direction == v1beta2.DirectionIn { + ruleStr := []string{rule.PolicyRef.Name, rule.PolicyRef.Namespace, strconv.Itoa(rule.RuleIndex), string(rule.PolicyRef.UID)} + if rule.Direction == controlplane.DirectionIn { ingress = append(ingress, ruleStr) - } else if rule.Direction == v1beta2.DirectionOut { + } else if rule.Direction == controlplane.DirectionOut { egress = append(egress, ruleStr) } } 
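Review bot: The new `restMethod` field relies on `restGet` being the `iota` zero value so that every existing `resourceEndpoint` literal that does not set it keeps issuing GET requests, but neither the field nor the constant says so; a comment such as `// restGet is the zero value so endpoints that do not set restMethod keep issuing GET requests.` above the `const` block protects that invariant against a later reordering. The `params` and `paramsFormatter` fields added to `resourceEndpoint` also lack doc comments; `// params are extra flags exposed by the command; paramsFormatter, when set, turns the collected args into the request body.` would mirror the existing `nonResourceEndpoint.params` usage. The `resourceEndpoint` struct definition begins outside the hunk.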
@@ -497,27 +509,6 @@ func (cd *commandDefinition) tableOutputForQueryEndpoint(obj interface{}, writer return nil } -// tableOutputForQueryNetworkPolicyAnalysis implements printing rule as query result -func (cd *commandDefinition) tableOutputForQueryNetworkPolicyAnalysis(obj interface{}, writer io.Writer) error { - constructTable := func(header []string, body []string) error { - rows := [][]string{header, body} - numRows, numCol := len(rows), len(rows[0]) - widths := output.GetColumnWidths(numRows, numCol, rows) - if err := output.ConstructTable(numRows, numCol, widths, rows, writer); err != nil { - return err - } - return nil - } - queryResponse := obj.(*endpointServer.Rule) - if queryResponse.Name != "" { - ruleStr := []string{queryResponse.Name, queryResponse.Namespace, string(queryResponse.Type), strconv.Itoa(queryResponse.RuleIndex), string(queryResponse.Direction)} - if err := constructTable([]string{"Name", "Namespace", "PolicyType", "RuleIndex", "Direction"}, ruleStr); err != nil { - return err - } - } - return nil -} - // output reads bytes from the resp and outputs the data to the writer in desired // format. If the AddonTransform is set, it will use the function to transform // the data first. It will try to output the resp in the format ft specified after 
@@ -560,12 +551,10 @@ func (cd *commandDefinition) output(resp io.Reader, writer io.Writer, ft formatt if cd.commandGroup == get { return output.TableOutputForGetCommands(obj, writer) } else if cd.commandGroup == query { - if cd.controllerEndpoint.nonResourceEndpoint.path == "/endpoint" { + if cd.controllerEndpoint.nonResourceEndpoint != nil && cd.controllerEndpoint.nonResourceEndpoint.path == "/endpoint" { return cd.tableOutputForQueryEndpoint(obj, writer) } - if cd.controllerEndpoint.nonResourceEndpoint.path == "/networkpolicyanalysis" { - return cd.tableOutputForQueryNetworkPolicyAnalysis(obj, writer) - } + return output.TableOutputForGetCommands(obj, writer) } else { return output.TableOutput(obj, writer) } @@ -574,7 +563,6 @@ func (cd *commandDefinition) output(resp io.Reader, writer io.Writer, ft formatt default: return fmt.Errorf("unsupported format type: %v", ft) } - return nil } func (cd *commandDefinition) collectFlags(cmd *cobra.Command, args []string) (map[string]string, error) { diff --git a/pkg/antctl/command_definition_test.go b/pkg/antctl/command_definition_test.go index 826a6fcd3c8..d522351ae7d 100644 --- a/pkg/antctl/command_definition_test.go +++ b/pkg/antctl/command_definition_test.go @@ -910,8 +910,8 @@ func TestGetRequestErrorFallback(t *testing.T) { } func TestTableOutputForQueryEndpoint(t *testing.T) { - policyRef0 := endpointServer.PolicyRef{Namespace: "testNamespace", Name: "test-ingress-egress", UID: "uid-1"} - policyRef1 := endpointServer.PolicyRef{Namespace: "testNamespace", Name: "default-deny-egress", UID: "uid-2"} + policyRef0 := controlplane.NetworkPolicyReference{Namespace: "testNamespace", Name: "test-ingress-egress", UID: "uid-1", Type: controlplane.AntreaNetworkPolicy} + policyRef1 := controlplane.NetworkPolicyReference{Namespace: "testNamespace", Name: "default-deny-egress", UID: "uid-2", Type: controlplane.AntreaNetworkPolicy} tc := []struct { name string rawResponseData interface{} 
@@ -921,7 +921,7 @@ func TestTableOutputForQueryEndpoint(t *testing.T) { name: "Pod selected by no policy", rawResponseData: &endpointServer.EndpointQueryResponse{ Endpoints: []endpointServer.Endpoint{ - {Namespace: "testNamespace", Name: "podA", Policies: []endpointServer.Policy{}, Rules: []endpointServer.Rule{}}, + {Namespace: "testNamespace", Name: "podA", Policies: []controlplane.NetworkPolicyReference{}, Rules: []endpointServer.Rule{}}, }, }, expected: `Endpoint testNamespace/podA @@ -940,10 +940,10 @@ Ingress Rules: None { Namespace: "testNamespace", Name: "podA", - Policies: []endpointServer.Policy{{PolicyRef: policyRef0}}, + Policies: []controlplane.NetworkPolicyReference{policyRef0}, Rules: []endpointServer.Rule{ - {PolicyRef: policyRef0, Direction: cpv1beta.DirectionOut, RuleIndex: 0}, - {PolicyRef: policyRef0, Direction: cpv1beta.DirectionIn, RuleIndex: 0}, + {PolicyRef: policyRef0, Direction: controlplane.DirectionOut, RuleIndex: 0}, + {PolicyRef: policyRef0, Direction: controlplane.DirectionIn, RuleIndex: 0}, }, }, }, @@ -970,13 +970,12 @@ test-ingress-egress testNamespace 0 uid-1 { Namespace: "testNamespace", Name: "podA", - Policies: []endpointServer.Policy{ - {PolicyRef: policyRef0}, - {PolicyRef: policyRef1}, + Policies: []controlplane.NetworkPolicyReference{ + policyRef0, policyRef1, }, Rules: []endpointServer.Rule{ - {PolicyRef: policyRef0, Direction: cpv1beta.DirectionOut, RuleIndex: 0}, - {PolicyRef: policyRef0, Direction: cpv1beta.DirectionIn, RuleIndex: 0}, + {PolicyRef: policyRef0, Direction: controlplane.DirectionOut, RuleIndex: 0}, + {PolicyRef: policyRef0, Direction: controlplane.DirectionIn, RuleIndex: 0}, }, }, }, 
@@ -1009,41 +1008,6 @@ test-ingress-egress testNamespace 0 uid-1 } } -func TestTableOutputForQueryNetworkPolicyAnalysis(t *testing.T) { - policyRef0 := endpointServer.PolicyRef{Type: controlplane.K8sNetworkPolicy, Namespace: "testNamespace", Name: "test-default-deny", UID: "uid-1"} - tc := []struct { - name string - rawResponseData interface{} - expected string - }{ - { - name: "No matching rule", - rawResponseData: &endpointServer.Rule{}, - expected: ``, - }, - { - name: "Matched KNP default drop rule", - rawResponseData: &endpointServer.Rule{ - PolicyRef: policyRef0, - Direction: cpv1beta.DirectionIn, - RuleIndex: -1, - }, - expected: `Name Namespace PolicyType RuleIndex Direction -test-default-deny testNamespace K8sNetworkPolicy -1 In -`, - }, - } - for _, tt := range tc { - t.Run(tt.name, func(t *testing.T) { - cd := &commandDefinition{} - var outputBuf bytes.Buffer - err := cd.tableOutputForQueryNetworkPolicyAnalysis(tt.rawResponseData, &outputBuf) - assert.Nil(t, err) - assert.Equal(t, tt.expected, outputBuf.String()) - }) - } -} - func TestCollectFlags(t *testing.T) { tc := []struct { name string diff --git a/pkg/antctl/transform/networkpolicy/transform.go b/pkg/antctl/transform/networkpolicy/transform.go index b290a7b1986..29a9fb0dc92 100644 --- a/pkg/antctl/transform/networkpolicy/transform.go +++ b/pkg/antctl/transform/networkpolicy/transform.go @@ -15,12 +15,16 @@ package networkpolicy import ( + "encoding/json" + "fmt" "io" "reflect" "sort" "strconv" + "strings" "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/apimachinery/pkg/runtime" "k8s.io/kubectl/pkg/cmd/get" "k8s.io/kubectl/pkg/scheme" "k8s.io/utils/strings/slices" 
@@ -161,3 +165,71 @@ func (r Response) GetTableRow(maxColumnLength int) []string { func (r Response) SortRows() bool { return false } + +type AccessResponse struct { + *cpv1beta.NetworkPolicyAccessReview +} + +func AccessTransform(reader io.Reader, _ bool, _ map[string]string) (interface{}, error) { + refVal := reflect.New(reflect.TypeOf(cpv1beta.NetworkPolicyAccessReview{})) + if err := json.NewDecoder(reader).Decode(refVal.Interface()); err != nil { + return nil, err + } + return AccessResponse{refVal.Interface().(*cpv1beta.NetworkPolicyAccessReview)}, nil +} + +var _ common.TableOutput = new(AccessResponse) + +func (r AccessResponse) GetTableHeader() []string { + return []string{"NAME", "NAMESPACE", "POLICY-TYPE", "RULE-INDEX", "DIRECTION"} +} + +func (r AccessResponse) GetTableRow(maxColumnLength int) []string { + if r.Response != nil { + return []string{ + r.Response.NetworkPolicy.Name, + r.Response.NetworkPolicy.Namespace, + string(r.Response.NetworkPolicy.Type), + strconv.Itoa(int(r.Response.RuleIndex)), + string(r.Response.Rule.Direction), + } + } + return make([]string, 5) +} + +func (r AccessResponse) SortRows() bool { + return false +} + +// parsePeer parses Namespace/Pod name, empty string is returned if the argument is not of a +// valid Namespace/Pod reference (missing pod name or invalid format). Namespace will be set +// as default if missing, string without separator will be considered as pod name. 
+func parsePeer(str string) (string, string) { + parts := strings.Split(str, "/") + ns, pod := "", "" + if len(parts) == 1 { + ns, pod = "default", parts[0] + } else if len(parts) == 2 { + ns, pod = parts[0], parts[1] + } + return ns, pod +} + +func NewNetworkPolicyAccessReview(args map[string]string) (runtime.Object, error) { + var ns1, pod1, ns2, pod2 string + if val, ok := args["source"]; ok { + ns1, pod1 = parsePeer(val) + } + if val, ok := args["destination"]; ok { + ns2, pod2 = parsePeer(val) + } + if pod1 == "" || pod2 == "" { + return nil, fmt.Errorf("missing entities for NetworkPolicyAccessReview request: %v", args) + } + return &cpv1beta.NetworkPolicyAccessReview{ + Request: &cpv1beta.NetworkPolicyAccessRequest{ + Source: cpv1beta.Entity{Pod: &cpv1beta.PodReference{Namespace: ns1, Name: pod1}}, + Destination: cpv1beta.Entity{Pod: &cpv1beta.PodReference{Namespace: ns2, Name: pod2}}, + }, + }, nil +} diff --git a/pkg/antctl/transform/networkpolicy/transform_test.go b/pkg/antctl/transform/networkpolicy/transform_test.go index b5fcdb411fe..36b5d7d7cce 100644 --- a/pkg/antctl/transform/networkpolicy/transform_test.go +++ b/pkg/antctl/transform/networkpolicy/transform_test.go @@ -20,6 +20,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" "k8s.io/utils/pointer" cpv1beta "antrea.io/antrea/pkg/apis/controlplane/v1beta2" 
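Review bot: `NewNetworkPolicyAccessReview` only checks `pod1 == "" || pod2 == ""`, so an argument such as `/pod1` passes `parsePeer` with an empty Namespace and is sent to the controller as `PodReference{Namespace: "", Name: "pod1"}`, contradicting the parsePeer comment that a missing Namespace is defaulted; tightening the guard to `if ns1 == "" || pod1 == "" || ns2 == "" || pod2 == "" {` rejects it client-side. `parsePeer` itself reads more simply with `strings.Cut`, and its doc should state whether an empty Namespace segment is invalid or defaulted once that behaviour is chosen. In `GetTableRow` the fallback `make([]string, 5)` hard-codes the header width; `make([]string, len(r.GetTableHeader()))` keeps the two in step. `AccessTransform` can decode straight into `var review cpv1beta.NetworkPolicyAccessReview` rather than going through `reflect.New`, and `AccessResponse`/`AccessTransform` are exported without doc comments.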
@@ -130,3 +131,58 @@ func TestListTransform(t *testing.T) { }) } } + +func TestNewNetworkPolicyAccessReview(t *testing.T) { + tests := []struct { + name string + args map[string]string + expectedObject runtime.Object + expectedError string + }{ + { + name: "Successful parsing", + args: map[string]string{ + "source": "ns/pod1", + "destination": "ns/pod2", + }, + expectedObject: &cpv1beta.NetworkPolicyAccessReview{ + Request: &cpv1beta.NetworkPolicyAccessRequest{ + Source: cpv1beta.Entity{Pod: &cpv1beta.PodReference{Namespace: "ns", Name: "pod1"}}, + Destination: cpv1beta.Entity{Pod: &cpv1beta.PodReference{Namespace: "ns", Name: "pod2"}}, + }, + }, + }, + { + name: "Invalid format", + args: map[string]string{ + "destination": "ns", + }, + expectedError: "missing entities for NetworkPolicyAccessReview request", + }, + { + name: "Default namespaces", + args: map[string]string{ + "source": "pod1", + "destination": "pod2", + }, + expectedObject: &cpv1beta.NetworkPolicyAccessReview{ + Request: &cpv1beta.NetworkPolicyAccessRequest{ + Source: cpv1beta.Entity{Pod: &cpv1beta.PodReference{Namespace: "default", Name: "pod1"}}, + Destination: cpv1beta.Entity{Pod: &cpv1beta.PodReference{Namespace: "default", Name: "pod2"}}, + }, + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + gotObject, err := NewNetworkPolicyAccessReview(tt.args) + if tt.expectedError == "" { + require.NoError(t, err) + assert.Equal(t, tt.expectedObject, gotObject) + } else { + assert.ErrorContains(t, err, tt.expectedError) + } + }) + } +} diff --git a/pkg/apis/controlplane/register.go b/pkg/apis/controlplane/register.go index 42a27ddeab8..e1bcb6f0729 100644 --- a/pkg/apis/controlplane/register.go +++ b/pkg/apis/controlplane/register.go @@ -54,6 +54,7 @@ func addKnownTypes(scheme *runtime.Scheme) error { &NetworkPolicy{}, &NetworkPolicyList{}, &NetworkPolicyStatus{}, + &NetworkPolicyAccessReview{}, &NodeStatsSummary{}, &ClusterGroupMembers{}, &GroupMembers{}, 
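Review bot: The new table has no case for a leading separator such as `"/pod1"`, which `parsePeer` splits into an empty Namespace and a non-empty Pod name and which `NewNetworkPolicyAccessReview` currently accepts; adding `{name: "Empty namespace", args: map[string]string{"source": "/pod1", "destination": "pod2"}, ...}` with the expected object or error pins whichever behaviour is intended. A case with more than one separator (`"a/b/c"`) would likewise exercise the `len(parts)` fall-through in `parsePeer`. `TestNewNetworkPolicyAccessReview` is fully contained in the hunk.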
diff --git a/pkg/apis/controlplane/types.go b/pkg/apis/controlplane/types.go index fdfa7624451..1298aa75120 100644 --- a/pkg/apis/controlplane/types.go +++ b/pkg/apis/controlplane/types.go @@ -448,6 +448,42 @@ type NetworkPolicyNodeStatus struct { Message string } +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// NetworkPolicyAccessReview contains the request and response for a NetworkPolicy access review. +type NetworkPolicyAccessReview struct { + metav1.TypeMeta + Request *NetworkPolicyAccessRequest + Response *NetworkPolicyAccessResponse +} + +// Entity contains Namespace and Pod name as a request parameter. +type Entity struct { + Pod *PodReference +} + +// NetworkPolicyAccessRequest is the request body of NetworkPolicy access review. +type NetworkPolicyAccessRequest struct { + Source Entity + Destination Entity +} + +// RuleRef contains basic information for the rule. +type RuleRef struct { + Direction Direction + Name string + Action *crdv1beta1.RuleAction +} + +// NetworkPolicyAccessResponse is the response of NetworkPolicy access review. +type NetworkPolicyAccessResponse struct { + // The reference of the effective NetworkPolicy. + NetworkPolicy NetworkPolicyReference + RuleIndex int32 + // The content of the effective rule. + Rule RuleRef +} + type GroupReference struct { // Namespace of the Group. Empty for ClusterGroup. Namespace string diff --git a/pkg/apis/controlplane/v1beta2/generated.pb.go b/pkg/apis/controlplane/v1beta2/generated.pb.go index 3247f1e1ff7..b9fcc2a5c7e 100644 --- a/pkg/apis/controlplane/v1beta2/generated.pb.go +++ b/pkg/apis/controlplane/v1beta2/generated.pb.go @@ -1,4 +1,4 @@ -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
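Review bot: `NetworkPolicyAccessResponse.RuleIndex` carries no comment on what it means when traffic is matched by a policy's implicit default rule rather than an explicit one; the test removed earlier in this diff used `RuleIndex: -1` for the K8s default drop rule, so if that sentinel is kept it should be documented here, e.g. `// RuleIndex is the index of the effective rule within the policy; -1 when the traffic is handled by the policy's implicit default rule.` `RuleRef.Action` is a pointer with no comment on when it is nil (presumably for K8s NetworkPolicies, which carry no action), and `Entity`'s comment says it "contains Namespace and Pod name" while the struct only holds a `*PodReference`, so the comment should name the field. `NetworkPolicyAccessReview` embeds `metav1.TypeMeta` without ObjectMeta; a one-line note that it is a request/response object rather than a stored resource would help readers of the internal API.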
@@ -411,10 +411,38 @@ func (m *EgressGroupPatch) XXX_DiscardUnknown() { var xxx_messageInfo_EgressGroupPatch proto.InternalMessageInfo +func (m *Entity) Reset() { *m = Entity{} } +func (*Entity) ProtoMessage() {} +func (*Entity) Descriptor() ([]byte, []int) { + return fileDescriptor_fbaa7d016762fa1d, []int{13} +} +func (m *Entity) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *Entity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *Entity) XXX_Merge(src proto.Message) { + xxx_messageInfo_Entity.Merge(m, src) +} +func (m *Entity) XXX_Size() int { + return m.Size() +} +func (m *Entity) XXX_DiscardUnknown() { + xxx_messageInfo_Entity.DiscardUnknown(m) +} + +var xxx_messageInfo_Entity proto.InternalMessageInfo + func (m *ExternalEntityReference) Reset() { *m = ExternalEntityReference{} } func (*ExternalEntityReference) ProtoMessage() {} func (*ExternalEntityReference) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{13} + return fileDescriptor_fbaa7d016762fa1d, []int{14} } func (m *ExternalEntityReference) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -442,7 +470,7 @@ var xxx_messageInfo_ExternalEntityReference proto.InternalMessageInfo func (m *GroupAssociation) Reset() { *m = GroupAssociation{} } func (*GroupAssociation) ProtoMessage() {} func (*GroupAssociation) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{14} + return fileDescriptor_fbaa7d016762fa1d, []int{15} } func (m *GroupAssociation) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -470,7 +498,7 @@ var xxx_messageInfo_GroupAssociation proto.InternalMessageInfo func (m *GroupMember) Reset() { *m = GroupMember{} } func (*GroupMember) ProtoMessage() {} func (*GroupMember) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{15} + return fileDescriptor_fbaa7d016762fa1d, []int{16} } func (m *GroupMember) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -498,7 +526,7 @@ var xxx_messageInfo_GroupMember proto.InternalMessageInfo func (m *GroupMembers) Reset() { *m = GroupMembers{} } func (*GroupMembers) ProtoMessage() {} func (*GroupMembers) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{16} + return fileDescriptor_fbaa7d016762fa1d, []int{17} } func (m *GroupMembers) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -526,7 +554,7 @@ var xxx_messageInfo_GroupMembers proto.InternalMessageInfo func (m *GroupReference) Reset() { *m = GroupReference{} } func (*GroupReference) ProtoMessage() {} func (*GroupReference) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{17} + return fileDescriptor_fbaa7d016762fa1d, []int{18} } func (m *GroupReference) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -554,7 +582,7 @@ var xxx_messageInfo_GroupReference proto.InternalMessageInfo func (m *HTTPProtocol) Reset() { *m = HTTPProtocol{} } func (*HTTPProtocol) ProtoMessage() {} func (*HTTPProtocol) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{18} + return fileDescriptor_fbaa7d016762fa1d, []int{19} } func (m *HTTPProtocol) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -582,7 +610,7 @@ var xxx_messageInfo_HTTPProtocol proto.InternalMessageInfo func (m *IPBlock) Reset() { *m = IPBlock{} } func (*IPBlock) ProtoMessage() {} func (*IPBlock) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{19} + return fileDescriptor_fbaa7d016762fa1d, []int{20} } func (m *IPBlock) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -610,7 +638,7 @@ var xxx_messageInfo_IPBlock proto.InternalMessageInfo func (m *IPGroupAssociation) Reset() { *m = IPGroupAssociation{} } func (*IPGroupAssociation) ProtoMessage() {} func (*IPGroupAssociation) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{20} + return fileDescriptor_fbaa7d016762fa1d, []int{21} } func (m *IPGroupAssociation) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -638,7 +666,7 @@ var xxx_messageInfo_IPGroupAssociation proto.InternalMessageInfo func (m *IPNet) Reset() { *m = IPNet{} } func (*IPNet) ProtoMessage() {} func (*IPNet) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{21} + return fileDescriptor_fbaa7d016762fa1d, []int{22} } func (m *IPNet) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -666,7 +694,7 @@ var xxx_messageInfo_IPNet proto.InternalMessageInfo func (m *L7Protocol) Reset() { *m = L7Protocol{} } func (*L7Protocol) ProtoMessage() {} func (*L7Protocol) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{22} + return fileDescriptor_fbaa7d016762fa1d, []int{23} } func (m *L7Protocol) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -694,7 +722,7 @@ var xxx_messageInfo_L7Protocol proto.InternalMessageInfo func (m *MulticastGroupInfo) Reset() { *m = MulticastGroupInfo{} } func (*MulticastGroupInfo) ProtoMessage() {} func (*MulticastGroupInfo) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{23} + return fileDescriptor_fbaa7d016762fa1d, []int{24} } func (m *MulticastGroupInfo) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -722,7 +750,7 @@ var xxx_messageInfo_MulticastGroupInfo proto.InternalMessageInfo func (m *NamedPort) Reset() { *m = NamedPort{} } func (*NamedPort) ProtoMessage() {} func (*NamedPort) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{24} + return fileDescriptor_fbaa7d016762fa1d, []int{25} } func (m *NamedPort) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -750,7 +778,7 @@ var xxx_messageInfo_NamedPort proto.InternalMessageInfo func (m *NetworkPolicy) Reset() { *m = NetworkPolicy{} } func (*NetworkPolicy) ProtoMessage() {} func (*NetworkPolicy) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{25} + return fileDescriptor_fbaa7d016762fa1d, []int{26} } func (m *NetworkPolicy) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -775,10 +803,94 @@ func (m *NetworkPolicy) XXX_DiscardUnknown() { var xxx_messageInfo_NetworkPolicy proto.InternalMessageInfo +func (m *NetworkPolicyAccessRequest) Reset() { *m = NetworkPolicyAccessRequest{} } +func (*NetworkPolicyAccessRequest) ProtoMessage() {} +func (*NetworkPolicyAccessRequest) Descriptor() ([]byte, []int) { + return fileDescriptor_fbaa7d016762fa1d, []int{27} +} +func (m *NetworkPolicyAccessRequest) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *NetworkPolicyAccessRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *NetworkPolicyAccessRequest) XXX_Merge(src proto.Message) { + xxx_messageInfo_NetworkPolicyAccessRequest.Merge(m, src) +} +func (m *NetworkPolicyAccessRequest) XXX_Size() int { + return m.Size() +} +func (m *NetworkPolicyAccessRequest) XXX_DiscardUnknown() { + xxx_messageInfo_NetworkPolicyAccessRequest.DiscardUnknown(m) +} + +var xxx_messageInfo_NetworkPolicyAccessRequest proto.InternalMessageInfo + +func (m *NetworkPolicyAccessResponse) Reset() { *m = NetworkPolicyAccessResponse{} } +func (*NetworkPolicyAccessResponse) ProtoMessage() {} +func (*NetworkPolicyAccessResponse) Descriptor() ([]byte, []int) { + return fileDescriptor_fbaa7d016762fa1d, []int{28} +} +func (m *NetworkPolicyAccessResponse) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *NetworkPolicyAccessResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *NetworkPolicyAccessResponse) XXX_Merge(src proto.Message) { + xxx_messageInfo_NetworkPolicyAccessResponse.Merge(m, src) +} +func (m *NetworkPolicyAccessResponse) XXX_Size() int { + return m.Size() +} +func (m *NetworkPolicyAccessResponse) XXX_DiscardUnknown() { + 
xxx_messageInfo_NetworkPolicyAccessResponse.DiscardUnknown(m) +} + +var xxx_messageInfo_NetworkPolicyAccessResponse proto.InternalMessageInfo + +func (m *NetworkPolicyAccessReview) Reset() { *m = NetworkPolicyAccessReview{} } +func (*NetworkPolicyAccessReview) ProtoMessage() {} +func (*NetworkPolicyAccessReview) Descriptor() ([]byte, []int) { + return fileDescriptor_fbaa7d016762fa1d, []int{29} +} +func (m *NetworkPolicyAccessReview) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *NetworkPolicyAccessReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *NetworkPolicyAccessReview) XXX_Merge(src proto.Message) { + xxx_messageInfo_NetworkPolicyAccessReview.Merge(m, src) +} +func (m *NetworkPolicyAccessReview) XXX_Size() int { + return m.Size() +} +func (m *NetworkPolicyAccessReview) XXX_DiscardUnknown() { + xxx_messageInfo_NetworkPolicyAccessReview.DiscardUnknown(m) +} + +var xxx_messageInfo_NetworkPolicyAccessReview proto.InternalMessageInfo + func (m *NetworkPolicyList) Reset() { *m = NetworkPolicyList{} } func (*NetworkPolicyList) ProtoMessage() {} func (*NetworkPolicyList) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{26} + return fileDescriptor_fbaa7d016762fa1d, []int{30} } func (m *NetworkPolicyList) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -806,7 +918,7 @@ var xxx_messageInfo_NetworkPolicyList proto.InternalMessageInfo func (m *NetworkPolicyNodeStatus) Reset() { *m = NetworkPolicyNodeStatus{} } func (*NetworkPolicyNodeStatus) ProtoMessage() {} func (*NetworkPolicyNodeStatus) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{27} + return fileDescriptor_fbaa7d016762fa1d, []int{31} } func (m *NetworkPolicyNodeStatus) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -834,7 +946,7 @@ var xxx_messageInfo_NetworkPolicyNodeStatus proto.InternalMessageInfo func (m *NetworkPolicyPeer) Reset() { *m = NetworkPolicyPeer{} } func (*NetworkPolicyPeer) ProtoMessage() {} func (*NetworkPolicyPeer) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{28} + return fileDescriptor_fbaa7d016762fa1d, []int{32} } func (m *NetworkPolicyPeer) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -862,7 +974,7 @@ var xxx_messageInfo_NetworkPolicyPeer proto.InternalMessageInfo func (m *NetworkPolicyReference) Reset() { *m = NetworkPolicyReference{} } func (*NetworkPolicyReference) ProtoMessage() {} func (*NetworkPolicyReference) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{29} + return fileDescriptor_fbaa7d016762fa1d, []int{33} } func (m *NetworkPolicyReference) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -890,7 +1002,7 @@ var xxx_messageInfo_NetworkPolicyReference proto.InternalMessageInfo func (m *NetworkPolicyRule) Reset() { *m = NetworkPolicyRule{} } func (*NetworkPolicyRule) ProtoMessage() {} func (*NetworkPolicyRule) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{30} + return fileDescriptor_fbaa7d016762fa1d, []int{34} } func (m *NetworkPolicyRule) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -918,7 +1030,7 @@ var xxx_messageInfo_NetworkPolicyRule proto.InternalMessageInfo func (m *NetworkPolicyStats) Reset() { *m = NetworkPolicyStats{} } func (*NetworkPolicyStats) ProtoMessage() {} func (*NetworkPolicyStats) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{31} + return fileDescriptor_fbaa7d016762fa1d, []int{35} } func (m *NetworkPolicyStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -946,7 +1058,7 @@ var xxx_messageInfo_NetworkPolicyStats proto.InternalMessageInfo func (m *NetworkPolicyStatus) Reset() { *m = NetworkPolicyStatus{} } func (*NetworkPolicyStatus) ProtoMessage() {} func (*NetworkPolicyStatus) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{32} + return fileDescriptor_fbaa7d016762fa1d, []int{36} } func (m *NetworkPolicyStatus) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -974,7 +1086,7 @@ var xxx_messageInfo_NetworkPolicyStatus proto.InternalMessageInfo func (m *NodeReference) Reset() { *m = NodeReference{} } func (*NodeReference) ProtoMessage() {} func (*NodeReference) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{33} + return fileDescriptor_fbaa7d016762fa1d, []int{37} } func (m *NodeReference) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1002,7 +1114,7 @@ var xxx_messageInfo_NodeReference proto.InternalMessageInfo func (m *NodeStatsSummary) Reset() { *m = NodeStatsSummary{} } func (*NodeStatsSummary) ProtoMessage() {} func (*NodeStatsSummary) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{34} + return fileDescriptor_fbaa7d016762fa1d, []int{38} } func (m *NodeStatsSummary) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1030,7 +1142,7 @@ var xxx_messageInfo_NodeStatsSummary proto.InternalMessageInfo func (m *PaginationGetOptions) Reset() { *m = PaginationGetOptions{} } func (*PaginationGetOptions) ProtoMessage() {} func (*PaginationGetOptions) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{35} + return fileDescriptor_fbaa7d016762fa1d, []int{39} } func (m *PaginationGetOptions) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -1058,7 +1170,7 @@ var xxx_messageInfo_PaginationGetOptions proto.InternalMessageInfo func (m *PodReference) Reset() { *m = PodReference{} } func (*PodReference) ProtoMessage() {} func (*PodReference) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{36} + return fileDescriptor_fbaa7d016762fa1d, []int{40} } func (m *PodReference) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1083,10 +1195,38 @@ func (m *PodReference) XXX_DiscardUnknown() { var xxx_messageInfo_PodReference proto.InternalMessageInfo +func (m *RuleRef) Reset() { *m = RuleRef{} } +func (*RuleRef) ProtoMessage() {} +func (*RuleRef) Descriptor() ([]byte, []int) { + return fileDescriptor_fbaa7d016762fa1d, []int{41} +} +func (m *RuleRef) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *RuleRef) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *RuleRef) XXX_Merge(src proto.Message) { + xxx_messageInfo_RuleRef.Merge(m, src) +} +func (m *RuleRef) XXX_Size() int { + return m.Size() +} +func (m *RuleRef) XXX_DiscardUnknown() { + xxx_messageInfo_RuleRef.DiscardUnknown(m) +} + +var xxx_messageInfo_RuleRef proto.InternalMessageInfo + func (m *Service) Reset() { *m = Service{} } func (*Service) ProtoMessage() {} func (*Service) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{37} + return fileDescriptor_fbaa7d016762fa1d, []int{42} } func (m *Service) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -1114,7 +1254,7 @@ var xxx_messageInfo_Service proto.InternalMessageInfo func (m *ServiceReference) Reset() { *m = ServiceReference{} } func (*ServiceReference) ProtoMessage() {} func (*ServiceReference) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{38} + return fileDescriptor_fbaa7d016762fa1d, []int{43} } func (m *ServiceReference) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1142,7 +1282,7 @@ var xxx_messageInfo_ServiceReference proto.InternalMessageInfo func (m *SupportBundleCollection) Reset() { *m = SupportBundleCollection{} } func (*SupportBundleCollection) ProtoMessage() {} func (*SupportBundleCollection) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{39} + return fileDescriptor_fbaa7d016762fa1d, []int{44} } func (m *SupportBundleCollection) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1170,7 +1310,7 @@ var xxx_messageInfo_SupportBundleCollection proto.InternalMessageInfo func (m *SupportBundleCollectionList) Reset() { *m = SupportBundleCollectionList{} } func (*SupportBundleCollectionList) ProtoMessage() {} func (*SupportBundleCollectionList) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{40} + return fileDescriptor_fbaa7d016762fa1d, []int{45} } func (m *SupportBundleCollectionList) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1198,7 +1338,7 @@ var xxx_messageInfo_SupportBundleCollectionList proto.InternalMessageInfo func (m *SupportBundleCollectionNodeStatus) Reset() { *m = SupportBundleCollectionNodeStatus{} } func (*SupportBundleCollectionNodeStatus) ProtoMessage() {} func (*SupportBundleCollectionNodeStatus) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{41} + return fileDescriptor_fbaa7d016762fa1d, []int{46} } func (m *SupportBundleCollectionNodeStatus) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -1226,7 +1366,7 @@ var xxx_messageInfo_SupportBundleCollectionNodeStatus proto.InternalMessageInfo func (m *SupportBundleCollectionStatus) Reset() { *m = SupportBundleCollectionStatus{} } func (*SupportBundleCollectionStatus) ProtoMessage() {} func (*SupportBundleCollectionStatus) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{42} + return fileDescriptor_fbaa7d016762fa1d, []int{47} } func (m *SupportBundleCollectionStatus) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1254,7 +1394,7 @@ var xxx_messageInfo_SupportBundleCollectionStatus proto.InternalMessageInfo func (m *TLSProtocol) Reset() { *m = TLSProtocol{} } func (*TLSProtocol) ProtoMessage() {} func (*TLSProtocol) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{43} + return fileDescriptor_fbaa7d016762fa1d, []int{48} } func (m *TLSProtocol) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1293,6 +1433,7 @@ func init() { proto.RegisterType((*EgressGroup)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.EgressGroup") proto.RegisterType((*EgressGroupList)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.EgressGroupList") proto.RegisterType((*EgressGroupPatch)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.EgressGroupPatch") + proto.RegisterType((*Entity)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.Entity") proto.RegisterType((*ExternalEntityReference)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.ExternalEntityReference") proto.RegisterType((*GroupAssociation)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.GroupAssociation") proto.RegisterType((*GroupMember)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.GroupMember") 
@@ -1306,6 +1447,9 @@ func init() { proto.RegisterType((*MulticastGroupInfo)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.MulticastGroupInfo") proto.RegisterType((*NamedPort)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NamedPort") proto.RegisterType((*NetworkPolicy)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NetworkPolicy") + proto.RegisterType((*NetworkPolicyAccessRequest)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NetworkPolicyAccessRequest") + proto.RegisterType((*NetworkPolicyAccessResponse)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NetworkPolicyAccessResponse") + proto.RegisterType((*NetworkPolicyAccessReview)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NetworkPolicyAccessReview") proto.RegisterType((*NetworkPolicyList)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NetworkPolicyList") proto.RegisterType((*NetworkPolicyNodeStatus)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NetworkPolicyNodeStatus") proto.RegisterType((*NetworkPolicyPeer)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NetworkPolicyPeer") @@ -1317,6 +1461,7 @@ func init() { proto.RegisterType((*NodeStatsSummary)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NodeStatsSummary") proto.RegisterType((*PaginationGetOptions)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.PaginationGetOptions") proto.RegisterType((*PodReference)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.PodReference") + proto.RegisterType((*RuleRef)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.RuleRef") proto.RegisterType((*Service)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.Service") proto.RegisterType((*ServiceReference)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.ServiceReference") proto.RegisterType((*SupportBundleCollection)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.SupportBundleCollection") 
@@ -1331,186 +1476,199 @@ func init() { } var fileDescriptor_fbaa7d016762fa1d = []byte{ - // 2862 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x1b, 0x4b, 0x6f, 0x24, 0xc5, - 0x79, 0xdb, 0x33, 0x63, 0x7b, 0xbe, 0x19, 0x7b, 0xbd, 0x65, 0x60, 0x1d, 0x60, 0xed, 0xa5, 0x49, - 0xd0, 0x26, 0x22, 0x33, 0xd8, 0x01, 0x76, 0xc3, 0x4b, 0xf1, 0x78, 0xbd, 0x66, 0x82, 0x6d, 0x86, - 0x9a, 0x01, 0x24, 0x08, 0x84, 0x76, 0x77, 0xcd, 0xb8, 0xb3, 0x3d, 0x5d, 0x4d, 0x75, 0x8d, 0x59, - 0x73, 0x88, 0x88, 0x48, 0x0e, 0xe4, 0x45, 0x94, 0x4b, 0xc4, 0x2d, 0xb7, 0x5c, 0xf2, 0x0b, 0x38, - 0x85, 0x43, 0x24, 0x8e, 0x44, 0x51, 0x14, 0x4e, 0x56, 0xd6, 0x51, 0x88, 0x38, 0xe4, 0x92, 0x5b, - 0x36, 0x8a, 0x14, 0x55, 0x75, 0xf5, 0x73, 0x66, 0xd6, 0x3b, 0xb6, 0xd7, 0x91, 0xc2, 0x9e, 0x3c, - 0xfd, 0xbd, 0xab, 0xea, 0xfb, 0xea, 0x7b, 0x74, 0x1b, 0x9e, 0x31, 0x5c, 0xce, 0x88, 0x51, 0xb1, - 0x69, 0x35, 0xf8, 0x55, 0xf5, 0xae, 0x76, 0xaa, 0x86, 0x67, 0xfb, 0x55, 0x93, 0xba, 0x9c, 0x51, - 0xc7, 0x73, 0x0c, 0x97, 0x54, 0x77, 0x16, 0xb7, 0x08, 0x37, 0x96, 0xaa, 0x1d, 0xe2, 0x12, 0x66, - 0x70, 0x62, 0x55, 0x3c, 0x46, 0x39, 0x45, 0x95, 0x80, 0xeb, 0xbb, 0x36, 0x55, 0xbf, 0x2a, 0xde, - 0xd5, 0x4e, 0x45, 0xf0, 0x57, 0x92, 0xfc, 0x15, 0xc5, 0x7f, 0xef, 0xa5, 0xe1, 0xfa, 0x7c, 0x6e, - 0x70, 0xbf, 0xba, 0xb3, 0x68, 0x38, 0xde, 0xb6, 0xb1, 0x98, 0xd5, 0x74, 0xef, 0xd7, 0x3b, 0x36, - 0xdf, 0xee, 0x6d, 0x55, 0x4c, 0xda, 0xad, 0x76, 0x68, 0x87, 0x56, 0x25, 0x78, 0xab, 0xd7, 0x96, - 0x4f, 0xf2, 0x41, 0xfe, 0x52, 0xe4, 0x8f, 0x5e, 0xbd, 0xe4, 0x4b, 0x2d, 0x9e, 0xdd, 0x35, 0xcc, - 0x6d, 0xdb, 0x25, 0x6c, 0x37, 0xd6, 0xd5, 0x25, 0xdc, 0xa8, 0xee, 0xf4, 0x2b, 0xa9, 0x0e, 0xe3, - 0x62, 0x3d, 0x97, 0xdb, 0x5d, 0xd2, 0xc7, 0xf0, 0xf8, 0x41, 0x0c, 0xbe, 0xb9, 0x4d, 0xba, 0x46, - 0x1f, 0xdf, 0x37, 0x86, 0xf1, 0xf5, 0xb8, 0xed, 0x54, 0x6d, 0x97, 0xfb, 0x9c, 0x65, 0x99, 0xf4, - 0xbf, 0x6b, 0x50, 0x5e, 0xb6, 0x2c, 0x46, 0x7c, 0x7f, 0x8d, 0xd1, 0x9e, 0x87, 0xde, 0x80, 0x49, 
- 0xb1, 0x12, 0xcb, 0xe0, 0xc6, 0x9c, 0x76, 0x5e, 0xbb, 0x50, 0x5a, 0x7a, 0xa4, 0x12, 0x08, 0xae, - 0x24, 0x05, 0xc7, 0x67, 0x22, 0xa8, 0x2b, 0x3b, 0x8b, 0x95, 0xe7, 0xb7, 0xbe, 0x47, 0x4c, 0xbe, - 0x41, 0xb8, 0x51, 0x43, 0x1f, 0xef, 0x2d, 0x9c, 0xda, 0xdf, 0x5b, 0x80, 0x18, 0x86, 0x23, 0xa9, - 0xa8, 0x07, 0xe5, 0x8e, 0x50, 0xb5, 0x41, 0xba, 0x5b, 0x84, 0xf9, 0x73, 0x63, 0xe7, 0x73, 0x17, - 0x4a, 0x4b, 0x4f, 0x8e, 0x78, 0xec, 0x95, 0xb5, 0x58, 0x46, 0xed, 0x2e, 0xa5, 0xb0, 0x9c, 0x00, - 0xfa, 0x38, 0xa5, 0x46, 0xff, 0xa3, 0x06, 0x33, 0xc9, 0x95, 0xae, 0xdb, 0x3e, 0x47, 0xdf, 0xe9, - 0x5b, 0x6d, 0xe5, 0xd6, 0x56, 0x2b, 0xb8, 0xe5, 0x5a, 0x67, 0x94, 0xea, 0xc9, 0x10, 0x92, 0x58, - 0xa9, 0x01, 0x05, 0x9b, 0x93, 0x6e, 0xb8, 0xc4, 0xa7, 0x46, 0x5d, 0x62, 0xd2, 0xdc, 0xda, 0x94, - 0x52, 0x54, 0xa8, 0x0b, 0x91, 0x38, 0x90, 0xac, 0xbf, 0x97, 0x83, 0x33, 0x49, 0xb2, 0x86, 0xc1, - 0xcd, 0xed, 0x13, 0x38, 0xc4, 0x1f, 0x6a, 0x70, 0xc6, 0xb0, 0x2c, 0x62, 0xad, 0x1d, 0xf3, 0x51, - 0x7e, 0x49, 0xa9, 0x15, 0xab, 0x4a, 0x4b, 0xc7, 0xfd, 0x0a, 0xd1, 0x8f, 0x35, 0x98, 0x65, 0xa4, - 0x4b, 0x77, 0x32, 0x86, 0xe4, 0x8e, 0x6e, 0xc8, 0x7d, 0xca, 0x90, 0x59, 0xdc, 0x2f, 0x1f, 0x0f, - 0x52, 0xaa, 0x7f, 0xae, 0xc1, 0xf4, 0xb2, 0xe7, 0x39, 0x36, 0xb1, 0x5a, 0xf4, 0xff, 0x3c, 0x9a, - 0xfe, 0xac, 0x01, 0x4a, 0xaf, 0xf5, 0x04, 0xe2, 0xc9, 0x4c, 0xc7, 0xd3, 0x33, 0x23, 0xc7, 0x53, - 0xca, 0xe0, 0x21, 0x11, 0xf5, 0x93, 0x1c, 0xcc, 0xa6, 0x09, 0xef, 0xc4, 0xd4, 0xff, 0x2e, 0xa6, - 0xde, 0x84, 0xd9, 0x9a, 0xe1, 0xdb, 0xe6, 0x72, 0x8f, 0x6f, 0x13, 0x97, 0xdb, 0xa6, 0xc1, 0x6d, - 0xea, 0xa2, 0x87, 0x61, 0xb2, 0xe7, 0x13, 0xe6, 0x1a, 0x5d, 0x22, 0x0f, 0xa3, 0x18, 0xfb, 0xcd, - 0x8b, 0x0a, 0x8e, 0x23, 0x0a, 0x41, 0xed, 0x19, 0xbe, 0xff, 0x16, 0x65, 0xd6, 0xdc, 0x58, 0x9a, - 0xba, 0xa1, 0xe0, 0x38, 0xa2, 0xd0, 0x17, 0x61, 0xa6, 0xd6, 0x73, 0x2d, 0x87, 0x5c, 0xb1, 0x1d, - 0xd2, 0x24, 0x6c, 0x87, 0x30, 0x74, 0x0e, 0x72, 0x3d, 0xe6, 0x28, 0x55, 0x25, 0xc5, 0x9c, 0x7b, - 0x11, 0xaf, 0x63, 0x01, 0xd7, 0xdf, 
0x1f, 0x83, 0x73, 0x01, 0x4f, 0x40, 0x2f, 0xac, 0x5d, 0xa1, - 0x6e, 0xdb, 0xee, 0xf4, 0x58, 0x60, 0xf0, 0x63, 0x50, 0xda, 0x22, 0x06, 0x23, 0xac, 0x45, 0xaf, - 0x12, 0x57, 0x09, 0x9a, 0x55, 0x82, 0x4a, 0xb5, 0x18, 0x85, 0x93, 0x74, 0xe8, 0x21, 0x18, 0x37, - 0x3c, 0xfb, 0x39, 0xb2, 0xab, 0xec, 0x9e, 0x56, 0x1c, 0xe3, 0xcb, 0x8d, 0xfa, 0x73, 0x64, 0x17, - 0x2b, 0x2c, 0xfa, 0xb9, 0x06, 0xb3, 0x5b, 0xfd, 0xfb, 0x34, 0x97, 0x93, 0x8e, 0xba, 0x32, 0xea, - 0x99, 0x0d, 0xd8, 0xf2, 0xda, 0x59, 0x71, 0x6e, 0x03, 0x10, 0x78, 0x90, 0x62, 0xfd, 0xd7, 0x79, - 0x98, 0x5d, 0x71, 0x7a, 0x3e, 0x27, 0x2c, 0xe5, 0x5c, 0xb7, 0x3f, 0x8a, 0x7e, 0xa0, 0xc1, 0x0c, - 0x69, 0xb7, 0x89, 0xc9, 0xed, 0x1d, 0x72, 0x8c, 0x41, 0x34, 0xa7, 0xb4, 0xce, 0xac, 0x66, 0x84, - 0xe3, 0x3e, 0x75, 0xe8, 0xfb, 0x70, 0x26, 0x82, 0xd5, 0x1b, 0x35, 0x87, 0x9a, 0x57, 0xc3, 0xf8, - 0x79, 0x6c, 0x54, 0x1b, 0xea, 0x8d, 0x4d, 0xc2, 0xe3, 0x10, 0x5e, 0xcd, 0xca, 0xc5, 0xfd, 0xaa, - 0xd0, 0x25, 0x28, 0x73, 0xca, 0x0d, 0x27, 0x5c, 0x7e, 0xfe, 0xbc, 0x76, 0x21, 0x17, 0xdf, 0xeb, - 0xad, 0x04, 0x0e, 0xa7, 0x28, 0xd1, 0x12, 0x80, 0x7c, 0x6e, 0x18, 0x1d, 0xe2, 0xcf, 0x15, 0x24, - 0x5f, 0xb4, 0xdf, 0xad, 0x08, 0x83, 0x13, 0x54, 0xc2, 0xb7, 0xcd, 0x1e, 0x63, 0xc4, 0xe5, 0xe2, - 0x79, 0x6e, 0x5c, 0x32, 0x45, 0xbe, 0xbd, 0x12, 0xa3, 0x70, 0x92, 0x4e, 0xff, 0x4c, 0x83, 0xd2, - 0x6a, 0xe7, 0x0b, 0x50, 0x79, 0xfe, 0x41, 0x83, 0xd3, 0x89, 0x85, 0x9e, 0x40, 0xa2, 0x7c, 0x23, - 0x9d, 0x28, 0x47, 0x5e, 0x61, 0xc2, 0xda, 0x21, 0x59, 0xf2, 0xa7, 0x39, 0x98, 0x49, 0x50, 0x05, - 0x29, 0xd2, 0x02, 0xa0, 0xd1, 0xbe, 0x1f, 0xeb, 0x19, 0x26, 0xe4, 0xde, 0x49, 0x93, 0x03, 0xd2, - 0xa4, 0x03, 0x67, 0x57, 0xaf, 0x71, 0x91, 0xee, 0x9c, 0x55, 0x97, 0xdb, 0x7c, 0x17, 0x93, 0x36, - 0x61, 0xc4, 0x35, 0x09, 0x3a, 0x0f, 0xf9, 0x44, 0x9a, 0x2c, 0x2b, 0xd1, 0xf9, 0x4d, 0x91, 0x22, - 0x25, 0x06, 0x55, 0xa1, 0x28, 0xfe, 0xfa, 0x9e, 0x61, 0x12, 0x95, 0x67, 0xce, 0x28, 0xb2, 0xe2, - 0x66, 0x88, 0xc0, 0x31, 0x8d, 0xfe, 0x6f, 0x0d, 0x66, 0xa4, 0xfa, 0x65, 
0xdf, 0xa7, 0xa6, 0x1d, - 0x64, 0xb8, 0x13, 0xa9, 0x8f, 0x66, 0x0c, 0xa5, 0x51, 0xad, 0xff, 0xd0, 0xa5, 0xa0, 0xe4, 0x8e, - 0x36, 0x29, 0xbe, 0xdc, 0x97, 0x33, 0xf2, 0x71, 0x9f, 0x46, 0xfd, 0xc3, 0x3c, 0x94, 0x12, 0x9b, - 0x8f, 0x5e, 0x86, 0x9c, 0x47, 0x2d, 0xb5, 0xe6, 0x91, 0x7b, 0xbc, 0x06, 0xb5, 0x62, 0x33, 0x26, - 0x44, 0x55, 0x21, 0x20, 0x42, 0x22, 0x7a, 0x57, 0x83, 0x69, 0x92, 0x3a, 0x55, 0x79, 0x3a, 0xa5, - 0xa5, 0xb5, 0x91, 0xe3, 0x79, 0xb0, 0x6f, 0xd4, 0xd0, 0xfe, 0xde, 0xc2, 0x74, 0x06, 0x99, 0x51, - 0x89, 0x1e, 0x82, 0x9c, 0xed, 0x05, 0x6e, 0x5d, 0xae, 0xdd, 0x25, 0x0c, 0xac, 0x37, 0xfc, 0x1b, - 0x7b, 0x0b, 0xc5, 0x7a, 0x43, 0x35, 0x9e, 0x58, 0x10, 0xa0, 0xd7, 0xa1, 0xe0, 0x51, 0xc6, 0x45, - 0xb2, 0x11, 0x27, 0xf2, 0xcd, 0x51, 0x6d, 0x14, 0x9e, 0x66, 0x35, 0x28, 0xe3, 0xf1, 0x8d, 0x23, - 0x9e, 0x7c, 0x1c, 0x88, 0x45, 0xaf, 0x42, 0xde, 0xa5, 0x16, 0x91, 0x39, 0xa9, 0xb4, 0xf4, 0xf4, - 0xc8, 0xe2, 0xa9, 0x45, 0xe2, 0x85, 0x4f, 0xca, 0x10, 0x10, 0x20, 0x29, 0x14, 0x75, 0x60, 0xc2, - 0x27, 0x6c, 0xc7, 0x36, 0x83, 0xf4, 0x55, 0x5a, 0xfa, 0xd6, 0xa8, 0xf2, 0x9b, 0x01, 0x7b, 0xac, - 0xa2, 0xb4, 0xbf, 0xb7, 0x30, 0x11, 0x42, 0x43, 0xe9, 0xfa, 0x07, 0x79, 0x28, 0xdf, 0x29, 0x88, - 0xee, 0x14, 0x44, 0x83, 0x0a, 0xa2, 0xdf, 0x68, 0x30, 0x9d, 0xbe, 0x97, 0xd2, 0x57, 0xb3, 0x76, - 0xf0, 0xd5, 0x1c, 0xdd, 0xf6, 0x63, 0x43, 0x6f, 0xfb, 0x1a, 0xe4, 0x7a, 0xb6, 0x25, 0x3b, 0x83, - 0x62, 0xed, 0x91, 0xa8, 0x95, 0xa9, 0x5f, 0xbe, 0xb1, 0xb7, 0xf0, 0xc0, 0xb0, 0x11, 0x22, 0xdf, - 0xf5, 0x88, 0x5f, 0x79, 0xb1, 0x7e, 0x19, 0x0b, 0x66, 0xfd, 0x6d, 0x28, 0x3f, 0xdb, 0x6a, 0x35, - 0x1a, 0x8c, 0x72, 0x6a, 0x52, 0x47, 0x68, 0xdd, 0xa6, 0x3e, 0xcf, 0xe6, 0x98, 0x67, 0xa9, 0xcf, - 0xb1, 0xc4, 0x88, 0x46, 0xa6, 0x4b, 0xf8, 0x36, 0xb5, 0xb2, 0x8d, 0xcc, 0x86, 0x84, 0x62, 0x85, - 0x15, 0x92, 0x3c, 0x83, 0x6f, 0x2b, 0xf3, 0x22, 0x49, 0x0d, 0x83, 0x6f, 0x63, 0x89, 0xd1, 0x3f, - 0xd2, 0x60, 0x42, 0x9d, 0x2b, 0x7a, 0x19, 0xf2, 0xa6, 0x6d, 0x31, 0x15, 0x38, 0x87, 0xf4, 0xa4, - 0x48, 0xc9, 
0x4a, 0xfd, 0x32, 0xc6, 0x52, 0x20, 0x7a, 0x0d, 0xc6, 0xc9, 0x35, 0x93, 0x78, 0x5c, - 0x05, 0xca, 0x21, 0x45, 0x47, 0xab, 0x5c, 0x95, 0xc2, 0xb0, 0x12, 0xaa, 0xff, 0x47, 0x03, 0x54, - 0x6f, 0x7c, 0x71, 0x53, 0x68, 0x1b, 0x0a, 0x72, 0x83, 0xd0, 0x83, 0x30, 0x66, 0x7b, 0x72, 0xad, - 0xe5, 0xda, 0xec, 0xfe, 0xde, 0xc2, 0x58, 0xbd, 0x91, 0x4e, 0x2d, 0x63, 0xb6, 0x27, 0x82, 0xd7, - 0x63, 0xa4, 0x6d, 0x5f, 0x5b, 0x27, 0x6e, 0x87, 0x6f, 0x4b, 0x0f, 0x2a, 0xc4, 0xc1, 0xdb, 0x48, - 0xe0, 0x70, 0x8a, 0x52, 0xff, 0x9d, 0x06, 0xb0, 0x7e, 0x31, 0x72, 0xd3, 0x57, 0x20, 0xbf, 0xcd, - 0xb9, 0x77, 0xd8, 0x54, 0x9d, 0x74, 0xf9, 0x20, 0x83, 0x08, 0x08, 0x96, 0x32, 0xd1, 0x4b, 0x90, - 0xe3, 0x8e, 0xaf, 0x12, 0xf4, 0xc8, 0xf7, 0x6a, 0x6b, 0xbd, 0x19, 0x49, 0x96, 0x45, 0x40, 0x6b, - 0xbd, 0x89, 0x85, 0x40, 0xfd, 0x03, 0x0d, 0xd0, 0x46, 0xcf, 0x11, 0x8d, 0xb5, 0xcf, 0xe5, 0xf6, - 0xd5, 0xdd, 0x36, 0x45, 0x0f, 0x42, 0x41, 0xf6, 0x18, 0x2a, 0xe4, 0xa2, 0x94, 0x19, 0x1c, 0x4a, - 0x80, 0x43, 0xaf, 0x43, 0xde, 0xa3, 0xd6, 0xa1, 0xc7, 0xcf, 0xa9, 0xd2, 0x24, 0x0e, 0x45, 0x6a, - 0xf9, 0x58, 0xca, 0xd5, 0xdf, 0xd3, 0xa0, 0x18, 0xa5, 0x6d, 0x19, 0xba, 0x94, 0x05, 0x97, 0x40, - 0x21, 0x49, 0xcf, 0x38, 0x96, 0x98, 0x5b, 0xb8, 0x9c, 0x2e, 0xc1, 0xa4, 0xa7, 0xf6, 0x41, 0x5d, - 0x01, 0xf7, 0x47, 0x93, 0x1a, 0x05, 0xbf, 0x91, 0xf8, 0x8d, 0x23, 0x6a, 0xfd, 0x1f, 0x39, 0x98, - 0xda, 0x24, 0xfc, 0x2d, 0xca, 0xae, 0x36, 0xa8, 0x63, 0x9b, 0xbb, 0x27, 0x10, 0x4d, 0x6d, 0x28, - 0xb0, 0x9e, 0x43, 0xc2, 0x0d, 0x5e, 0x1e, 0xb9, 0x26, 0x49, 0xda, 0x8b, 0x7b, 0x0e, 0x89, 0xcf, - 0x51, 0x3c, 0xf9, 0x38, 0x10, 0x8f, 0x9e, 0x86, 0xd3, 0x46, 0x6a, 0x22, 0x19, 0xe4, 0xce, 0xa2, - 0x0c, 0x99, 0xd3, 0xe9, 0x61, 0xa5, 0x8f, 0xb3, 0xb4, 0xe8, 0x82, 0xd8, 0x54, 0x9b, 0x32, 0x51, - 0x40, 0x8a, 0xc4, 0xa7, 0xd5, 0xca, 0xc1, 0x86, 0x06, 0x30, 0x1c, 0x61, 0xd1, 0xa3, 0x50, 0xe6, - 0x36, 0x61, 0x21, 0x46, 0xa6, 0xbb, 0x42, 0x6d, 0x46, 0xa6, 0xc8, 0x04, 0x1c, 0xa7, 0xa8, 0x90, - 0x0f, 0x45, 0x9f, 0xf6, 0x98, 0x2c, 0x7e, 0x54, 
0xf9, 0x74, 0xe5, 0x68, 0x5b, 0x11, 0x79, 0xdd, - 0x94, 0x48, 0x74, 0xcd, 0x50, 0x38, 0x8e, 0xf5, 0xe8, 0x7f, 0xd2, 0xe0, 0x4c, 0x8a, 0xe9, 0x04, - 0xda, 0xea, 0xad, 0x74, 0x5b, 0xfd, 0xf4, 0x91, 0x16, 0x39, 0xa4, 0xb1, 0xfe, 0xa7, 0x06, 0x67, - 0x53, 0x74, 0xa2, 0x4a, 0x6d, 0x72, 0x83, 0xf7, 0x7c, 0xf4, 0x30, 0x4c, 0x8a, 0x6a, 0x75, 0x73, - 0xc0, 0xd4, 0x73, 0x53, 0xc1, 0x71, 0x44, 0x21, 0x2a, 0x17, 0xf5, 0xb6, 0xcf, 0xa6, 0xae, 0x8c, - 0xb9, 0x44, 0xe5, 0xb2, 0x16, 0x61, 0x70, 0x82, 0x0a, 0x7d, 0x1b, 0x10, 0x23, 0x86, 0x63, 0xbf, - 0x2d, 0x1f, 0xaf, 0x18, 0xb6, 0xd3, 0x63, 0x44, 0x46, 0xe2, 0x64, 0xed, 0x5e, 0xc5, 0x8b, 0x70, - 0x1f, 0x05, 0x1e, 0xc0, 0x85, 0xbe, 0x0a, 0x13, 0x5d, 0xe2, 0xfb, 0xa2, 0x02, 0xca, 0x4b, 0x63, - 0x4f, 0x2b, 0x01, 0x13, 0x1b, 0x01, 0x18, 0x87, 0x78, 0xf9, 0x16, 0x2b, 0xb5, 0xe8, 0x06, 0x21, - 0x0c, 0x5d, 0x84, 0x29, 0x23, 0xf1, 0x6a, 0xcb, 0x9f, 0xd3, 0xa4, 0xd3, 0x9f, 0xd9, 0xdf, 0x5b, - 0x98, 0x4a, 0xbe, 0xf3, 0xf2, 0x71, 0x9a, 0x0e, 0x11, 0x98, 0xb4, 0x3d, 0x55, 0x64, 0x06, 0x47, - 0x75, 0x71, 0xf4, 0xfc, 0x2d, 0xf9, 0xe3, 0x0d, 0x8e, 0xaa, 0xcb, 0x48, 0x34, 0x5a, 0x80, 0x42, - 0xfb, 0x4d, 0xcb, 0x0d, 0x83, 0xb1, 0x28, 0xce, 0xf2, 0xca, 0x0b, 0x97, 0x37, 0x7d, 0x1c, 0xc0, - 0x11, 0x17, 0xb5, 0xa3, 0x6a, 0x01, 0xc2, 0xbe, 0xe8, 0xe8, 0x8d, 0x45, 0xa2, 0xfa, 0x0c, 0x65, - 0xe3, 0x84, 0x1e, 0x71, 0x5b, 0x38, 0xc6, 0x16, 0x71, 0xea, 0x16, 0x11, 0x1d, 0x9c, 0x2d, 0xcb, - 0xd6, 0xdc, 0x85, 0xa9, 0xe0, 0xb6, 0x58, 0x4f, 0xa3, 0x70, 0x96, 0x56, 0xff, 0x4c, 0x83, 0x7b, - 0x06, 0x47, 0x23, 0x7a, 0x0c, 0xf2, 0xa2, 0x10, 0x54, 0xbe, 0xf7, 0x40, 0x78, 0x7f, 0xb7, 0x76, - 0x3d, 0x72, 0x63, 0x6f, 0x21, 0x7d, 0x82, 0x02, 0x88, 0x25, 0xf9, 0xc8, 0xf3, 0x85, 0x28, 0x4f, - 0xe4, 0x0e, 0x2a, 0x62, 0xf3, 0x47, 0x29, 0x62, 0x3f, 0x1a, 0xcf, 0x38, 0x9d, 0xb8, 0x73, 0xd1, - 0x53, 0x50, 0xb4, 0x6c, 0x26, 0xda, 0x07, 0x1a, 0x8e, 0xe9, 0xe7, 0x43, 0x63, 0x2f, 0x87, 0x88, - 0x1b, 0xc9, 0x07, 0x1c, 0x33, 0x20, 0x13, 0xf2, 0x6d, 0x46, 0xbb, 0xaa, 0x0c, 0x38, 
0x5a, 0x42, - 0x10, 0x31, 0x10, 0x2f, 0xfe, 0x0a, 0xa3, 0x5d, 0x2c, 0x85, 0xa3, 0xd7, 0x60, 0x8c, 0x53, 0x35, - 0xda, 0x3f, 0x06, 0x15, 0xa0, 0x54, 0x8c, 0xb5, 0x28, 0x1e, 0xe3, 0x54, 0x44, 0x8f, 0x9f, 0xf6, - 0xd9, 0x8b, 0x87, 0xf4, 0xd9, 0x38, 0x7a, 0x22, 0x47, 0x8d, 0x44, 0xcb, 0x97, 0x32, 0x99, 0x3c, - 0x13, 0xa7, 0xfa, 0xbe, 0xcc, 0xf4, 0x12, 0x8c, 0x1b, 0xc1, 0x99, 0x8c, 0xcb, 0x33, 0x79, 0x46, - 0xbe, 0x04, 0x09, 0x0f, 0xe3, 0x91, 0x9b, 0x7c, 0x72, 0xc2, 0x2c, 0xf5, 0xa5, 0xc9, 0x62, 0x45, - 0x1c, 0x70, 0xc0, 0x83, 0x95, 0x34, 0xf4, 0x24, 0x4c, 0x11, 0xd7, 0xd8, 0x72, 0xc8, 0x3a, 0xed, - 0x74, 0x6c, 0xb7, 0x33, 0x37, 0x21, 0xef, 0xba, 0xbb, 0x95, 0x29, 0x53, 0xab, 0x49, 0x24, 0x4e, - 0xd3, 0x0e, 0xca, 0xcb, 0x93, 0x23, 0xe4, 0xe5, 0xd0, 0xcd, 0x8b, 0x43, 0xdd, 0xfc, 0x4d, 0x28, - 0x39, 0x51, 0xf9, 0xea, 0xcf, 0x81, 0x3c, 0x8d, 0x27, 0x46, 0x3d, 0x8d, 0xb8, 0x02, 0x8e, 0x9b, - 0xd0, 0x18, 0xe6, 0xe3, 0xa4, 0x0e, 0x71, 0x2c, 0x0e, 0xed, 0xc8, 0x5b, 0x62, 0xae, 0x94, 0xce, - 0x31, 0xeb, 0x0a, 0x8e, 0x23, 0x0a, 0xfd, 0xfd, 0x1c, 0xa0, 0x94, 0x47, 0x89, 0x4c, 0xe5, 0xa3, - 0x77, 0x35, 0x98, 0x72, 0x93, 0x60, 0x95, 0x8c, 0x8f, 0xab, 0x2c, 0x88, 0x8e, 0x27, 0x8d, 0x4f, - 0xeb, 0x44, 0x1e, 0x94, 0x39, 0x33, 0xda, 0x6d, 0xdb, 0x94, 0x56, 0xa9, 0xa0, 0x7c, 0xfc, 0x26, - 0x36, 0xc8, 0xef, 0x85, 0x2a, 0xe1, 0xf7, 0x42, 0x95, 0x56, 0x82, 0x3b, 0x31, 0x2c, 0x48, 0x40, - 0x71, 0x4a, 0x03, 0x7a, 0x47, 0x83, 0x19, 0x51, 0xb2, 0x25, 0x49, 0xd4, 0x98, 0xe3, 0x89, 0x5b, - 0x57, 0x8b, 0x33, 0x12, 0xe2, 0xd6, 0x2a, 0x8b, 0xc1, 0x7d, 0xda, 0xf4, 0xbf, 0x69, 0x30, 0xdb, - 0x77, 0x22, 0xbd, 0x93, 0x98, 0x33, 0x39, 0x50, 0x10, 0xb5, 0x47, 0x98, 0x72, 0xd7, 0x8e, 0x74, - 0xd6, 0x71, 0xd5, 0x13, 0xd7, 0x49, 0x02, 0xe6, 0xe3, 0x40, 0x89, 0xbe, 0x08, 0x53, 0xa9, 0x91, - 0xde, 0xc1, 0x73, 0x6e, 0xfd, 0xc3, 0x02, 0xcc, 0x84, 0x72, 0xfd, 0x66, 0xaf, 0xdb, 0x35, 0xd8, - 0x49, 0x74, 0x09, 0x3f, 0xd2, 0xe0, 0x74, 0xd2, 0x31, 0xed, 0x68, 0x8b, 0x6a, 0x47, 0xda, 0xa2, - 0xc0, 0x37, 0xce, 0x2a, 
0xdd, 0xa7, 0x37, 0xd3, 0x2a, 0x70, 0x56, 0x27, 0xfa, 0xad, 0x06, 0xf7, - 0x07, 0x5a, 0xd4, 0x8b, 0xd9, 0x0c, 0x87, 0x72, 0xd4, 0xe3, 0x30, 0xea, 0xcb, 0xca, 0xa8, 0xfb, - 0x97, 0x6f, 0xa2, 0x0f, 0xdf, 0xd4, 0x1a, 0xf4, 0x2b, 0x0d, 0xee, 0x0e, 0x08, 0xb2, 0x76, 0xe6, - 0x8f, 0xcd, 0xce, 0x73, 0xca, 0xce, 0xbb, 0x97, 0x07, 0x29, 0xc2, 0x83, 0xf5, 0x8b, 0x7e, 0xa7, - 0x1b, 0x76, 0xe4, 0xb2, 0xb4, 0x3a, 0x84, 0x31, 0xfd, 0x2d, 0x7d, 0x5c, 0x13, 0x45, 0x38, 0x1c, - 0xeb, 0xd1, 0x5f, 0x83, 0xbb, 0x1a, 0x46, 0xc7, 0x76, 0x65, 0x89, 0xbd, 0x46, 0xf8, 0xf3, 0x9e, - 0xf8, 0xe1, 0x07, 0x03, 0xb3, 0x4e, 0xe0, 0xf6, 0xb9, 0xe4, 0xc0, 0xac, 0x43, 0xb0, 0xc4, 0xa0, - 0x07, 0xa1, 0xe0, 0xd8, 0x5d, 0x9b, 0xab, 0x16, 0x20, 0x0a, 0xa7, 0x75, 0x01, 0xc4, 0x01, 0x4e, - 0x37, 0xa0, 0x9c, 0x6c, 0xf7, 0x6f, 0xc7, 0x5b, 0xa3, 0xdf, 0xe7, 0x20, 0x9c, 0x87, 0xa3, 0x47, - 0x13, 0x7d, 0x7e, 0xa0, 0x62, 0xee, 0xe0, 0x1e, 0x1f, 0x6d, 0xaa, 0x09, 0xc3, 0xd8, 0x01, 0x71, - 0xda, 0xe3, 0xb6, 0x53, 0x09, 0x3e, 0x78, 0xac, 0xd4, 0x5d, 0xfe, 0x3c, 0x6b, 0x72, 0x66, 0xbb, - 0x9d, 0x60, 0x66, 0x93, 0x98, 0x47, 0x7c, 0x05, 0x26, 0x88, 0x2b, 0x87, 0x17, 0xb2, 0x9a, 0x2a, - 0x04, 0x33, 0xfb, 0xd5, 0x00, 0x84, 0x43, 0x9c, 0xe8, 0x9f, 0x6d, 0xb3, 0xeb, 0x89, 0x8a, 0x56, - 0x56, 0x9c, 0x85, 0xa0, 0x7f, 0xae, 0xaf, 0x6c, 0x34, 0x64, 0x95, 0x1b, 0x61, 0x43, 0xca, 0x95, - 0xf0, 0x3d, 0x45, 0x82, 0x52, 0xc0, 0x70, 0x84, 0x95, 0x94, 0x1d, 0x25, 0x73, 0x3c, 0x41, 0xb9, - 0x16, 0xc9, 0x54, 0x58, 0x74, 0x49, 0xbd, 0xb4, 0x56, 0x1d, 0x8f, 0x2c, 0x50, 0x8a, 0x99, 0xf7, - 0xce, 0xe1, 0xb4, 0x2c, 0x45, 0x29, 0x96, 0xe7, 0x33, 0x53, 0x2e, 0x6f, 0x32, 0x5e, 0x5e, 0x33, - 0x00, 0xe1, 0x10, 0x87, 0x2a, 0x00, 0x3e, 0x33, 0xd5, 0xaa, 0x65, 0x31, 0x52, 0xa8, 0x4d, 0x8b, - 0xdb, 0xac, 0x19, 0x41, 0x71, 0x82, 0x42, 0x27, 0x30, 0x93, 0xed, 0x49, 0x6e, 0x87, 0xbb, 0xbc, - 0x9f, 0x87, 0xb3, 0xcd, 0x9e, 0x27, 0x0e, 0x2a, 0xf8, 0xb4, 0x66, 0x85, 0x3a, 0x8e, 0x2a, 0xb3, - 0x6f, 0xff, 0xa5, 0xfd, 0x2a, 0x14, 0xc9, 0x35, 0xcf, 0x66, 
0xc4, 0x5a, 0x0e, 0xfd, 0xed, 0x6b, - 0xb7, 0xa6, 0xa2, 0x65, 0x77, 0x49, 0xbc, 0xb4, 0xd5, 0x50, 0x08, 0x8e, 0xe5, 0x89, 0xbd, 0xf0, - 0x6d, 0xd7, 0x24, 0x82, 0x54, 0x35, 0x39, 0x11, 0x43, 0x33, 0x44, 0xe0, 0x98, 0x46, 0x34, 0x92, - 0xed, 0xe8, 0x63, 0x24, 0xe9, 0x83, 0x87, 0x68, 0x24, 0xb3, 0x1f, 0x35, 0xc5, 0x3b, 0x10, 0xc3, - 0x70, 0x42, 0x0f, 0xfa, 0x99, 0x06, 0xd3, 0x46, 0xfa, 0x7b, 0xa2, 0xe0, 0xe5, 0xdb, 0xc6, 0xe1, - 0x54, 0x0f, 0xf9, 0x36, 0xaa, 0x76, 0x8f, 0xb2, 0x63, 0x3a, 0xf3, 0x61, 0x51, 0x46, 0xb9, 0xfe, - 0xb9, 0x06, 0xf7, 0x0d, 0xf1, 0x88, 0x13, 0x18, 0xfe, 0x38, 0xe9, 0xe1, 0xcf, 0xc8, 0xe5, 0xcd, - 0x10, 0xcb, 0x87, 0x8c, 0x81, 0x7e, 0x39, 0x06, 0x0f, 0x0c, 0xe1, 0x38, 0xf4, 0x40, 0xe8, 0x49, - 0x98, 0x0a, 0x7f, 0x27, 0xc3, 0x30, 0x2e, 0xa6, 0x93, 0x48, 0x9c, 0xa6, 0x0d, 0x55, 0xc9, 0x0b, - 0x2b, 0xd7, 0xaf, 0x2a, 0xb8, 0xb4, 0x42, 0x0a, 0xe1, 0xe1, 0x26, 0xed, 0x7a, 0x0e, 0xe1, 0x24, - 0xe8, 0xd2, 0x27, 0x63, 0x0f, 0x5f, 0x09, 0x11, 0x38, 0xa6, 0x11, 0x49, 0x8a, 0x30, 0x46, 0x99, - 0xf4, 0xb0, 0xc4, 0x3c, 0x7b, 0x55, 0x00, 0x71, 0x80, 0xd3, 0xff, 0xa5, 0xc1, 0xb9, 0x21, 0x9b, - 0x72, 0x62, 0x55, 0xee, 0x4e, 0xba, 0xca, 0x7d, 0xe1, 0x98, 0xdc, 0xe0, 0xc0, 0x7a, 0xf7, 0x61, - 0x28, 0x25, 0x5e, 0x12, 0xa0, 0x73, 0x90, 0xf3, 0x5d, 0x3b, 0xfb, 0x41, 0x62, 0x73, 0xb3, 0x8e, - 0x05, 0xbc, 0xd6, 0xfa, 0xf8, 0xfa, 0xfc, 0xa9, 0x4f, 0xae, 0xcf, 0x9f, 0xfa, 0xf4, 0xfa, 0xfc, - 0xa9, 0x77, 0xf6, 0xe7, 0xb5, 0x8f, 0xf7, 0xe7, 0xb5, 0x4f, 0xf6, 0xe7, 0xb5, 0x4f, 0xf7, 0xe7, - 0xb5, 0xbf, 0xec, 0xcf, 0x6b, 0xbf, 0xf8, 0xeb, 0xfc, 0xa9, 0x57, 0x2a, 0xa3, 0xfd, 0xa7, 0xc6, - 0x7f, 0x03, 0x00, 0x00, 0xff, 0xff, 0xcb, 0x02, 0x8d, 0x03, 0xda, 0x31, 0x00, 0x00, + // 3057 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x3b, 0xcd, 0x6f, 0x24, 0xc5, + 0xf5, 0xdb, 0xf3, 0x61, 0x7b, 0xde, 0xd8, 0x5e, 0x6f, 0x19, 0x58, 0xb3, 0xb0, 0xf6, 0xd2, 0xfc, + 0x7e, 0x68, 0x13, 0x91, 0x31, 0x76, 0x80, 0xdd, 0xf0, 0xa5, 
0x78, 0xbc, 0x5e, 0x33, 0x60, 0x9b, + 0xa1, 0x6c, 0x40, 0x81, 0x40, 0x68, 0x77, 0xd7, 0x8c, 0x3b, 0xdb, 0xd3, 0xdd, 0x5b, 0x55, 0x63, + 0xd6, 0x44, 0x8a, 0x88, 0x08, 0x07, 0xf2, 0x45, 0x94, 0x4b, 0xc4, 0x2d, 0xa7, 0xe4, 0x92, 0xbf, + 0x80, 0x53, 0x38, 0x44, 0xe2, 0x48, 0x14, 0x45, 0xe1, 0x64, 0x05, 0x47, 0x21, 0x42, 0x51, 0x2e, + 0xb9, 0x65, 0xa3, 0x48, 0x51, 0x7d, 0xf4, 0xd7, 0x7c, 0xac, 0x77, 0x6c, 0xaf, 0x23, 0x85, 0x3d, + 0x79, 0xfa, 0xbd, 0x57, 0xef, 0xbd, 0xaa, 0xf7, 0x5e, 0xbd, 0x8f, 0x6e, 0xc3, 0x53, 0x96, 0xcf, + 0x29, 0xb1, 0x2a, 0x6e, 0x30, 0xab, 0x7e, 0xcd, 0x86, 0x57, 0x9a, 0xb3, 0x56, 0xe8, 0xb2, 0x59, + 0x3b, 0xf0, 0x39, 0x0d, 0xbc, 0xd0, 0xb3, 0x7c, 0x32, 0xbb, 0x3d, 0xb7, 0x49, 0xb8, 0x35, 0x3f, + 0xdb, 0x24, 0x3e, 0xa1, 0x16, 0x27, 0x4e, 0x25, 0xa4, 0x01, 0x0f, 0x50, 0x45, 0xad, 0xfa, 0x96, + 0x1b, 0xe8, 0x5f, 0x95, 0xf0, 0x4a, 0xb3, 0x22, 0xd6, 0x57, 0xd2, 0xeb, 0x2b, 0x7a, 0xfd, 0x99, + 0x8b, 0xfd, 0xe5, 0x31, 0x6e, 0x71, 0x36, 0xbb, 0x3d, 0x67, 0x79, 0xe1, 0x96, 0x35, 0xd7, 0x29, + 0xe9, 0xcc, 0x57, 0x9a, 0x2e, 0xdf, 0x6a, 0x6f, 0x56, 0xec, 0xa0, 0x35, 0xdb, 0x0c, 0x9a, 0xc1, + 0xac, 0x04, 0x6f, 0xb6, 0x1b, 0xf2, 0x49, 0x3e, 0xc8, 0x5f, 0x9a, 0xfc, 0xe1, 0x2b, 0x17, 0x99, + 0x94, 0x12, 0xba, 0x2d, 0xcb, 0xde, 0x72, 0x7d, 0x42, 0x77, 0x12, 0x59, 0x2d, 0xc2, 0xad, 0xd9, + 0xed, 0x6e, 0x21, 0xb3, 0xfd, 0x56, 0xd1, 0xb6, 0xcf, 0xdd, 0x16, 0xe9, 0x5a, 0xf0, 0xe8, 0x7e, + 0x0b, 0x98, 0xbd, 0x45, 0x5a, 0x56, 0xd7, 0xba, 0xaf, 0xf6, 0x5b, 0xd7, 0xe6, 0xae, 0x37, 0xeb, + 0xfa, 0x9c, 0x71, 0xda, 0xb9, 0xc8, 0xfc, 0xab, 0x01, 0xa3, 0x0b, 0x8e, 0x43, 0x09, 0x63, 0xcb, + 0x34, 0x68, 0x87, 0xe8, 0x75, 0x18, 0x11, 0x3b, 0x71, 0x2c, 0x6e, 0x4d, 0x19, 0xe7, 0x8c, 0xf3, + 0xe5, 0xf9, 0x87, 0x2a, 0x8a, 0x71, 0x25, 0xcd, 0x38, 0xb1, 0x89, 0xa0, 0xae, 0x6c, 0xcf, 0x55, + 0x9e, 0xdb, 0xfc, 0x36, 0xb1, 0xf9, 0x2a, 0xe1, 0x56, 0x15, 0x7d, 0xb4, 0x3b, 0x73, 0x62, 0x6f, + 0x77, 0x06, 0x12, 0x18, 0x8e, 0xb9, 0xa2, 0x36, 0x8c, 0x36, 0x85, 0xa8, 0x55, 0xd2, 0xda, 0x24, + 
0x94, 0x4d, 0xe5, 0xce, 0xe5, 0xcf, 0x97, 0xe7, 0x1f, 0x1f, 0xd0, 0xec, 0x95, 0xe5, 0x84, 0x47, + 0xf5, 0x0e, 0x2d, 0x70, 0x34, 0x05, 0x64, 0x38, 0x23, 0xc6, 0xfc, 0xbd, 0x01, 0x13, 0xe9, 0x9d, + 0xae, 0xb8, 0x8c, 0xa3, 0x6f, 0x76, 0xed, 0xb6, 0x72, 0x73, 0xbb, 0x15, 0xab, 0xe5, 0x5e, 0x27, + 0xb4, 0xe8, 0x91, 0x08, 0x92, 0xda, 0xa9, 0x05, 0x45, 0x97, 0x93, 0x56, 0xb4, 0xc5, 0x27, 0x06, + 0xdd, 0x62, 0x5a, 0xdd, 0xea, 0x98, 0x16, 0x54, 0xac, 0x09, 0x96, 0x58, 0x71, 0x36, 0xdf, 0xcd, + 0xc3, 0xa9, 0x34, 0x59, 0xdd, 0xe2, 0xf6, 0xd6, 0x31, 0x18, 0xf1, 0xfb, 0x06, 0x9c, 0xb2, 0x1c, + 0x87, 0x38, 0xcb, 0x47, 0x6c, 0xca, 0xbb, 0xb5, 0x58, 0xb1, 0xab, 0x2c, 0x77, 0xdc, 0x2d, 0x10, + 0xfd, 0xc0, 0x80, 0x49, 0x4a, 0x5a, 0xc1, 0x76, 0x87, 0x22, 0xf9, 0xc3, 0x2b, 0x72, 0x8f, 0x56, + 0x64, 0x12, 0x77, 0xf3, 0xc7, 0xbd, 0x84, 0x9a, 0x9f, 0x1b, 0x30, 0xbe, 0x10, 0x86, 0x9e, 0x4b, + 0x9c, 0x8d, 0xe0, 0x7f, 0x3c, 0x9a, 0xfe, 0x68, 0x00, 0xca, 0xee, 0xf5, 0x18, 0xe2, 0xc9, 0xce, + 0xc6, 0xd3, 0x53, 0x03, 0xc7, 0x53, 0x46, 0xe1, 0x3e, 0x11, 0xf5, 0xc3, 0x3c, 0x4c, 0x66, 0x09, + 0x6f, 0xc7, 0xd4, 0x7f, 0x2f, 0xa6, 0xae, 0xc2, 0x64, 0xd5, 0x62, 0xae, 0xbd, 0xd0, 0xe6, 0x5b, + 0xc4, 0xe7, 0xae, 0x6d, 0x71, 0x37, 0xf0, 0xd1, 0x83, 0x30, 0xd2, 0x66, 0x84, 0xfa, 0x56, 0x8b, + 0x48, 0x63, 0x94, 0x12, 0xbf, 0x79, 0x41, 0xc3, 0x71, 0x4c, 0x21, 0xa8, 0x43, 0x8b, 0xb1, 0x37, + 0x02, 0xea, 0x4c, 0xe5, 0xb2, 0xd4, 0x75, 0x0d, 0xc7, 0x31, 0x85, 0x39, 0x07, 0x13, 0xd5, 0xb6, + 0xef, 0x78, 0xe4, 0xb2, 0xeb, 0x91, 0x75, 0x42, 0xb7, 0x09, 0x45, 0x67, 0x21, 0xdf, 0xa6, 0x9e, + 0x16, 0x55, 0xd6, 0x8b, 0xf3, 0x2f, 0xe0, 0x15, 0x2c, 0xe0, 0xe6, 0x7b, 0x39, 0x38, 0xab, 0xd6, + 0x28, 0x7a, 0xa1, 0xed, 0x62, 0xe0, 0x37, 0xdc, 0x66, 0x9b, 0x2a, 0x85, 0x1f, 0x81, 0xf2, 0x26, + 0xb1, 0x28, 0xa1, 0x1b, 0xc1, 0x15, 0xe2, 0x6b, 0x46, 0x93, 0x9a, 0x51, 0xb9, 0x9a, 0xa0, 0x70, + 0x9a, 0x0e, 0x3d, 0x00, 0x43, 0x56, 0xe8, 0x3e, 0x4b, 0x76, 0xb4, 0xde, 0xe3, 0x7a, 0xc5, 0xd0, + 0x42, 0xbd, 0xf6, 0x2c, 0xd9, 0xc1, 
0x1a, 0x8b, 0x7e, 0x62, 0xc0, 0xe4, 0x66, 0xf7, 0x39, 0x4d, + 0xe5, 0xa5, 0xa3, 0x2e, 0x0e, 0x6a, 0xb3, 0x1e, 0x47, 0x5e, 0x3d, 0x2d, 0xec, 0xd6, 0x03, 0x81, + 0x7b, 0x09, 0x36, 0x7f, 0x51, 0x80, 0xc9, 0x45, 0xaf, 0xcd, 0x38, 0xa1, 0x19, 0xe7, 0xba, 0xf5, + 0x51, 0xf4, 0x3d, 0x03, 0x26, 0x48, 0xa3, 0x41, 0x6c, 0xee, 0x6e, 0x93, 0x23, 0x0c, 0xa2, 0x29, + 0x2d, 0x75, 0x62, 0xa9, 0x83, 0x39, 0xee, 0x12, 0x87, 0xbe, 0x0b, 0xa7, 0x62, 0x58, 0xad, 0x5e, + 0xf5, 0x02, 0xfb, 0x4a, 0x14, 0x3f, 0x8f, 0x0c, 0xaa, 0x43, 0xad, 0xbe, 0x46, 0x78, 0x12, 0xc2, + 0x4b, 0x9d, 0x7c, 0x71, 0xb7, 0x28, 0x74, 0x11, 0x46, 0x79, 0xc0, 0x2d, 0x2f, 0xda, 0x7e, 0xe1, + 0x9c, 0x71, 0x3e, 0x9f, 0xdc, 0xeb, 0x1b, 0x29, 0x1c, 0xce, 0x50, 0xa2, 0x79, 0x00, 0xf9, 0x5c, + 0xb7, 0x9a, 0x84, 0x4d, 0x15, 0xe5, 0xba, 0xf8, 0xbc, 0x37, 0x62, 0x0c, 0x4e, 0x51, 0x09, 0xdf, + 0xb6, 0xdb, 0x94, 0x12, 0x9f, 0x8b, 0xe7, 0xa9, 0x21, 0xb9, 0x28, 0xf6, 0xed, 0xc5, 0x04, 0x85, + 0xd3, 0x74, 0xe6, 0x67, 0x06, 0x94, 0x97, 0x9a, 0x5f, 0x80, 0xca, 0xf3, 0x77, 0x06, 0x9c, 0x4c, + 0x6d, 0xf4, 0x18, 0x12, 0xe5, 0xeb, 0xd9, 0x44, 0x39, 0xf0, 0x0e, 0x53, 0xda, 0xf6, 0xc9, 0x92, + 0x3f, 0xca, 0xc3, 0x44, 0x8a, 0x4a, 0xa5, 0x48, 0x07, 0x20, 0x88, 0xcf, 0xfd, 0x48, 0x6d, 0x98, + 0xe2, 0x7b, 0x3b, 0x4d, 0xf6, 0x48, 0x93, 0x16, 0x0c, 0x2d, 0xf9, 0xdc, 0xe5, 0x3b, 0xe8, 0x25, + 0xc8, 0x87, 0x81, 0xa3, 0x0f, 0x7f, 0xe0, 0x8e, 0xa3, 0x1e, 0x38, 0x98, 0x34, 0x08, 0x25, 0xbe, + 0x4d, 0xaa, 0xc3, 0x22, 0xc7, 0x09, 0x88, 0xe0, 0x68, 0x7a, 0x70, 0x7a, 0xe9, 0x1a, 0x17, 0x19, + 0xd5, 0x53, 0xa2, 0x62, 0x42, 0x74, 0x0e, 0x0a, 0xa9, 0x4c, 0x3c, 0xaa, 0xb5, 0x2f, 0xac, 0x89, + 0x2c, 0x2c, 0x31, 0x68, 0x16, 0x4a, 0xe2, 0x2f, 0x0b, 0x2d, 0x9b, 0xe8, 0x54, 0x76, 0x4a, 0x93, + 0x95, 0xd6, 0x22, 0x04, 0x4e, 0x68, 0xcc, 0x7f, 0x19, 0x30, 0x21, 0x77, 0xb8, 0xc0, 0x58, 0x60, + 0xbb, 0x2a, 0x89, 0x1e, 0x4b, 0x09, 0x36, 0x61, 0x69, 0x89, 0xfa, 0x88, 0x0f, 0x5c, 0x6d, 0xca, + 0xd5, 0xc9, 0x69, 0xc6, 0xf9, 0x63, 0xa1, 0x83, 0x3f, 0xee, 0x92, 0x68, 
0x7e, 0x50, 0x80, 0x72, + 0xca, 0xbe, 0xb7, 0xcc, 0xa8, 0xe8, 0x6d, 0x03, 0xc6, 0x49, 0xc6, 0xaa, 0xd2, 0x3a, 0xe5, 0xf9, + 0xe5, 0x81, 0xaf, 0x8c, 0xde, 0xbe, 0x51, 0x45, 0x7b, 0xbb, 0x33, 0xe3, 0x1d, 0xc8, 0x0e, 0x91, + 0xe8, 0x01, 0xc8, 0xbb, 0xa1, 0x8a, 0x9c, 0xd1, 0xea, 0x1d, 0x42, 0xc1, 0x5a, 0x9d, 0x5d, 0xdf, + 0x9d, 0x29, 0xd5, 0xea, 0xba, 0xb7, 0xc5, 0x82, 0x00, 0xbd, 0x06, 0xc5, 0x30, 0xa0, 0x5c, 0xe4, + 0x33, 0x61, 0x91, 0xaf, 0x0d, 0xaa, 0xa3, 0xf0, 0x34, 0xa7, 0x1e, 0x50, 0x9e, 0x5c, 0x6a, 0xe2, + 0x89, 0x61, 0xc5, 0x16, 0xbd, 0x02, 0x05, 0x3f, 0x70, 0x88, 0x4c, 0x7b, 0xe5, 0xf9, 0x27, 0x07, + 0x66, 0x1f, 0x38, 0x24, 0xd9, 0xf8, 0x88, 0x0c, 0x01, 0x01, 0x92, 0x4c, 0x51, 0x13, 0x86, 0x19, + 0xa1, 0xdb, 0xae, 0xad, 0x32, 0x64, 0x79, 0xfe, 0xeb, 0x83, 0xf2, 0x5f, 0x57, 0xcb, 0x13, 0x11, + 0xe5, 0xbd, 0xdd, 0x99, 0xe1, 0x08, 0x1a, 0x71, 0x37, 0xdf, 0x2f, 0xc0, 0xe8, 0xed, 0x9a, 0xeb, + 0x76, 0xcd, 0xd5, 0xab, 0xe6, 0xfa, 0x95, 0x01, 0xe3, 0xd9, 0x7b, 0x29, 0x7b, 0x35, 0x1b, 0xfb, + 0x5f, 0xcd, 0xf1, 0x6d, 0x9f, 0xeb, 0x7b, 0xdb, 0x57, 0x21, 0xdf, 0x76, 0x1d, 0xd9, 0x7c, 0x94, + 0xaa, 0x0f, 0xc5, 0xdd, 0x52, 0xed, 0xd2, 0xf5, 0xdd, 0x99, 0xfb, 0xfa, 0x4d, 0x29, 0xf9, 0x4e, + 0x48, 0x58, 0xe5, 0x85, 0xda, 0x25, 0x2c, 0x16, 0x9b, 0x6f, 0xc2, 0xe8, 0xd3, 0x1b, 0x1b, 0xf5, + 0x3a, 0x0d, 0x78, 0x60, 0x07, 0x9e, 0x90, 0xba, 0x15, 0x30, 0xde, 0x99, 0x63, 0x9e, 0x0e, 0x18, + 0xc7, 0x12, 0x23, 0x7a, 0xa5, 0x16, 0xe1, 0x5b, 0x81, 0xd3, 0xd9, 0x2b, 0xad, 0x4a, 0x28, 0xd6, + 0x58, 0xc1, 0x29, 0xb4, 0xf8, 0x96, 0x56, 0x2f, 0xe6, 0x54, 0xb7, 0xf8, 0x16, 0x96, 0x18, 0xf3, + 0x43, 0x03, 0x86, 0xb5, 0x5d, 0xd1, 0x4b, 0x50, 0xb0, 0x5d, 0x87, 0xea, 0xc0, 0x39, 0xa0, 0x27, + 0xc5, 0x42, 0x16, 0x6b, 0x97, 0x30, 0x96, 0x0c, 0xd1, 0xab, 0x30, 0x44, 0xae, 0xd9, 0x24, 0xe4, + 0x3a, 0x50, 0x0e, 0xc8, 0x3a, 0xde, 0xe5, 0x92, 0x64, 0x86, 0x35, 0x53, 0xf3, 0xdf, 0x06, 0xa0, + 0x5a, 0xfd, 0x8b, 0x9b, 0x42, 0x1b, 0x50, 0x94, 0x07, 0x84, 0xee, 0x87, 0x9c, 0x1b, 0xca, 0xbd, + 0x8e, 0x56, 
0x27, 0xf7, 0x76, 0x67, 0x72, 0xb5, 0x7a, 0x36, 0xb5, 0xe4, 0xdc, 0x50, 0x04, 0x6f, + 0x48, 0x49, 0xc3, 0xbd, 0xb6, 0x42, 0xfc, 0x26, 0xdf, 0x92, 0x1e, 0x54, 0x4c, 0x82, 0xb7, 0x9e, + 0xc2, 0xe1, 0x0c, 0xa5, 0xf9, 0x1b, 0x03, 0x60, 0xe5, 0x42, 0xec, 0xa6, 0x2f, 0x43, 0x61, 0x8b, + 0xf3, 0xf0, 0xa0, 0xa9, 0x3a, 0xed, 0xf2, 0x2a, 0x83, 0x08, 0x08, 0x96, 0x3c, 0xd1, 0x8b, 0x90, + 0xe7, 0x1e, 0xd3, 0x09, 0x7a, 0xe0, 0x7b, 0x75, 0x63, 0x65, 0x3d, 0xe6, 0x2c, 0x8b, 0x80, 0x8d, + 0x95, 0x75, 0x2c, 0x18, 0x9a, 0xef, 0x1b, 0x80, 0x56, 0xdb, 0x9e, 0xe8, 0xdd, 0x19, 0x97, 0xc7, + 0x57, 0xf3, 0x1b, 0x01, 0xba, 0x1f, 0x8a, 0xb2, 0x8d, 0xd1, 0x21, 0x17, 0xa7, 0x4c, 0x65, 0x14, + 0x85, 0x43, 0xaf, 0x41, 0x21, 0x0c, 0x9c, 0x03, 0x4f, 0xb8, 0x33, 0xa5, 0x49, 0x12, 0x8a, 0x81, + 0xc3, 0xb0, 0xe4, 0x6b, 0xbe, 0x6b, 0x40, 0x29, 0x4e, 0xdb, 0x32, 0x74, 0x03, 0xaa, 0x2e, 0x81, + 0x62, 0x9a, 0x9e, 0x72, 0x2c, 0x31, 0x37, 0x71, 0x39, 0x5d, 0x84, 0x91, 0x50, 0x9f, 0x83, 0xbe, + 0x02, 0xee, 0x8d, 0x87, 0x41, 0x1a, 0x7e, 0x3d, 0xf5, 0x1b, 0xc7, 0xd4, 0xe6, 0xdf, 0xf3, 0x30, + 0xb6, 0x46, 0xf8, 0x1b, 0x01, 0xbd, 0x52, 0x0f, 0x3c, 0xd7, 0xde, 0x39, 0x86, 0x68, 0x6a, 0x40, + 0x91, 0xb6, 0x3d, 0x12, 0x1d, 0xf0, 0xc2, 0xc0, 0x35, 0x49, 0x5a, 0x5f, 0xdc, 0xf6, 0x48, 0x62, + 0x47, 0xf1, 0xc4, 0xb0, 0x62, 0x8f, 0x9e, 0x84, 0x93, 0x56, 0x66, 0xe8, 0xa9, 0x72, 0x67, 0x49, + 0x86, 0xcc, 0xc9, 0xec, 0x3c, 0x94, 0xe1, 0x4e, 0x5a, 0x74, 0x5e, 0x1c, 0xaa, 0x1b, 0x50, 0x51, + 0x40, 0x8a, 0xc4, 0x67, 0x54, 0x47, 0xd5, 0x81, 0x2a, 0x18, 0x8e, 0xb1, 0xe8, 0x61, 0x18, 0xe5, + 0x2e, 0xa1, 0x11, 0x46, 0xa6, 0xbb, 0x62, 0x75, 0x42, 0xa6, 0xc8, 0x14, 0x1c, 0x67, 0xa8, 0x10, + 0x83, 0x12, 0x0b, 0xda, 0x54, 0x16, 0x3f, 0xba, 0x7c, 0xba, 0x7c, 0xb8, 0xa3, 0x88, 0xbd, 0x6e, + 0x4c, 0x24, 0xba, 0xf5, 0x88, 0x39, 0x4e, 0xe4, 0x98, 0x7f, 0x33, 0xe0, 0x4c, 0x66, 0xd1, 0x82, + 0x6d, 0x8b, 0x0b, 0x83, 0x5c, 0x6d, 0x13, 0xc6, 0xd1, 0x6b, 0x30, 0xa4, 0x68, 0xb5, 0xe9, 0x1f, + 0x1d, 0xb8, 0x64, 0x96, 0xd5, 0x6f, 0x72, 0x83, 
0x6b, 0x25, 0x34, 0x57, 0xd4, 0x82, 0xb2, 0x43, + 0x18, 0x77, 0x7d, 0x35, 0xca, 0xcb, 0x1d, 0x4a, 0x48, 0x5c, 0x1a, 0x5c, 0x4a, 0x58, 0xe2, 0x34, + 0x7f, 0xf3, 0x97, 0x39, 0xb8, 0xa7, 0xe7, 0x6e, 0x59, 0x18, 0xf8, 0x8c, 0xa0, 0xef, 0xa4, 0x4d, + 0x60, 0x1c, 0xa9, 0x09, 0xee, 0xd4, 0xca, 0x65, 0xa3, 0x2b, 0x65, 0x0a, 0x51, 0xa4, 0x08, 0x3f, + 0xad, 0xf9, 0x0e, 0xb9, 0xa6, 0x2f, 0xe7, 0xb8, 0x48, 0xc1, 0x11, 0x02, 0x27, 0x34, 0xe8, 0x1b, + 0x50, 0x10, 0x0f, 0x7a, 0x00, 0x7a, 0x61, 0x50, 0x45, 0x05, 0x4f, 0x4c, 0x1a, 0xc9, 0x05, 0x22, + 0x01, 0x92, 0xa5, 0xf9, 0x4e, 0x0e, 0xee, 0xee, 0x79, 0x50, 0xdb, 0x2e, 0x79, 0x03, 0x5d, 0x85, + 0x61, 0xaa, 0x1c, 0x44, 0x5b, 0xec, 0x99, 0x43, 0x1d, 0x52, 0xc6, 0xe5, 0x54, 0xc1, 0xaf, 0x1f, + 0x70, 0x24, 0x07, 0xb5, 0x61, 0x84, 0x6a, 0x2b, 0xe9, 0xfd, 0x3e, 0x7b, 0x24, 0x32, 0x15, 0x4b, + 0x15, 0xc9, 0xd1, 0x13, 0x8e, 0x45, 0x99, 0x7f, 0x30, 0xe0, 0x54, 0x66, 0xdd, 0x31, 0x0c, 0xb6, + 0x36, 0xb3, 0x83, 0xad, 0x27, 0x0f, 0xb5, 0xcf, 0x3e, 0xa3, 0xad, 0x7f, 0x18, 0x70, 0x3a, 0x43, + 0x27, 0x9a, 0xb8, 0x75, 0x6e, 0xf1, 0x36, 0x43, 0x0f, 0xc2, 0x88, 0x68, 0xe6, 0xd6, 0x7a, 0xbc, + 0x77, 0x58, 0xd3, 0x70, 0x1c, 0x53, 0x88, 0xc2, 0x5e, 0xbf, 0x6f, 0x8f, 0x02, 0x38, 0x55, 0xd8, + 0x2f, 0xc7, 0x18, 0x9c, 0xa2, 0x42, 0xcf, 0x00, 0xa2, 0xc4, 0xf2, 0xdc, 0x37, 0xe5, 0xe3, 0x65, + 0xcb, 0xf5, 0xda, 0x54, 0x99, 0x75, 0xa4, 0x7a, 0x46, 0xaf, 0x45, 0xb8, 0x8b, 0x02, 0xf7, 0x58, + 0x85, 0xbe, 0x04, 0xc3, 0x2d, 0xc2, 0x98, 0x68, 0x10, 0x0a, 0x52, 0xd9, 0x93, 0x9a, 0xc1, 0xf0, + 0xaa, 0x02, 0xe3, 0x08, 0x2f, 0xdf, 0x23, 0x67, 0x36, 0x5d, 0x27, 0x84, 0xa2, 0x0b, 0x30, 0x66, + 0xa5, 0x5e, 0x2e, 0xb3, 0x29, 0x43, 0xe6, 0x84, 0x53, 0x22, 0x56, 0xd3, 0x6f, 0x9d, 0x19, 0xce, + 0xd2, 0x21, 0x02, 0x23, 0x6e, 0xa8, 0x7b, 0x30, 0x65, 0xaa, 0x0b, 0x83, 0x97, 0xb7, 0x72, 0x7d, + 0x72, 0xc0, 0x71, 0xf3, 0x15, 0xb3, 0x46, 0x33, 0x50, 0x6c, 0x5c, 0x75, 0xfc, 0x28, 0x57, 0x95, + 0x84, 0x2d, 0x2f, 0x3f, 0x7f, 0x69, 0x8d, 0x61, 0x05, 0x47, 0x5c, 0xb4, 0x56, 0xba, 
0x43, 0x8e, + 0xc6, 0x06, 0x87, 0xef, 0xbb, 0x53, 0xcd, 0x59, 0xc4, 0x1b, 0xa7, 0xe4, 0x88, 0x64, 0xea, 0x59, + 0x9b, 0xc4, 0xab, 0x39, 0x44, 0xdc, 0xbe, 0xae, 0xec, 0xea, 0xf2, 0xe7, 0xc7, 0x54, 0x32, 0x5d, + 0xc9, 0xa2, 0x70, 0x27, 0xad, 0xf9, 0x99, 0x01, 0x77, 0xf5, 0xbe, 0x29, 0xd1, 0x23, 0x50, 0x10, + 0x7d, 0x92, 0xf6, 0xbd, 0xfb, 0xa2, 0xdb, 0x69, 0x63, 0x27, 0x24, 0xd7, 0x77, 0x67, 0xb2, 0x16, + 0x14, 0x40, 0x2c, 0xc9, 0x07, 0x1e, 0xbf, 0xc5, 0x65, 0x54, 0x7e, 0xbf, 0x1e, 0xaf, 0x70, 0x98, + 0x1e, 0xef, 0xc3, 0xa1, 0x0e, 0xa7, 0x13, 0xb7, 0x2c, 0x7a, 0x02, 0x4a, 0x8e, 0x4b, 0x45, 0x77, + 0x1d, 0x44, 0x2f, 0xca, 0xa6, 0x23, 0x65, 0x2f, 0x45, 0x88, 0xeb, 0xe9, 0x07, 0x9c, 0x2c, 0x40, + 0x36, 0x14, 0x1a, 0x34, 0x68, 0xe9, 0xcb, 0xf7, 0x70, 0xf5, 0x92, 0x88, 0x81, 0x64, 0xf3, 0x97, + 0x69, 0xd0, 0xc2, 0x92, 0x39, 0x7a, 0x15, 0x72, 0x3c, 0xd0, 0x77, 0xed, 0x11, 0x88, 0x00, 0x2d, + 0x22, 0xb7, 0x11, 0xe0, 0x1c, 0x0f, 0x44, 0xf4, 0xb0, 0xac, 0xcf, 0x5e, 0x38, 0xa0, 0xcf, 0x26, + 0xd1, 0x13, 0x3b, 0x6a, 0xcc, 0x5a, 0xbe, 0x16, 0xed, 0x28, 0xc3, 0x92, 0x4a, 0xb8, 0xab, 0x70, + 0x7b, 0x11, 0x86, 0x2c, 0x65, 0x93, 0x21, 0x69, 0x93, 0xa7, 0xe4, 0x6b, 0xc8, 0xc8, 0x18, 0x0f, + 0xdd, 0xe0, 0xa3, 0x2f, 0xea, 0xe8, 0x6f, 0xbd, 0xe6, 0x64, 0x5e, 0x55, 0x6b, 0xb0, 0xe6, 0x86, + 0x1e, 0x87, 0x31, 0xe2, 0x5b, 0x9b, 0x1e, 0x59, 0x09, 0x9a, 0x4d, 0xd7, 0x6f, 0x4e, 0x0d, 0xcb, + 0xbb, 0x2e, 0xae, 0x09, 0x96, 0xd2, 0x48, 0x9c, 0xa5, 0xed, 0x55, 0xb6, 0x8e, 0x0c, 0x50, 0xb6, + 0x46, 0x6e, 0x5e, 0xea, 0xeb, 0xe6, 0x57, 0xa1, 0xec, 0xc5, 0xdd, 0x1d, 0x9b, 0x02, 0x69, 0x8d, + 0xc7, 0x06, 0xb5, 0x46, 0xd2, 0x20, 0x26, 0x85, 0x58, 0x02, 0x63, 0x38, 0x2d, 0x43, 0x98, 0xc5, + 0x0b, 0x9a, 0xf2, 0x96, 0x98, 0x2a, 0x67, 0x73, 0xcc, 0x8a, 0x86, 0xe3, 0x98, 0xc2, 0x7c, 0x2f, + 0x0f, 0x28, 0xe3, 0x51, 0x22, 0x53, 0x31, 0xf4, 0xb6, 0x01, 0x63, 0x7e, 0x1a, 0x7c, 0x3c, 0x25, + 0x5b, 0x56, 0x26, 0x0a, 0x61, 0x94, 0x53, 0xab, 0xd1, 0x70, 0x6d, 0xa9, 0xd5, 0x4d, 0xd4, 0xb0, + 0xf2, 0x8b, 0xbd, 0x4a, 
0xf4, 0xc5, 0x5e, 0x65, 0x23, 0xb5, 0x3a, 0x35, 0x4b, 0x4b, 0x41, 0x71, + 0x46, 0x02, 0x7a, 0xcb, 0x80, 0x09, 0x51, 0xa5, 0xa5, 0x49, 0xf4, 0x14, 0xf0, 0xb1, 0x9b, 0x17, + 0x8b, 0x3b, 0x38, 0x24, 0x93, 0x87, 0x4e, 0x0c, 0xee, 0x92, 0x66, 0xfe, 0xc5, 0x80, 0xc9, 0x2e, + 0x8b, 0xb4, 0x8f, 0x63, 0x0c, 0xeb, 0x41, 0x51, 0xd4, 0x1e, 0x51, 0xca, 0x5d, 0x3e, 0x94, 0xad, + 0x93, 0xaa, 0x27, 0xa9, 0x93, 0x04, 0x8c, 0x61, 0x25, 0xc4, 0x9c, 0x83, 0xb1, 0xcc, 0xc4, 0x7b, + 0xff, 0xd7, 0x40, 0xe6, 0x07, 0x45, 0x98, 0x88, 0xf8, 0xb2, 0xf5, 0x76, 0xab, 0x65, 0xd1, 0xe3, + 0x68, 0xa2, 0xdf, 0x31, 0xe0, 0x64, 0xda, 0x31, 0xdd, 0xf8, 0x88, 0xaa, 0x87, 0x3a, 0x22, 0xe5, + 0x1b, 0xa7, 0xb5, 0xec, 0x93, 0x6b, 0x59, 0x11, 0xb8, 0x53, 0x26, 0xfa, 0xb5, 0x01, 0xf7, 0x2a, + 0x29, 0xfa, 0xd3, 0x88, 0x8e, 0x15, 0xda, 0x51, 0x8f, 0x42, 0xa9, 0xff, 0xd3, 0x4a, 0xdd, 0xbb, + 0x70, 0x03, 0x79, 0xf8, 0x86, 0xda, 0xa0, 0x9f, 0x1b, 0x70, 0xa7, 0x22, 0xe8, 0xd4, 0xb3, 0x70, + 0x64, 0x7a, 0x9e, 0xd5, 0x7a, 0xde, 0xb9, 0xd0, 0x4b, 0x10, 0xee, 0x2d, 0x1f, 0x31, 0x28, 0xb5, + 0xa2, 0x81, 0x95, 0x2c, 0xad, 0x0e, 0xa0, 0x4c, 0xf7, 0xc4, 0x2b, 0xa9, 0x89, 0x62, 0x1c, 0x4e, + 0xe4, 0x98, 0xaf, 0xc2, 0x1d, 0x75, 0xab, 0xa9, 0xdb, 0xe5, 0x65, 0xc2, 0x9f, 0x0b, 0xc5, 0x0f, + 0xa6, 0xe6, 0xc9, 0x4d, 0xe5, 0xf6, 0xf9, 0xf4, 0x3c, 0xb9, 0x49, 0xb0, 0xc4, 0xa0, 0xfb, 0xa1, + 0xe8, 0xb9, 0x2d, 0x97, 0xeb, 0x16, 0x20, 0x0e, 0xa7, 0x15, 0x01, 0xc4, 0x0a, 0x67, 0x5a, 0x30, + 0x9a, 0x9e, 0x86, 0xdd, 0x8a, 0x97, 0xaa, 0x1f, 0x1a, 0x30, 0xac, 0x3b, 0xdb, 0x43, 0x56, 0x59, + 0xfb, 0x8f, 0xd9, 0x92, 0x72, 0x21, 0x7f, 0x94, 0xe5, 0x82, 0xf9, 0xdb, 0x3c, 0x44, 0xaf, 0xbc, + 0xd0, 0xc3, 0xa9, 0x51, 0x9e, 0xda, 0xc2, 0xd4, 0xfe, 0x63, 0x3c, 0xb4, 0xa6, 0x87, 0x88, 0xb9, + 0x7d, 0xee, 0x9a, 0x36, 0x77, 0xbd, 0x8a, 0xfa, 0x6c, 0xba, 0x52, 0xf3, 0xf9, 0x73, 0x74, 0x9d, + 0x53, 0xd7, 0x6f, 0xaa, 0xb1, 0x6c, 0x6a, 0xe4, 0xf8, 0xff, 0x30, 0x4c, 0x7c, 0x39, 0x9f, 0x94, + 0x5b, 0x2d, 0xaa, 0x2e, 0x7d, 0x49, 0x81, 0x70, 0x84, 0x43, 
0xe7, 0x61, 0xc4, 0xb5, 0x5b, 0xa1, + 0xa8, 0xca, 0x65, 0xd5, 0x5c, 0x54, 0x8d, 0x75, 0x6d, 0x71, 0xb5, 0x2e, 0x2b, 0xf5, 0x18, 0x1b, + 0x51, 0x2e, 0x46, 0xaf, 0x22, 0x53, 0x94, 0x02, 0x86, 0x63, 0xac, 0xa4, 0x6c, 0x6a, 0x9e, 0x43, + 0x29, 0xca, 0xe5, 0x98, 0xa7, 0xc6, 0xa2, 0x8b, 0xfa, 0xd3, 0x17, 0xdd, 0xb5, 0xc9, 0x22, 0xab, + 0xd4, 0xf1, 0xf5, 0x4a, 0x34, 0x10, 0xcf, 0x50, 0x8a, 0xed, 0x31, 0x6a, 0xcb, 0xed, 0x8d, 0x24, + 0xdb, 0x5b, 0x57, 0x20, 0x1c, 0xe1, 0x50, 0x05, 0x80, 0x51, 0x5b, 0xef, 0x5a, 0x16, 0x54, 0xc5, + 0xea, 0xb8, 0xb8, 0x91, 0xd7, 0x63, 0x28, 0x4e, 0x51, 0x98, 0x04, 0x26, 0x3a, 0xfb, 0xaa, 0x5b, + 0xe1, 0xf2, 0xef, 0x15, 0xe0, 0xf4, 0x7a, 0x3b, 0x14, 0x86, 0x52, 0x1f, 0xe8, 0x2d, 0x06, 0x9e, + 0xa7, 0x9d, 0xf8, 0xd6, 0x27, 0x9e, 0x57, 0xa0, 0x44, 0xae, 0x85, 0x2e, 0x25, 0xce, 0x42, 0xe4, + 0x6f, 0x5f, 0xbe, 0x39, 0x11, 0x1b, 0x6e, 0x8b, 0x24, 0x5b, 0x5b, 0x8a, 0x98, 0xe0, 0x84, 0x9f, + 0x38, 0x0b, 0xe6, 0xfa, 0x36, 0x11, 0xa4, 0x3a, 0xc8, 0xe2, 0x05, 0xeb, 0x11, 0x02, 0x27, 0x34, + 0xa2, 0x19, 0x6e, 0xc4, 0x9f, 0x34, 0x4a, 0x1f, 0x3c, 0x40, 0x33, 0xdc, 0xf9, 0x69, 0x64, 0x72, + 0x02, 0x09, 0x0c, 0xa7, 0xe4, 0xa0, 0x1f, 0x1b, 0x30, 0x6e, 0x65, 0xbf, 0x4a, 0x54, 0xef, 0xd7, + 0x57, 0x0f, 0x26, 0xba, 0xcf, 0x17, 0x96, 0xd5, 0xbb, 0xb4, 0x1e, 0xe3, 0x1d, 0x9f, 0x27, 0x76, + 0x08, 0x37, 0x3f, 0x37, 0xe0, 0x9e, 0x3e, 0x1e, 0x71, 0x0c, 0x03, 0x2c, 0x2f, 0x3b, 0xc0, 0x1a, + 0xb8, 0x44, 0xeb, 0xa3, 0x79, 0x9f, 0x51, 0xd6, 0xcf, 0x72, 0x70, 0x5f, 0x9f, 0x15, 0x07, 0x1e, + 0x6a, 0x3d, 0x0e, 0x63, 0xd1, 0xef, 0x74, 0x18, 0x26, 0x0d, 0x41, 0x1a, 0x89, 0xb3, 0xb4, 0x91, + 0x28, 0x79, 0x61, 0xe5, 0xbb, 0x45, 0xa9, 0x4b, 0x2b, 0xa2, 0x10, 0x1e, 0x6e, 0x07, 0xad, 0xd0, + 0x23, 0x9c, 0xa8, 0x49, 0xc3, 0x48, 0xe2, 0xe1, 0x8b, 0x11, 0x02, 0x27, 0x34, 0x22, 0xd1, 0x12, + 0x4a, 0x03, 0x2a, 0x3d, 0x2c, 0xf5, 0xca, 0x6a, 0x49, 0x00, 0xb1, 0xc2, 0x99, 0xff, 0x34, 0xe0, + 0x6c, 0x9f, 0x43, 0x39, 0xb6, 0x4a, 0x7d, 0x3b, 0x5b, 0xa9, 0x3f, 0x7f, 0x44, 0x6e, 0xb0, 0x6f, + 
0xcd, 0xfe, 0x20, 0x94, 0x53, 0xef, 0x01, 0xd1, 0x59, 0xc8, 0x33, 0xdf, 0xed, 0xfc, 0xac, 0x79, + 0x7d, 0xad, 0x86, 0x05, 0xbc, 0xba, 0xf1, 0xd1, 0xa7, 0xd3, 0x27, 0x3e, 0xfe, 0x74, 0xfa, 0xc4, + 0x27, 0x9f, 0x4e, 0x9f, 0x78, 0x6b, 0x6f, 0xda, 0xf8, 0x68, 0x6f, 0xda, 0xf8, 0x78, 0x6f, 0xda, + 0xf8, 0x64, 0x6f, 0xda, 0xf8, 0xd3, 0xde, 0xb4, 0xf1, 0xd3, 0x3f, 0x4f, 0x9f, 0x78, 0xb9, 0x32, + 0xd8, 0xff, 0x7b, 0xfd, 0x27, 0x00, 0x00, 0xff, 0xff, 0x4c, 0x10, 0x0a, 0x52, 0x20, 0x36, 0x00, + 0x00, } func (m *AddressGroup) Marshal() (dAtA []byte, err error) { @@ -2154,6 +2312,41 @@ func (m *EgressGroupPatch) MarshalToSizedBuffer(dAtA []byte) (int, error) { return len(dAtA) - i, nil } +func (m *Entity) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *Entity) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *Entity) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.Pod != nil { + { + size, err := m.Pod.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + func (m *ExternalEntityReference) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) @@ -2805,7 +2998,7 @@ func (m *NetworkPolicy) MarshalToSizedBuffer(dAtA []byte) (int, error) { return len(dAtA) - i, nil } -func (m *NetworkPolicyList) Marshal() (dAtA []byte, err error) { +func (m *NetworkPolicyAccessRequest) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) n, err := m.MarshalToSizedBuffer(dAtA[:size]) 
@@ -2815,32 +3008,28 @@ func (m *NetworkPolicyList) Marshal() (dAtA []byte, err error) { return dAtA[:n], nil } -func (m *NetworkPolicyList) MarshalTo(dAtA []byte) (int, error) { +func (m *NetworkPolicyAccessRequest) MarshalTo(dAtA []byte) (int, error) { size := m.Size() return m.MarshalToSizedBuffer(dAtA[:size]) } -func (m *NetworkPolicyList) MarshalToSizedBuffer(dAtA []byte) (int, error) { +func (m *NetworkPolicyAccessRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) { i := len(dAtA) _ = i var l int _ = l - if len(m.Items) > 0 { - for iNdEx := len(m.Items) - 1; iNdEx >= 0; iNdEx-- { - { - size, err := m.Items[iNdEx].MarshalToSizedBuffer(dAtA[:i]) - if err != nil { - return 0, err - } - i -= size - i = encodeVarintGenerated(dAtA, i, uint64(size)) - } - i-- - dAtA[i] = 0x12 + { + size, err := m.Destination.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) } + i-- + dAtA[i] = 0x12 { - size, err := m.ListMeta.MarshalToSizedBuffer(dAtA[:i]) + size, err := m.Source.MarshalToSizedBuffer(dAtA[:i]) if err != nil { return 0, err } @@ -2852,7 +3041,7 @@ func (m *NetworkPolicyList) MarshalToSizedBuffer(dAtA []byte) (int, error) { return len(dAtA) - i, nil } -func (m *NetworkPolicyNodeStatus) Marshal() (dAtA []byte, err error) { +func (m *NetworkPolicyAccessResponse) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) n, err := m.MarshalToSizedBuffer(dAtA[:size]) 
@@ -2862,41 +3051,43 @@ func (m *NetworkPolicyNodeStatus) Marshal() (dAtA []byte, err error) { return dAtA[:n], nil } -func (m *NetworkPolicyNodeStatus) MarshalTo(dAtA []byte) (int, error) { +func (m *NetworkPolicyAccessResponse) MarshalTo(dAtA []byte) (int, error) { size := m.Size() return m.MarshalToSizedBuffer(dAtA[:size]) } -func (m *NetworkPolicyNodeStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) { +func (m *NetworkPolicyAccessResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) { i := len(dAtA) _ = i var l int _ = l - i -= len(m.Message) - copy(dAtA[i:], m.Message) - i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message))) - i-- - dAtA[i] = 0x22 - i-- - if m.RealizationFailure { - dAtA[i] = 1 - } else { - dAtA[i] = 0 + { + size, err := m.Rule.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) } i-- - dAtA[i] = 0x18 - i = encodeVarintGenerated(dAtA, i, uint64(m.Generation)) + dAtA[i] = 0x1a + i = encodeVarintGenerated(dAtA, i, uint64(m.RuleIndex)) i-- dAtA[i] = 0x10 - i -= len(m.NodeName) - copy(dAtA[i:], m.NodeName) - i = encodeVarintGenerated(dAtA, i, uint64(len(m.NodeName))) + { + size, err := m.NetworkPolicy.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } i-- dAtA[i] = 0xa return len(dAtA) - i, nil } -func (m *NetworkPolicyPeer) Marshal() (dAtA []byte, err error) { +func (m *NetworkPolicyAccessReview) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) n, err := m.MarshalToSizedBuffer(dAtA[:size]) 
@@ -2906,35 +3097,173 @@ func (m *NetworkPolicyPeer) Marshal() (dAtA []byte, err error) { return dAtA[:n], nil } -func (m *NetworkPolicyPeer) MarshalTo(dAtA []byte) (int, error) { +func (m *NetworkPolicyAccessReview) MarshalTo(dAtA []byte) (int, error) { size := m.Size() return m.MarshalToSizedBuffer(dAtA[:size]) } -func (m *NetworkPolicyPeer) MarshalToSizedBuffer(dAtA []byte) (int, error) { +func (m *NetworkPolicyAccessReview) MarshalToSizedBuffer(dAtA []byte) (int, error) { i := len(dAtA) _ = i var l int _ = l - if len(m.LabelIdentities) > 0 { - for iNdEx := len(m.LabelIdentities) - 1; iNdEx >= 0; iNdEx-- { - i = encodeVarintGenerated(dAtA, i, uint64(m.LabelIdentities[iNdEx])) - i-- - dAtA[i] = 0x28 - } - } - if len(m.ToServices) > 0 { - for iNdEx := len(m.ToServices) - 1; iNdEx >= 0; iNdEx-- { - { - size, err := m.ToServices[iNdEx].MarshalToSizedBuffer(dAtA[:i]) - if err != nil { - return 0, err - } - i -= size - i = encodeVarintGenerated(dAtA, i, uint64(size)) + if m.Response != nil { + { + size, err := m.Response.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err } - i-- - dAtA[i] = 0x22 + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x1a + } + if m.Request != nil { + { + size, err := m.Request.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + return len(dAtA) - i, nil +} + +func (m *NetworkPolicyList) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *NetworkPolicyList) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *NetworkPolicyList) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if len(m.Items) > 0 { + for iNdEx := 
len(m.Items) - 1; iNdEx >= 0; iNdEx-- { + { + size, err := m.Items[iNdEx].MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + } + { + size, err := m.ListMeta.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *NetworkPolicyNodeStatus) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *NetworkPolicyNodeStatus) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *NetworkPolicyNodeStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + i -= len(m.Message) + copy(dAtA[i:], m.Message) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message))) + i-- + dAtA[i] = 0x22 + i-- + if m.RealizationFailure { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x18 + i = encodeVarintGenerated(dAtA, i, uint64(m.Generation)) + i-- + dAtA[i] = 0x10 + i -= len(m.NodeName) + copy(dAtA[i:], m.NodeName) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.NodeName))) + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *NetworkPolicyPeer) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *NetworkPolicyPeer) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *NetworkPolicyPeer) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if len(m.LabelIdentities) > 0 { + for iNdEx := 
len(m.LabelIdentities) - 1; iNdEx >= 0; iNdEx-- { + i = encodeVarintGenerated(dAtA, i, uint64(m.LabelIdentities[iNdEx])) + i-- + dAtA[i] = 0x28 + } + } + if len(m.ToServices) > 0 { + for iNdEx := len(m.ToServices) - 1; iNdEx >= 0; iNdEx-- { + { + size, err := m.ToServices[iNdEx].MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x22 } } if len(m.FQDNs) > 0 { @@ -3411,6 +3740,46 @@ func (m *PodReference) MarshalToSizedBuffer(dAtA []byte) (int, error) { return len(dAtA) - i, nil } +func (m *RuleRef) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *RuleRef) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *RuleRef) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.Action != nil { + i -= len(*m.Action) + copy(dAtA[i:], *m.Action) + i = encodeVarintGenerated(dAtA, i, uint64(len(*m.Action))) + i-- + dAtA[i] = 0x1a + } + i -= len(m.Name) + copy(dAtA[i:], m.Name) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name))) + i-- + dAtA[i] = 0x12 + i -= len(m.Direction) + copy(dAtA[i:], m.Direction) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Direction))) + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + func (m *Service) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) @@ -4011,6 +4380,19 @@ func (m *EgressGroupPatch) Size() (n int) { return n } +func (m *Entity) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.Pod != nil { + l = m.Pod.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + return n +} + func (m *ExternalEntityReference) Size() (n int) { if m == nil { return 0 
@@ -4263,6 +4645,50 @@ func (m *NetworkPolicy) Size() (n int) { return n } +func (m *NetworkPolicyAccessRequest) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.Source.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.Destination.Size() + n += 1 + l + sovGenerated(uint64(l)) + return n +} + +func (m *NetworkPolicyAccessResponse) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.NetworkPolicy.Size() + n += 1 + l + sovGenerated(uint64(l)) + n += 1 + sovGenerated(uint64(m.RuleIndex)) + l = m.Rule.Size() + n += 1 + l + sovGenerated(uint64(l)) + return n +} + +func (m *NetworkPolicyAccessReview) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.Request != nil { + l = m.Request.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + if m.Response != nil { + l = m.Response.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + return n +} + func (m *NetworkPolicyList) Size() (n int) { if m == nil { return 0 @@ -4499,6 +4925,23 @@ func (m *PodReference) Size() (n int) { return n } +func (m *RuleRef) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.Direction) + n += 1 + l + sovGenerated(uint64(l)) + l = len(m.Name) + n += 1 + l + sovGenerated(uint64(l)) + if m.Action != nil { + l = len(*m.Action) + n += 1 + l + sovGenerated(uint64(l)) + } + return n +} + func (m *Service) Size() (n int) { if m == nil { return 0 @@ -4857,6 +5300,16 @@ func (this *EgressGroupPatch) String() string { }, "") return s } +func (this *Entity) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&Entity{`, + `Pod:` + strings.Replace(this.Pod.String(), "PodReference", "PodReference", 1) + `,`, + `}`, + }, "") + return s +} func (this *ExternalEntityReference) String() string { if this == nil { return "nil" 
@@ -5055,12 +5508,46 @@ func (this *NetworkPolicy) String() string { }, "") return s } -func (this *NetworkPolicyList) String() string { +func (this *NetworkPolicyAccessRequest) String() string { if this == nil { return "nil" } - repeatedStringForItems := "[]NetworkPolicy{" - for _, f := range this.Items { + s := strings.Join([]string{`&NetworkPolicyAccessRequest{`, + `Source:` + strings.Replace(strings.Replace(this.Source.String(), "Entity", "Entity", 1), `&`, ``, 1) + `,`, + `Destination:` + strings.Replace(strings.Replace(this.Destination.String(), "Entity", "Entity", 1), `&`, ``, 1) + `,`, + `}`, + }, "") + return s +} +func (this *NetworkPolicyAccessResponse) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&NetworkPolicyAccessResponse{`, + `NetworkPolicy:` + strings.Replace(strings.Replace(this.NetworkPolicy.String(), "NetworkPolicyReference", "NetworkPolicyReference", 1), `&`, ``, 1) + `,`, + `RuleIndex:` + fmt.Sprintf("%v", this.RuleIndex) + `,`, + `Rule:` + strings.Replace(strings.Replace(this.Rule.String(), "RuleRef", "RuleRef", 1), `&`, ``, 1) + `,`, + `}`, + }, "") + return s +} +func (this *NetworkPolicyAccessReview) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&NetworkPolicyAccessReview{`, + `Request:` + strings.Replace(this.Request.String(), "NetworkPolicyAccessRequest", "NetworkPolicyAccessRequest", 1) + `,`, + `Response:` + strings.Replace(this.Response.String(), "NetworkPolicyAccessResponse", "NetworkPolicyAccessResponse", 1) + `,`, + `}`, + }, "") + return s +} +func (this *NetworkPolicyList) String() string { + if this == nil { + return "nil" + } + repeatedStringForItems := "[]NetworkPolicy{" + for _, f := range this.Items { repeatedStringForItems += strings.Replace(strings.Replace(f.String(), "NetworkPolicy", "NetworkPolicy", 1), `&`, ``, 1) + "," } repeatedStringForItems += "}" 
@@ -5250,6 +5737,18 @@ func (this *PodReference) String() string { }, "") return s } +func (this *RuleRef) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&RuleRef{`, + `Direction:` + fmt.Sprintf("%v", this.Direction) + `,`, + `Name:` + fmt.Sprintf("%v", this.Name) + `,`, + `Action:` + valueToStringGenerated(this.Action) + `,`, + `}`, + }, "") + return s +} func (this *Service) String() string { if this == nil { return "nil" 
@@ -7066,6 +7565,92 @@ func (m *EgressGroupPatch) Unmarshal(dAtA []byte) error { } return nil } +func (m *Entity) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: Entity: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: Entity: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Pod", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Pod == nil { + m.Pod = &PodReference{} + } + if err := m.Pod.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *ExternalEntityReference) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 
@@ -8982,7 +9567,7 @@ func (m *NetworkPolicy) Unmarshal(dAtA []byte) error { } return nil } -func (m *NetworkPolicyList) Unmarshal(dAtA []byte) error { +func (m *NetworkPolicyAccessRequest) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 for iNdEx < l { @@ -9005,15 +9590,15 @@ func (m *NetworkPolicyList) Unmarshal(dAtA []byte) error { fieldNum := int32(wire >> 3) wireType := int(wire & 0x7) if wireType == 4 { - return fmt.Errorf("proto: NetworkPolicyList: wiretype end group for non-group") + return fmt.Errorf("proto: NetworkPolicyAccessRequest: wiretype end group for non-group") } if fieldNum <= 0 { - return fmt.Errorf("proto: NetworkPolicyList: illegal tag %d (wire type %d)", fieldNum, wire) + return fmt.Errorf("proto: NetworkPolicyAccessRequest: illegal tag %d (wire type %d)", fieldNum, wire) } switch fieldNum { case 1: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field Source", wireType) } var msglen int for shift := uint(0); ; shift += 7 { @@ -9040,13 +9625,13 @@ func (m *NetworkPolicyList) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + if err := m.Source.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { return err } iNdEx = postIndex case 2: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field Destination", wireType) } var msglen int for shift := uint(0); ; shift += 7 { @@ -9073,8 +9658,7 @@ func (m *NetworkPolicyList) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.Items = append(m.Items, NetworkPolicy{}) - if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + if err := m.Destination.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { return err } iNdEx = postIndex 
@@ -9099,7 +9683,7 @@ func (m *NetworkPolicyList) Unmarshal(dAtA []byte) error { } return nil } -func (m *NetworkPolicyNodeStatus) Unmarshal(dAtA []byte) error { +func (m *NetworkPolicyAccessResponse) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 for iNdEx < l { @@ -9122,17 +9706,17 @@ func (m *NetworkPolicyNodeStatus) Unmarshal(dAtA []byte) error { fieldNum := int32(wire >> 3) wireType := int(wire & 0x7) if wireType == 4 { - return fmt.Errorf("proto: NetworkPolicyNodeStatus: wiretype end group for non-group") + return fmt.Errorf("proto: NetworkPolicyAccessResponse: wiretype end group for non-group") } if fieldNum <= 0 { - return fmt.Errorf("proto: NetworkPolicyNodeStatus: illegal tag %d (wire type %d)", fieldNum, wire) + return fmt.Errorf("proto: NetworkPolicyAccessResponse: illegal tag %d (wire type %d)", fieldNum, wire) } switch fieldNum { case 1: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field NodeName", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field NetworkPolicy", wireType) } - var stringLen uint64 + var msglen int for shift := uint(0); ; shift += 7 { if shift >= 64 { return ErrIntOverflowGenerated 
@@ -9142,29 +9726,30 @@ func (m *NetworkPolicyNodeStatus) Unmarshal(dAtA []byte) error { } b := dAtA[iNdEx] iNdEx++ - stringLen |= uint64(b&0x7F) << shift + msglen |= int(b&0x7F) << shift if b < 0x80 { break } } - intStringLen := int(stringLen) - if intStringLen < 0 { + if msglen < 0 { return ErrInvalidLengthGenerated } - postIndex := iNdEx + intStringLen + postIndex := iNdEx + msglen if postIndex < 0 { return ErrInvalidLengthGenerated } if postIndex > l { return io.ErrUnexpectedEOF } - m.NodeName = string(dAtA[iNdEx:postIndex]) + if err := m.NetworkPolicy.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } iNdEx = postIndex case 2: if wireType != 0 { - return fmt.Errorf("proto: wrong wireType = %d for field Generation", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field RuleIndex", wireType) } - m.Generation = 0 + m.RuleIndex = 0 for shift := uint(0); ; shift += 7 { if shift >= 64 { return ErrIntOverflowGenerated @@ -9174,36 +9759,16 @@ func (m *NetworkPolicyNodeStatus) Unmarshal(dAtA []byte) error { } b := dAtA[iNdEx] iNdEx++ - m.Generation |= int64(b&0x7F) << shift + m.RuleIndex |= int32(b&0x7F) << shift if b < 0x80 { break } } case 3: - if wireType != 0 { - return fmt.Errorf("proto: wrong wireType = %d for field RealizationFailure", wireType) - } - var v int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowGenerated - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - v |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - m.RealizationFailure = bool(v != 0) - case 4: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field Rule", wireType) } - var stringLen uint64 + var msglen int for shift := uint(0); ; shift += 7 { if shift >= 64 { return ErrIntOverflowGenerated 
@@ -9213,23 +9778,24 @@ func (m *NetworkPolicyNodeStatus) Unmarshal(dAtA []byte) error { } b := dAtA[iNdEx] iNdEx++ - stringLen |= uint64(b&0x7F) << shift + msglen |= int(b&0x7F) << shift if b < 0x80 { break } } - intStringLen := int(stringLen) - if intStringLen < 0 { + if msglen < 0 { return ErrInvalidLengthGenerated } - postIndex := iNdEx + intStringLen + postIndex := iNdEx + msglen if postIndex < 0 { return ErrInvalidLengthGenerated } if postIndex > l { return io.ErrUnexpectedEOF } - m.Message = string(dAtA[iNdEx:postIndex]) + if err := m.Rule.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } iNdEx = postIndex default: iNdEx = preIndex @@ -9252,7 +9818,7 @@ func (m *NetworkPolicyNodeStatus) Unmarshal(dAtA []byte) error { } return nil } -func (m *NetworkPolicyPeer) Unmarshal(dAtA []byte) error { +func (m *NetworkPolicyAccessReview) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 for iNdEx < l { 
@@ -9275,47 +9841,15 @@ func (m *NetworkPolicyPeer) Unmarshal(dAtA []byte) error { fieldNum := int32(wire >> 3) wireType := int(wire & 0x7) if wireType == 4 { - return fmt.Errorf("proto: NetworkPolicyPeer: wiretype end group for non-group") + return fmt.Errorf("proto: NetworkPolicyAccessReview: wiretype end group for non-group") } if fieldNum <= 0 { - return fmt.Errorf("proto: NetworkPolicyPeer: illegal tag %d (wire type %d)", fieldNum, wire) + return fmt.Errorf("proto: NetworkPolicyAccessReview: illegal tag %d (wire type %d)", fieldNum, wire) } switch fieldNum { - case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field AddressGroups", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowGenerated - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthGenerated - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthGenerated - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.AddressGroups = append(m.AddressGroups, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex case 2: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field IPBlocks", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field Request", wireType) } var msglen int for shift := uint(0); ; shift += 7 { 
@@ -9342,46 +9876,16 @@ func (m *NetworkPolicyPeer) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.IPBlocks = append(m.IPBlocks, IPBlock{}) - if err := m.IPBlocks[len(m.IPBlocks)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + if m.Request == nil { + m.Request = &NetworkPolicyAccessRequest{} + } + if err := m.Request.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { return err } iNdEx = postIndex case 3: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field FQDNs", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowGenerated - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthGenerated - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthGenerated - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.FQDNs = append(m.FQDNs, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 4: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field ToServices", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field Response", wireType) } var msglen int for shift := uint(0); ; shift += 7 { 
@@ -9408,12 +9912,466 @@ func (m *NetworkPolicyPeer) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.ToServices = append(m.ToServices, ServiceReference{}) - if err := m.ToServices[len(m.ToServices)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + if m.Response == nil { + m.Response = &NetworkPolicyAccessResponse{} + } + if err := m.Response.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { return err } iNdEx = postIndex - case 5: + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *NetworkPolicyList) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: NetworkPolicyList: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: NetworkPolicyList: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return 
ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Items = append(m.Items, NetworkPolicy{}) + if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *NetworkPolicyNodeStatus) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: NetworkPolicyNodeStatus: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: NetworkPolicyNodeStatus: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if 
wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field NodeName", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.NodeName = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Generation", wireType) + } + m.Generation = 0 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + m.Generation |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + case 3: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field RealizationFailure", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.RealizationFailure = bool(v != 0) + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex 
< 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Message = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *NetworkPolicyPeer) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: NetworkPolicyPeer: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: NetworkPolicyPeer: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field AddressGroups", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.AddressGroups = append(m.AddressGroups, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong 
wireType = %d for field IPBlocks", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.IPBlocks = append(m.IPBlocks, IPBlock{}) + if err := m.IPBlocks[len(m.IPBlocks)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field FQDNs", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.FQDNs = append(m.FQDNs, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ToServices", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ToServices = append(m.ToServices, 
ServiceReference{}) + if err := m.ToServices[len(m.ToServices)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 5: if wireType == 0 { var v uint32 for shift := uint(0); ; shift += 7 { 
@@ -10842,6 +11800,153 @@ func (m *PodReference) Unmarshal(dAtA []byte) error { } return nil } +func (m *RuleRef) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: RuleRef: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: RuleRef: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Direction", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Direction = Direction(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return 
ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Name = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Action", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := antrea_io_antrea_pkg_apis_crd_v1beta1.RuleAction(dAtA[iNdEx:postIndex]) + m.Action = &s + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *Service) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 diff --git a/pkg/apis/controlplane/v1beta2/generated.proto b/pkg/apis/controlplane/v1beta2/generated.proto index e6e89d96d24..495ea77b9b4 100644 --- a/pkg/apis/controlplane/v1beta2/generated.proto +++ b/pkg/apis/controlplane/v1beta2/generated.proto @@ -1,4 +1,4 @@ -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -130,6 +130,11 @@ message EgressGroupPatch { repeated GroupMember removedGroupMembers = 3; } +// Entity contains Namespace and Pod name as a request parameter. +message Entity { + optional PodReference pod = 1; +} + // ExternalEntityReference represents a ExternalEntity Reference. message ExternalEntityReference { // The name of this ExternalEntity. @@ -289,6 +294,31 @@ message NetworkPolicy { optional NetworkPolicyReference sourceRef = 6; } +// NetworkPolicyAccessRequest is the request body of NetworkPolicy access review. +message NetworkPolicyAccessRequest { + optional Entity source = 1; + + optional Entity destination = 2; +} + +// NetworkPolicyAccessResponse is the response of NetworkPolicy access review. +message NetworkPolicyAccessResponse { + // The reference of the effective NetworkPolicy. + optional NetworkPolicyReference sourceRef = 1; + + optional int32 ruleIndex = 2; + + // The content of the effective rule. + optional RuleRef rule = 3; +} + +// NetworkPolicyAccessReview contains the request and response for a NetworkPolicy access review. +message NetworkPolicyAccessReview { + optional NetworkPolicyAccessRequest request = 2; + + optional NetworkPolicyAccessResponse response = 3; +} + // NetworkPolicyList is a list of NetworkPolicy objects. message NetworkPolicyList { optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1; @@ -449,6 +479,15 @@ message PodReference { optional string namespace = 2; } +// RuleRef contains basic information for the rule. +message RuleRef { + optional string direction = 1; + + optional string name = 2; + + optional string action = 3; +} + // Service describes a port to allow traffic on. message Service { // The protocol (TCP, UDP, SCTP, or ICMP) which traffic must match. If not specified, this diff --git a/pkg/apis/controlplane/v1beta2/register.go b/pkg/apis/controlplane/v1beta2/register.go index e90252dfa8f..0cba31788d7 100644 --- a/pkg/apis/controlplane/v1beta2/register.go 
+++ b/pkg/apis/controlplane/v1beta2/register.go
@@ -44,6 +44,11 @@ var (
 Version: SchemeGroupVersion.Version,
 Resource: "groups",
 }
+ NetworkPolicyAccessReviewVersionResource = schema.GroupVersionResource{
+ Group: SchemeGroupVersion.Group,
+ Version: SchemeGroupVersion.Version,
+ Resource: "networkpolicyaccessreview",
+ }
 )
 
 // Resource takes an unqualified resource and returns a Group qualified GroupResource.
@@ -69,6 +74,7 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 &NetworkPolicy{},
 &NetworkPolicyList{},
 &NetworkPolicyStatus{},
+ &NetworkPolicyAccessReview{},
 &NodeStatsSummary{},
 &ClusterGroupMembers{},
 &GroupMembers{},
diff --git a/pkg/apis/controlplane/v1beta2/types.go b/pkg/apis/controlplane/v1beta2/types.go
index 8eae3c3cc4e..56ce8433c89 100644
--- a/pkg/apis/controlplane/v1beta2/types.go
+++ b/pkg/apis/controlplane/v1beta2/types.go
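Review bot: `Resource: "networkpolicyaccessreview"` in the new NetworkPolicyAccessReviewVersionResource entry is singular, while the sibling entry in the same block uses the plural `"groups"` and Kubernetes resource names are conventionally plural (the analogous core type is served as `subjectaccessreviews`). If the API server installs the storage under the plural path, any client or RBAC rule built from this constant would name a resource that does not exist, so the value should be `Resource: "networkpolicyaccessreviews",` unless the install code elsewhere deliberately uses the singular form — that code is not in this diff, so please confirm. The enclosing `var (` block and the addKnownTypes function both start outside the hunks.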
@@ -450,6 +450,45 @@ type NetworkPolicyNodeStatus struct {
 Message string `json:"message,omitempty" protobuf:"bytes,4,opt,name=message"`
 }
 
+ // +genclient
+ // +genclient:nonNamespaced
+ // +genclient:onlyVerbs=create
+ // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+ // NetworkPolicyAccessReview contains the request and response for a NetworkPolicy access review.
+ type NetworkPolicyAccessReview struct {
+ metav1.TypeMeta `json:",inline"`
+ Request *NetworkPolicyAccessRequest `json:"request,omitempty" protobuf:"bytes,2,opt,name=request"`
+ Response *NetworkPolicyAccessResponse `json:"response,omitempty" protobuf:"bytes,3,opt,name=response"`
+ }
+
+ // Entity contains Namespace and Pod name as a request parameter.
+ type Entity struct {
+ Pod *PodReference `json:"pod,omitempty" protobuf:"bytes,1,opt,name=pod"`
+ }
+
+ // NetworkPolicyAccessRequest is the request body of NetworkPolicy access review.
+ type NetworkPolicyAccessRequest struct {
+ Source Entity `json:"source,omitempty" protobuf:"bytes,1,opt,name=source"`
+ Destination Entity `json:"destination,omitempty" protobuf:"bytes,2,opt,name=destination"`
+ }
+
+ // RuleRef contains basic information for the rule.
+ type RuleRef struct {
+ Direction Direction `json:"direction,omitempty" protobuf:"bytes,1,opt,name=direction"`
+ Name string `json:"name,omitempty" protobuf:"bytes,2,opt,name=name"`
+ Action *crdv1beta1.RuleAction `json:"action,omitempty" protobuf:"bytes,3,opt,name=action,casttype=antrea.io/antrea/pkg/apis/security/v1beta1.RuleAction"`
+ }
+
+ // NetworkPolicyAccessResponse is the response of NetworkPolicy access review.
+ type NetworkPolicyAccessResponse struct {
+ // The reference of the effective NetworkPolicy.
+ NetworkPolicy NetworkPolicyReference `json:"sourceRef,omitempty" protobuf:"bytes,1,opt,name=sourceRef"`
+ RuleIndex int32 `json:"ruleIndex,omitempty" protobuf:"varint,2,opt,name=ruleIndex"`
+ // The content of the effective rule.
+ Rule RuleRef `json:"rule,omitempty" protobuf:"bytes,3,opt,name=rule"` +} + type GroupReference struct { // Namespace of the Group. Empty for ClusterGroup. Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"` diff --git a/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go b/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go index 09df61a866c..e8514ec299d 100644 --- a/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go +++ b/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -169,6 +169,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*Entity)(nil), (*controlplane.Entity)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta2_Entity_To_controlplane_Entity(a.(*Entity), b.(*controlplane.Entity), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*controlplane.Entity)(nil), (*Entity)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_controlplane_Entity_To_v1beta2_Entity(a.(*controlplane.Entity), b.(*Entity), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*ExternalEntityReference)(nil), (*controlplane.ExternalEntityReference)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1beta2_ExternalEntityReference_To_controlplane_ExternalEntityReference(a.(*ExternalEntityReference), b.(*controlplane.ExternalEntityReference), scope) }); err != nil { 
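Review bot: The NetworkPolicyAccessResponse field is named `NetworkPolicy` in Go but serialized as `sourceRef` on the wire, and on a response "sourceRef" reads as the source-side Entity of the request rather than the effective policy, which makes the API ambiguous for clients; since wire names are hard to change once the version is served, consider `NetworkPolicy NetworkPolicyReference `json:"networkPolicy,omitempty" protobuf:"bytes,1,opt,name=networkPolicy"`` (with the matching generated.proto line) before this ships. On RuleRef.Action, the casttype points at `antrea.io/antrea/pkg/apis/security/v1beta1.RuleAction` while the Go type is `crdv1beta1.RuleAction` and the generated Unmarshal in this same diff references `antrea_io_antrea_pkg_apis_crd_v1beta1.RuleAction`, so the casttype path looks stale — please confirm it matches the package the field actually uses. Because the review type is `+genclient:nonNamespaced` with `onlyVerbs=create` and the request may name Pods in any Namespace, the RBAC rule on `create` for this resource is the only thing gating who can learn the effective rule between arbitrary workloads; the type comment should say so, e.g. `// Creating a review reveals the effective rule between any two Pods in the cluster, so grant the create verb deliberately.` The handler that validates the request (nil Pod, unknown Namespace) is not part of this diff, so that check is presumed to live elsewhere.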
@@ -299,6 +309,36 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*NetworkPolicyAccessRequest)(nil), (*controlplane.NetworkPolicyAccessRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta2_NetworkPolicyAccessRequest_To_controlplane_NetworkPolicyAccessRequest(a.(*NetworkPolicyAccessRequest), b.(*controlplane.NetworkPolicyAccessRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*controlplane.NetworkPolicyAccessRequest)(nil), (*NetworkPolicyAccessRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_controlplane_NetworkPolicyAccessRequest_To_v1beta2_NetworkPolicyAccessRequest(a.(*controlplane.NetworkPolicyAccessRequest), b.(*NetworkPolicyAccessRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*NetworkPolicyAccessResponse)(nil), (*controlplane.NetworkPolicyAccessResponse)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta2_NetworkPolicyAccessResponse_To_controlplane_NetworkPolicyAccessResponse(a.(*NetworkPolicyAccessResponse), b.(*controlplane.NetworkPolicyAccessResponse), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*controlplane.NetworkPolicyAccessResponse)(nil), (*NetworkPolicyAccessResponse)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_controlplane_NetworkPolicyAccessResponse_To_v1beta2_NetworkPolicyAccessResponse(a.(*controlplane.NetworkPolicyAccessResponse), b.(*NetworkPolicyAccessResponse), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*NetworkPolicyAccessReview)(nil), (*controlplane.NetworkPolicyAccessReview)(nil), func(a, b interface{}, scope conversion.Scope) error { + return 
Convert_v1beta2_NetworkPolicyAccessReview_To_controlplane_NetworkPolicyAccessReview(a.(*NetworkPolicyAccessReview), b.(*controlplane.NetworkPolicyAccessReview), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*controlplane.NetworkPolicyAccessReview)(nil), (*NetworkPolicyAccessReview)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_controlplane_NetworkPolicyAccessReview_To_v1beta2_NetworkPolicyAccessReview(a.(*controlplane.NetworkPolicyAccessReview), b.(*NetworkPolicyAccessReview), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*NetworkPolicyList)(nil), (*controlplane.NetworkPolicyList)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1beta2_NetworkPolicyList_To_controlplane_NetworkPolicyList(a.(*NetworkPolicyList), b.(*controlplane.NetworkPolicyList), scope) }); err != nil { @@ -409,6 +449,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*RuleRef)(nil), (*controlplane.RuleRef)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta2_RuleRef_To_controlplane_RuleRef(a.(*RuleRef), b.(*controlplane.RuleRef), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*controlplane.RuleRef)(nil), (*RuleRef)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_controlplane_RuleRef_To_v1beta2_RuleRef(a.(*controlplane.RuleRef), b.(*RuleRef), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*Service)(nil), (*controlplane.Service)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1beta2_Service_To_controlplane_Service(a.(*Service), b.(*controlplane.Service), scope) }); err != nil { 
@@ -787,6 +837,26 @@ func Convert_controlplane_EgressGroupPatch_To_v1beta2_EgressGroupPatch(in *contr return autoConvert_controlplane_EgressGroupPatch_To_v1beta2_EgressGroupPatch(in, out, s) } +func autoConvert_v1beta2_Entity_To_controlplane_Entity(in *Entity, out *controlplane.Entity, s conversion.Scope) error { + out.Pod = (*controlplane.PodReference)(unsafe.Pointer(in.Pod)) + return nil +} + +// Convert_v1beta2_Entity_To_controlplane_Entity is an autogenerated conversion function. +func Convert_v1beta2_Entity_To_controlplane_Entity(in *Entity, out *controlplane.Entity, s conversion.Scope) error { + return autoConvert_v1beta2_Entity_To_controlplane_Entity(in, out, s) +} + +func autoConvert_controlplane_Entity_To_v1beta2_Entity(in *controlplane.Entity, out *Entity, s conversion.Scope) error { + out.Pod = (*PodReference)(unsafe.Pointer(in.Pod)) + return nil +} + +// Convert_controlplane_Entity_To_v1beta2_Entity is an autogenerated conversion function. +func Convert_controlplane_Entity_To_v1beta2_Entity(in *controlplane.Entity, out *Entity, s conversion.Scope) error { + return autoConvert_controlplane_Entity_To_v1beta2_Entity(in, out, s) +} + func autoConvert_v1beta2_ExternalEntityReference_To_controlplane_ExternalEntityReference(in *ExternalEntityReference, out *controlplane.ExternalEntityReference, s conversion.Scope) error { out.Name = in.Name out.Namespace = in.Namespace 
@@ -1127,6 +1197,90 @@ func Convert_controlplane_NetworkPolicy_To_v1beta2_NetworkPolicy(in *controlplan return autoConvert_controlplane_NetworkPolicy_To_v1beta2_NetworkPolicy(in, out, s) } +func autoConvert_v1beta2_NetworkPolicyAccessRequest_To_controlplane_NetworkPolicyAccessRequest(in *NetworkPolicyAccessRequest, out *controlplane.NetworkPolicyAccessRequest, s conversion.Scope) error { + if err := Convert_v1beta2_Entity_To_controlplane_Entity(&in.Source, &out.Source, s); err != nil { + return err + } + if err := Convert_v1beta2_Entity_To_controlplane_Entity(&in.Destination, &out.Destination, s); err != nil { + return err + } + return nil +} + +// Convert_v1beta2_NetworkPolicyAccessRequest_To_controlplane_NetworkPolicyAccessRequest is an autogenerated conversion function. +func Convert_v1beta2_NetworkPolicyAccessRequest_To_controlplane_NetworkPolicyAccessRequest(in *NetworkPolicyAccessRequest, out *controlplane.NetworkPolicyAccessRequest, s conversion.Scope) error { + return autoConvert_v1beta2_NetworkPolicyAccessRequest_To_controlplane_NetworkPolicyAccessRequest(in, out, s) +} + +func autoConvert_controlplane_NetworkPolicyAccessRequest_To_v1beta2_NetworkPolicyAccessRequest(in *controlplane.NetworkPolicyAccessRequest, out *NetworkPolicyAccessRequest, s conversion.Scope) error { + if err := Convert_controlplane_Entity_To_v1beta2_Entity(&in.Source, &out.Source, s); err != nil { + return err + } + if err := Convert_controlplane_Entity_To_v1beta2_Entity(&in.Destination, &out.Destination, s); err != nil { + return err + } + return nil +} + +// Convert_controlplane_NetworkPolicyAccessRequest_To_v1beta2_NetworkPolicyAccessRequest is an autogenerated conversion function. 
+func Convert_controlplane_NetworkPolicyAccessRequest_To_v1beta2_NetworkPolicyAccessRequest(in *controlplane.NetworkPolicyAccessRequest, out *NetworkPolicyAccessRequest, s conversion.Scope) error { + return autoConvert_controlplane_NetworkPolicyAccessRequest_To_v1beta2_NetworkPolicyAccessRequest(in, out, s) +} + +func autoConvert_v1beta2_NetworkPolicyAccessResponse_To_controlplane_NetworkPolicyAccessResponse(in *NetworkPolicyAccessResponse, out *controlplane.NetworkPolicyAccessResponse, s conversion.Scope) error { + if err := Convert_v1beta2_NetworkPolicyReference_To_controlplane_NetworkPolicyReference(&in.NetworkPolicy, &out.NetworkPolicy, s); err != nil { + return err + } + out.RuleIndex = in.RuleIndex + if err := Convert_v1beta2_RuleRef_To_controlplane_RuleRef(&in.Rule, &out.Rule, s); err != nil { + return err + } + return nil +} + +// Convert_v1beta2_NetworkPolicyAccessResponse_To_controlplane_NetworkPolicyAccessResponse is an autogenerated conversion function. +func Convert_v1beta2_NetworkPolicyAccessResponse_To_controlplane_NetworkPolicyAccessResponse(in *NetworkPolicyAccessResponse, out *controlplane.NetworkPolicyAccessResponse, s conversion.Scope) error { + return autoConvert_v1beta2_NetworkPolicyAccessResponse_To_controlplane_NetworkPolicyAccessResponse(in, out, s) +} + +func autoConvert_controlplane_NetworkPolicyAccessResponse_To_v1beta2_NetworkPolicyAccessResponse(in *controlplane.NetworkPolicyAccessResponse, out *NetworkPolicyAccessResponse, s conversion.Scope) error { + if err := Convert_controlplane_NetworkPolicyReference_To_v1beta2_NetworkPolicyReference(&in.NetworkPolicy, &out.NetworkPolicy, s); err != nil { + return err + } + out.RuleIndex = in.RuleIndex + if err := Convert_controlplane_RuleRef_To_v1beta2_RuleRef(&in.Rule, &out.Rule, s); err != nil { + return err + } + return nil +} + +// Convert_controlplane_NetworkPolicyAccessResponse_To_v1beta2_NetworkPolicyAccessResponse is an autogenerated conversion function. 
+func Convert_controlplane_NetworkPolicyAccessResponse_To_v1beta2_NetworkPolicyAccessResponse(in *controlplane.NetworkPolicyAccessResponse, out *NetworkPolicyAccessResponse, s conversion.Scope) error { + return autoConvert_controlplane_NetworkPolicyAccessResponse_To_v1beta2_NetworkPolicyAccessResponse(in, out, s) +} + +func autoConvert_v1beta2_NetworkPolicyAccessReview_To_controlplane_NetworkPolicyAccessReview(in *NetworkPolicyAccessReview, out *controlplane.NetworkPolicyAccessReview, s conversion.Scope) error { + out.Request = (*controlplane.NetworkPolicyAccessRequest)(unsafe.Pointer(in.Request)) + out.Response = (*controlplane.NetworkPolicyAccessResponse)(unsafe.Pointer(in.Response)) + return nil +} + +// Convert_v1beta2_NetworkPolicyAccessReview_To_controlplane_NetworkPolicyAccessReview is an autogenerated conversion function. +func Convert_v1beta2_NetworkPolicyAccessReview_To_controlplane_NetworkPolicyAccessReview(in *NetworkPolicyAccessReview, out *controlplane.NetworkPolicyAccessReview, s conversion.Scope) error { + return autoConvert_v1beta2_NetworkPolicyAccessReview_To_controlplane_NetworkPolicyAccessReview(in, out, s) +} + +func autoConvert_controlplane_NetworkPolicyAccessReview_To_v1beta2_NetworkPolicyAccessReview(in *controlplane.NetworkPolicyAccessReview, out *NetworkPolicyAccessReview, s conversion.Scope) error { + out.Request = (*NetworkPolicyAccessRequest)(unsafe.Pointer(in.Request)) + out.Response = (*NetworkPolicyAccessResponse)(unsafe.Pointer(in.Response)) + return nil +} + +// Convert_controlplane_NetworkPolicyAccessReview_To_v1beta2_NetworkPolicyAccessReview is an autogenerated conversion function. 
+func Convert_controlplane_NetworkPolicyAccessReview_To_v1beta2_NetworkPolicyAccessReview(in *controlplane.NetworkPolicyAccessReview, out *NetworkPolicyAccessReview, s conversion.Scope) error { + return autoConvert_controlplane_NetworkPolicyAccessReview_To_v1beta2_NetworkPolicyAccessReview(in, out, s) +} + func autoConvert_v1beta2_NetworkPolicyList_To_controlplane_NetworkPolicyList(in *NetworkPolicyList, out *controlplane.NetworkPolicyList, s conversion.Scope) error { out.ListMeta = in.ListMeta if in.Items != nil { 
@@ -1484,6 +1638,30 @@ func Convert_controlplane_PodReference_To_v1beta2_PodReference(in *controlplane. return autoConvert_controlplane_PodReference_To_v1beta2_PodReference(in, out, s) } +func autoConvert_v1beta2_RuleRef_To_controlplane_RuleRef(in *RuleRef, out *controlplane.RuleRef, s conversion.Scope) error { + out.Direction = controlplane.Direction(in.Direction) + out.Name = in.Name + out.Action = (*v1beta1.RuleAction)(unsafe.Pointer(in.Action)) + return nil +} + +// Convert_v1beta2_RuleRef_To_controlplane_RuleRef is an autogenerated conversion function. +func Convert_v1beta2_RuleRef_To_controlplane_RuleRef(in *RuleRef, out *controlplane.RuleRef, s conversion.Scope) error { + return autoConvert_v1beta2_RuleRef_To_controlplane_RuleRef(in, out, s) +} + +func autoConvert_controlplane_RuleRef_To_v1beta2_RuleRef(in *controlplane.RuleRef, out *RuleRef, s conversion.Scope) error { + out.Direction = Direction(in.Direction) + out.Name = in.Name + out.Action = (*v1beta1.RuleAction)(unsafe.Pointer(in.Action)) + return nil +} + +// Convert_controlplane_RuleRef_To_v1beta2_RuleRef is an autogenerated conversion function. +func Convert_controlplane_RuleRef_To_v1beta2_RuleRef(in *controlplane.RuleRef, out *RuleRef, s conversion.Scope) error { + return autoConvert_controlplane_RuleRef_To_v1beta2_RuleRef(in, out, s) +} + func autoConvert_v1beta2_Service_To_controlplane_Service(in *Service, out *controlplane.Service, s conversion.Scope) error { out.Protocol = (*controlplane.Protocol)(unsafe.Pointer(in.Protocol)) out.Port = (*intstr.IntOrString)(unsafe.Pointer(in.Port)) diff --git a/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go b/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go index 86e63a1a0db..ed20bd6147b 100644 --- a/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go +++ b/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go 
@@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -437,6 +437,27 @@ func (in *EgressGroupPatch) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Entity) DeepCopyInto(out *Entity) { + *out = *in + if in.Pod != nil { + in, out := &in.Pod, &out.Pod + *out = new(PodReference) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Entity. +func (in *Entity) DeepCopy() *Entity { + if in == nil { + return nil + } + out := new(Entity) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExternalEntityReference) DeepCopyInto(out *ExternalEntityReference) { *out = *in 
@@ -820,6 +841,77 @@ func (in *NetworkPolicy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyAccessRequest) DeepCopyInto(out *NetworkPolicyAccessRequest) { + *out = *in + in.Source.DeepCopyInto(&out.Source) + in.Destination.DeepCopyInto(&out.Destination) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyAccessRequest. +func (in *NetworkPolicyAccessRequest) DeepCopy() *NetworkPolicyAccessRequest { + if in == nil { + return nil + } + out := new(NetworkPolicyAccessRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyAccessResponse) DeepCopyInto(out *NetworkPolicyAccessResponse) { + *out = *in + out.NetworkPolicy = in.NetworkPolicy + in.Rule.DeepCopyInto(&out.Rule) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyAccessResponse. +func (in *NetworkPolicyAccessResponse) DeepCopy() *NetworkPolicyAccessResponse { + if in == nil { + return nil + } + out := new(NetworkPolicyAccessResponse) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyAccessReview) DeepCopyInto(out *NetworkPolicyAccessReview) { + *out = *in + out.TypeMeta = in.TypeMeta + if in.Request != nil { + in, out := &in.Request, &out.Request + *out = new(NetworkPolicyAccessRequest) + (*in).DeepCopyInto(*out) + } + if in.Response != nil { + in, out := &in.Response, &out.Response + *out = new(NetworkPolicyAccessResponse) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyAccessReview. 
+func (in *NetworkPolicyAccessReview) DeepCopy() *NetworkPolicyAccessReview { + if in == nil { + return nil + } + out := new(NetworkPolicyAccessReview) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *NetworkPolicyAccessReview) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NetworkPolicyList) DeepCopyInto(out *NetworkPolicyList) { *out = *in @@ -1135,6 +1227,27 @@ func (in *PodReference) DeepCopy() *PodReference { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RuleRef) DeepCopyInto(out *RuleRef) { + *out = *in + if in.Action != nil { + in, out := &in.Action, &out.Action + *out = new(v1beta1.RuleAction) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleRef. +func (in *RuleRef) DeepCopy() *RuleRef { + if in == nil { + return nil + } + out := new(RuleRef) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Service) DeepCopyInto(out *Service) { *out = *in diff --git a/pkg/apis/controlplane/zz_generated.deepcopy.go b/pkg/apis/controlplane/zz_generated.deepcopy.go index c95c736789c..7b6a2694537 100644 --- a/pkg/apis/controlplane/zz_generated.deepcopy.go +++ b/pkg/apis/controlplane/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -437,6 +437,27 @@ func (in *EgressGroupPatch) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Entity) DeepCopyInto(out *Entity) { + *out = *in + if in.Pod != nil { + in, out := &in.Pod, &out.Pod + *out = new(PodReference) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Entity. +func (in *Entity) DeepCopy() *Entity { + if in == nil { + return nil + } + out := new(Entity) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExternalEntityReference) DeepCopyInto(out *ExternalEntityReference) { *out = *in 
@@ -820,6 +841,77 @@ func (in *NetworkPolicy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyAccessRequest) DeepCopyInto(out *NetworkPolicyAccessRequest) { + *out = *in + in.Source.DeepCopyInto(&out.Source) + in.Destination.DeepCopyInto(&out.Destination) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyAccessRequest. +func (in *NetworkPolicyAccessRequest) DeepCopy() *NetworkPolicyAccessRequest { + if in == nil { + return nil + } + out := new(NetworkPolicyAccessRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyAccessResponse) DeepCopyInto(out *NetworkPolicyAccessResponse) { + *out = *in + out.NetworkPolicy = in.NetworkPolicy + in.Rule.DeepCopyInto(&out.Rule) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyAccessResponse. +func (in *NetworkPolicyAccessResponse) DeepCopy() *NetworkPolicyAccessResponse { + if in == nil { + return nil + } + out := new(NetworkPolicyAccessResponse) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyAccessReview) DeepCopyInto(out *NetworkPolicyAccessReview) { + *out = *in + out.TypeMeta = in.TypeMeta + if in.Request != nil { + in, out := &in.Request, &out.Request + *out = new(NetworkPolicyAccessRequest) + (*in).DeepCopyInto(*out) + } + if in.Response != nil { + in, out := &in.Response, &out.Response + *out = new(NetworkPolicyAccessResponse) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyAccessReview. 
+func (in *NetworkPolicyAccessReview) DeepCopy() *NetworkPolicyAccessReview { + if in == nil { + return nil + } + out := new(NetworkPolicyAccessReview) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *NetworkPolicyAccessReview) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NetworkPolicyList) DeepCopyInto(out *NetworkPolicyList) { *out = *in @@ -1135,6 +1227,27 @@ func (in *PodReference) DeepCopy() *PodReference { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RuleRef) DeepCopyInto(out *RuleRef) { + *out = *in + if in.Action != nil { + in, out := &in.Action, &out.Action + *out = new(v1beta1.RuleAction) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleRef. +func (in *RuleRef) DeepCopy() *RuleRef { + if in == nil { + return nil + } + out := new(RuleRef) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Service) DeepCopyInto(out *Service) { *out = *in diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go index 3de181e9589..4383ed36a86 100644 --- a/pkg/apiserver/apiserver.go +++ b/pkg/apiserver/apiserver.go 
@@ -41,7 +41,6 @@ import ( "antrea.io/antrea/pkg/apiserver/handlers/endpoint" "antrea.io/antrea/pkg/apiserver/handlers/featuregates" "antrea.io/antrea/pkg/apiserver/handlers/loglevel" - "antrea.io/antrea/pkg/apiserver/handlers/networkpolicyanalysis" "antrea.io/antrea/pkg/apiserver/handlers/webhook" "antrea.io/antrea/pkg/apiserver/registry/controlplane/egressgroup" "antrea.io/antrea/pkg/apiserver/registry/controlplane/nodestatssummary" @@ -53,6 +52,7 @@ import ( "antrea.io/antrea/pkg/apiserver/registry/networkpolicy/groupmember" "antrea.io/antrea/pkg/apiserver/registry/networkpolicy/ipgroupassociation" "antrea.io/antrea/pkg/apiserver/registry/networkpolicy/networkpolicy" + "antrea.io/antrea/pkg/apiserver/registry/networkpolicy/networkpolicyaccessreview" "antrea.io/antrea/pkg/apiserver/registry/stats/antreaclusternetworkpolicystats" "antrea.io/antrea/pkg/apiserver/registry/stats/antreanetworkpolicystats" "antrea.io/antrea/pkg/apiserver/registry/stats/multicastgroup" @@ -197,6 +197,7 @@ func installAPIGroup(s *APIServer, c completedConfig) error { appliedToGroupStorage := appliedtogroup.NewREST(c.extraConfig.appliedToGroupStore) networkPolicyStorage := networkpolicy.NewREST(c.extraConfig.networkPolicyStore) networkPolicyStatusStorage := networkpolicy.NewStatusREST(c.extraConfig.networkPolicyStatusController) + networkPolicyAccessReviewStorage := networkpolicyaccessreview.NewREST(controllernetworkpolicy.NewPolicyRuleQuerier(c.extraConfig.endpointQuerier)) clusterGroupMembershipStorage := clustergroupmember.NewREST(c.extraConfig.networkPolicyController) groupMembershipStorage := groupmember.NewREST(c.extraConfig.networkPolicyController) groupAssociationStorage := groupassociation.NewREST(c.extraConfig.networkPolicyController) 
@@ -211,6 +212,7 @@ func installAPIGroup(s *APIServer, c completedConfig) error { cpv1beta2Storage["appliedtogroups"] = appliedToGroupStorage cpv1beta2Storage["networkpolicies"] = networkPolicyStorage cpv1beta2Storage["networkpolicies/status"] = networkPolicyStatusStorage + cpv1beta2Storage["networkpolicyaccessreview"] = networkPolicyAccessReviewStorage cpv1beta2Storage["nodestatssummaries"] = nodeStatsSummaryStorage cpv1beta2Storage["groupassociations"] = groupAssociationStorage cpv1beta2Storage["ipgroupassociations"] = ipGroupAssociationStorage @@ -296,7 +298,6 @@ func installHandlers(c *ExtraConfig, s *genericapiserver.GenericAPIServer) { s.Handler.NonGoRestfulMux.HandleFunc("/loglevel", loglevel.HandleFunc()) s.Handler.NonGoRestfulMux.HandleFunc("/featuregates", featuregates.HandleFunc(c.k8sClient)) s.Handler.NonGoRestfulMux.HandleFunc("/endpoint", endpoint.HandleFunc(c.endpointQuerier)) - s.Handler.NonGoRestfulMux.HandleFunc("/networkpolicyanalysis", networkpolicyanalysis.HandleFunc(c.endpointQuerier)) // Webhook to mutate Namespace labels and add its metadata.name as a label s.Handler.NonGoRestfulMux.HandleFunc("/mutate/namespace", webhook.HandleMutationLabels()) if features.DefaultFeatureGate.Enabled(features.AntreaPolicy) { diff --git a/pkg/apiserver/handlers/endpoint/handler.go b/pkg/apiserver/handlers/endpoint/handler.go index 976e50f193e..cc62e395825 100644 --- a/pkg/apiserver/handlers/endpoint/handler.go +++ b/pkg/apiserver/handlers/endpoint/handler.go @@ -18,10 +18,7 @@ import ( "encoding/json" "net/http" - "k8s.io/apimachinery/pkg/types" - "antrea.io/antrea/pkg/apis/controlplane" - cpv1beta "antrea.io/antrea/pkg/apis/controlplane/v1beta2" "antrea.io/antrea/pkg/controller/networkpolicy" ) 
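Review bot: The key `cpv1beta2Storage["networkpolicyaccessreview"]` added in this hunk is singular while every other key in the map (`networkpolicies`, `nodestatssummaries`, `groupassociations`) is plural, and review-style Kubernetes resources are plural too (`subjectaccessreviews`); this string is what RBAC rules and client paths must match, so a name that differs from what the generated client expects silently fails authorization. Suggest `cpv1beta2Storage["networkpolicyaccessreviews"] = networkPolicyAccessReviewStorage`, with the registry and genclient names checked for the same spelling. The second hunk on this line removes the `/networkpolicyanalysis` HandleFunc, which moves the query from a non-resource URL to a create-only resource, so any ClusterRole that granted `nonResourceURLs` for the old path needs a `create` rule on the new resource instead; that manifest change is not visible in this commit. installAPIGroup and installHandlers both extend outside these hunks.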
@@ -30,28 +27,17 @@ type EndpointQueryResponse struct { Endpoints []Endpoint `json:"endpoints,omitempty"` } -type Endpoint struct { - Namespace string `json:"namespace,omitempty"` - Name string `json:"name,omitempty"` - Policies []Policy `json:"policies,omitempty"` - Rules []Rule `json:"rules,omitempty"` -} - -type PolicyRef struct { - Type controlplane.NetworkPolicyType `json:"type,omitempty"` - Namespace string `json:"namespace,omitempty"` - Name string `json:"name,omitempty"` - UID types.UID `json:"uid,omitempty"` -} - -type Policy struct { - PolicyRef +type Rule struct { + PolicyRef controlplane.NetworkPolicyReference + Direction controlplane.Direction + RuleIndex int } -type Rule struct { - PolicyRef - Direction cpv1beta.Direction `json:"direction,omitempty"` - RuleIndex int `json:"ruleindex,omitempty"` +type Endpoint struct { + Namespace string `json:"namespace,omitempty"` + Name string `json:"name,omitempty"` + Policies []controlplane.NetworkPolicyReference `json:"policies,omitempty"` + Rules []Rule `json:"rules,omitempty"` } // HandleFunc creates a http.HandlerFunc which uses an AgentNetworkPolicyInfoQuerier @@ -60,9 +46,6 @@ func HandleFunc(eq networkpolicy.EndpointQuerier) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { podName := r.URL.Query().Get("pod") namespace := r.URL.Query().Get("namespace") - if namespace == "" { - namespace = "default" - } // check for incomplete arguments if podName == "" { http.Error(w, "pod must be provided", http.StatusBadRequest) 
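Review bot: The rewritten `Rule` struct in the first hunk on this line drops the json tags its predecessor had and turns `PolicyRef` from an embedded into a named field, so the `/endpoint` response changes from flattened `name`/`namespace`/`direction`/`ruleindex` keys to `PolicyRef`/`Direction`/`RuleIndex` objects; that is a wire-format break for existing callers that the commit does not mention. If the new shape is intended, tag it explicitly, e.g. `PolicyRef controlplane.NetworkPolicyReference` with `json:"policyRef,omitempty"`, so the contract is deliberate; the handler_test.go changes further down decode into the same struct and therefore cannot catch the change. The second hunk removes the `namespace = "default"` fallback in HandleFunc without a replacement, so an unqualified `?pod=NAME` now reaches `eq` with an empty Namespace; unless the querier documents that it treats "" as `default` (not visible here), keep the fallback or reject an empty namespace with 400 the way an empty pod already is. HandleFunc continues outside these hunks.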
@@ -80,30 +63,18 @@ func HandleFunc(eq networkpolicy.EndpointQuerier) http.HandlerFunc { } // make response policies - responsePolicies := make([]Policy, 0) + responsePolicies := make([]controlplane.NetworkPolicyReference, 0) for _, internalPolicy := range endpointNetworkPolicyRules.AppliedPolicies { - responsePolicy := Policy{ - PolicyRef: PolicyRef{ - Type: internalPolicy.SourceRef.Type, - Namespace: internalPolicy.SourceRef.Namespace, - Name: internalPolicy.SourceRef.Name, - UID: internalPolicy.SourceRef.UID, - }, - } + responsePolicy := *internalPolicy.SourceRef responsePolicies = append(responsePolicies, responsePolicy) } responseRules := make([]Rule, 0) // create rules based on egress and ingress policies - for _, internalPolicy := range append(endpointNetworkPolicyRules.EgressRules, endpointNetworkPolicyRules.IngressRules...) { + for _, rule := range append(endpointNetworkPolicyRules.EgressRules, endpointNetworkPolicyRules.IngressRules...) { newRule := Rule{ - PolicyRef: PolicyRef{ - Type: internalPolicy.Policy.SourceRef.Type, - Namespace: internalPolicy.Policy.SourceRef.Namespace, - Name: internalPolicy.Policy.SourceRef.Name, - UID: internalPolicy.Policy.SourceRef.UID, - }, - Direction: internalPolicy.Direction, - RuleIndex: internalPolicy.Index, + PolicyRef: *rule.Policy.SourceRef, + Direction: rule.Rule.Direction, + RuleIndex: rule.Index, } responseRules = append(responseRules, newRule) } diff --git a/pkg/apiserver/handlers/endpoint/handler_test.go b/pkg/apiserver/handlers/endpoint/handler_test.go index b60c97a5b8e..34092aaba27 100644 --- a/pkg/apiserver/handlers/endpoint/handler_test.go +++ b/pkg/apiserver/handlers/endpoint/handler_test.go @@ -24,7 +24,6 @@ import ( "go.uber.org/mock/gomock" "antrea.io/antrea/pkg/apis/controlplane" - "antrea.io/antrea/pkg/apis/controlplane/v1beta2" "antrea.io/antrea/pkg/controller/networkpolicy" queriermock "antrea.io/antrea/pkg/controller/networkpolicy/testing" "antrea.io/antrea/pkg/controller/types" 
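Review bot: `Direction: rule.Rule.Direction` in the rules loop of this hunk dereferences `rule.Rule` with no nil check, whereas the replaced code read `internalPolicy.Direction` directly off the rule info; a RuleInfo whose `Rule` pointer is unset would now panic inside the request handler. If the querier guarantees `Rule` is always populated, a comment on the loop stating that would do; otherwise guard it with `if rule.Rule == nil { continue }` before building `newRule`. `*rule.Policy.SourceRef` carries the same assumption for `Policy` and `SourceRef`, though the previous code already relied on it. HandleFunc starts before this hunk.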
@@ -100,11 +99,11 @@ func TestSinglePolicyResponse(t *testing.T) { expectedStatus: http.StatusOK, expectedResponse: &EndpointQueryResponse{Endpoints: []Endpoint{ { - Policies: []Policy{ - {PolicyRef: PolicyRef{Name: "policy1"}}, + Policies: []controlplane.NetworkPolicyReference{ + {Name: "policy1"}, }, Rules: []Rule{ - {PolicyRef: PolicyRef{Name: "policy2"}}, + {PolicyRef: controlplane.NetworkPolicyReference{Name: "policy2"}}, }, }, }, @@ -119,8 +118,10 @@ func TestSinglePolicyResponse(t *testing.T) { Policy: &types.NetworkPolicy{ SourceRef: &controlplane.NetworkPolicyReference{Name: "policy2"}, }, - Index: 0, - Direction: v1beta2.DirectionIn, + Index: 0, + Rule: &controlplane.NetworkPolicyRule{ + Direction: controlplane.DirectionIn, + }, }, }, }, @@ -144,9 +145,8 @@ func TestMultiPolicyResponse(t *testing.T) { expectedStatus: http.StatusOK, expectedResponse: &EndpointQueryResponse{Endpoints: []Endpoint{ { - Policies: []Policy{ - {PolicyRef: PolicyRef{Name: "policy1"}}, - {PolicyRef: PolicyRef{Name: "policy2"}}, + Policies: []controlplane.NetworkPolicyReference{ + {Name: "policy1"}, {Name: "policy2"}, }, }, }, @@ -191,7 +191,7 @@ func evaluateTestCases(testCases map[string]TestCase, mockCtrl *gomock.Controlle assert.Equal(t, policy.Name, received.Endpoints[0].Policies[i].Name) } for i, rule := range tc.expectedResponse.Endpoints[0].Rules { - assert.Equal(t, rule.PolicyRef.Name, received.Endpoints[0].Rules[i].Name) + assert.Equal(t, rule.PolicyRef.Name, received.Endpoints[0].Rules[i].PolicyRef.Name) } } } diff --git a/pkg/apiserver/handlers/networkpolicyanalysis/handler.go b/pkg/apiserver/handlers/networkpolicyanalysis/handler.go deleted file mode 100644 index 067feea6695..00000000000 --- a/pkg/apiserver/handlers/networkpolicyanalysis/handler.go +++ /dev/null 
@@ -1,249 +0,0 @@ -// Copyright 2023 Antrea Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package networkpolicyanalysis - -import ( - "encoding/json" - "net/http" - "sort" - "strings" - - "k8s.io/apimachinery/pkg/types" - "k8s.io/apimachinery/pkg/util/sets" - - "antrea.io/antrea/pkg/apis/controlplane" - "antrea.io/antrea/pkg/apis/controlplane/v1beta2" - "antrea.io/antrea/pkg/apis/crd/v1beta1" - "antrea.io/antrea/pkg/apiserver/handlers/endpoint" - "antrea.io/antrea/pkg/controller/networkpolicy" -) - -type lessFunc func(p1, p2 *networkpolicy.RuleInfo) int - -// multiSorter implements the Sort interface, sorting the rules within. -type multiSorter struct { - rules []*networkpolicy.RuleInfo - less []lessFunc -} - -// Sort sorts the argument slice according to the less functions passed to OrderedBy. -func (ms *multiSorter) Sort(rules []*networkpolicy.RuleInfo) { - ms.rules = rules - sort.Sort(ms) -} - -// OrderedBy returns a Sorter that sorts using the less functions, in order. -// Call its Sort method to sort the data. -func OrderedBy(less ...lessFunc) *multiSorter { - return &multiSorter{ - less: less, - } -} - -func (ms *multiSorter) Len() int { - return len(ms.rules) -} - -func (ms *multiSorter) Swap(i, j int) { - ms.rules[i], ms.rules[j] = ms.rules[j], ms.rules[i] -} - -func (ms *multiSorter) Less(i, j int) bool { - p, q := ms.rules[i], ms.rules[j] - // Try all but the last comparison. 
- var k int - for k = 0; k < len(ms.less)-1; k++ { - less := ms.less[k] - switch less(p, q) { - case 1: - // p < q - return true - case -1: - // p > q - return false - } - // p == q; try the next comparison. - } - return ms.less[k](p, q) == 1 -} - -// parsePeer parses Namespace/Pod name, empty string is returned if the argument is not of a -// valid Namespace/Pod reference (missing pod name or invalid format). Namespace will be set -// as default if missing, string without separator will be considered as pod name. -func parsePeer(str string) (string, string) { - parts := strings.Split(str, "/") - ns, pod := "", "" - if len(parts) == 1 { - ns, pod = "default", parts[0] - } else if len(parts) == 2 { - ns, pod = parts[0], parts[1] - } - return ns, pod -} - -// processQueryResults processes the AppliedPolicies in endpoints, returns a set -// of the policy UIDs, and manually inserts Kubernetes NetworkPolicy default isolation -// rules if exists. The default isolation rule's direction depends on ifSource, -// and has the index of -1 to indicate lower precedence. 
-func processQueryResults(endpoints *networkpolicy.EndpointNetworkPolicyRules, ifSource bool) (sets.Set[types.UID], []*networkpolicy.RuleInfo) { - policyUIDs := sets.New[types.UID]() - isolation := make([]*networkpolicy.RuleInfo, 0) - for _, internalPolicy := range endpoints.AppliedPolicies { - policyUIDs.Insert(internalPolicy.SourceRef.UID) - if internalPolicy.SourceRef.Type == controlplane.K8sNetworkPolicy { - // check if the Kubernetes NetworkPolicy creates ingress or egress isolation - for _, rule := range internalPolicy.Rules { - if rule.Direction == controlplane.DirectionIn && !ifSource { - isolation = append(isolation, &networkpolicy.RuleInfo{Policy: internalPolicy, Index: -1, Direction: v1beta2.DirectionIn}) - } else if rule.Direction == controlplane.DirectionOut && ifSource { - isolation = append(isolation, &networkpolicy.RuleInfo{Policy: internalPolicy, Index: -1, Direction: v1beta2.DirectionOut}) - } - } - } - } - return policyUIDs, isolation -} - -// predictEndpointsRules returns the predicted rules effective from srcEndpoints to dstEndpoints. -// Rules returned satisfy a. in source applied policies and destination egress rules, -// or b. in source ingress rules and destination applied policies or c. applied to KNP default isolation. 
-func predictEndpointsRules(srcEndpoints, dstEndpoints *networkpolicy.EndpointNetworkPolicyRules) *endpoint.Rule { - commonRules := make([]*networkpolicy.RuleInfo, 0) - if srcEndpoints != nil && dstEndpoints != nil { - srcPolicies, srcIsolated := processQueryResults(srcEndpoints, true) - dstPolicies, dstIsolated := processQueryResults(dstEndpoints, false) - for _, rule := range dstEndpoints.EgressRules { - if srcPolicies.Has(rule.Policy.SourceRef.UID) { - commonRules = append(commonRules, rule) - } - } - for _, rule := range srcEndpoints.IngressRules { - if dstPolicies.Has(rule.Policy.SourceRef.UID) { - commonRules = append(commonRules, rule) - } - } - for _, defaultDropRule := range srcIsolated { - commonRules = append(commonRules, defaultDropRule) - } - for _, defaultDropRule := range dstIsolated { - commonRules = append(commonRules, defaultDropRule) - } - } - // if no common rule or default isolation is found, return empty result - if len(commonRules) == 0 { - return &endpoint.Rule{} - } - // sort the common rules based on multiple closures, the top rule has the highest precedence - passRule := func(r1, r2 *networkpolicy.RuleInfo) int { - if r2.Policy.SourceRef.Type != controlplane.K8sNetworkPolicy && r2.Policy.Rules[r2.Index].Action != nil && *r2.Policy.Rules[r2.Index].Action == v1beta1.RuleActionPass { - return 1 - } - return 0 - } - tierPriority := func(r1, r2 *networkpolicy.RuleInfo) int { - effectiveTierPriorityK8sNP := (networkpolicy.DefaultTierPriority + networkpolicy.BaselineTierPriority) / 2 - r1Priority, r2Priority := effectiveTierPriorityK8sNP, effectiveTierPriorityK8sNP - if r1.Policy.TierPriority != nil { - r1Priority = *r1.Policy.TierPriority - } - if r2.Policy.TierPriority != nil { - r2Priority = *r2.Policy.TierPriority - } - if r1Priority < r2Priority { - return 1 - } else if r1Priority > r2Priority { - return -1 - } - return 0 - } - policyPriority := func(r1, r2 *networkpolicy.RuleInfo) int { - if r1.Policy.Priority != nil && r2.Policy.Priority 
!= nil { - if *r1.Policy.Priority < *r2.Policy.Priority { - return 1 - } else if *r1.Policy.Priority > *r2.Policy.Priority { - return -1 - } - } - return 0 - } - rulePriority := func(r1, r2 *networkpolicy.RuleInfo) int { - // Kubernetes NetworkPolicies rules have the same default priorities, so rule index is hacked for comparison - // "-1" indicates default isolation, which has a lower precedence than KNP policy rules with ">=0" rule indexes - if r1.Policy.SourceRef.Type == controlplane.K8sNetworkPolicy && r2.Policy.SourceRef.Type == controlplane.K8sNetworkPolicy { - if r1.Index > r2.Index { - return 1 - } else if r1.Index < r2.Index { - return -1 - } - } else { - if r1.Index < r2.Index { - return 1 - } else if r1.Index > r2.Index { - return -1 - } - } - return 0 - } - defaultOrder := func(r1, r2 *networkpolicy.RuleInfo) int { - if r1.Policy.Name < r2.Policy.Name { - return 1 - } - return 0 - } - OrderedBy(passRule, tierPriority, policyPriority, rulePriority, defaultOrder).Sort(commonRules) - return &endpoint.Rule{ - PolicyRef: endpoint.PolicyRef{ - Type: commonRules[0].Policy.SourceRef.Type, - Namespace: commonRules[0].Policy.SourceRef.Namespace, - Name: commonRules[0].Policy.SourceRef.Name, - UID: commonRules[0].Policy.SourceRef.UID, - }, - Direction: commonRules[0].Direction, - RuleIndex: commonRules[0].Index, - } -} - -// HandleFunc creates a http.HandlerFunc which uses an AgentNetworkPolicyInfoQuerier -// to query network policy rules in current agent. 
-func HandleFunc(eq networkpolicy.EndpointQuerier) http.HandlerFunc { - return func(w http.ResponseWriter, r *http.Request) { - src := r.URL.Query().Get("source") - dst := r.URL.Query().Get("destination") - - var srcNS, srcPod, dstNS, dstPod string - srcNS, srcPod = parsePeer(src) - dstNS, dstPod = parsePeer(dst) - if srcPod == "" || dstPod == "" { - http.Error(w, "invalid command argument format", http.StatusBadRequest) - return - } - - // query endpoints and handle response errors - endpointAnalysisSource, err := eq.QueryNetworkPolicyRules(srcNS, srcPod) - if err != nil { - http.Error(w, err.Error(), http.StatusInternalServerError) - return - } - endpointAnalysisDestination, err := eq.QueryNetworkPolicyRules(dstNS, dstPod) - if err != nil { - http.Error(w, err.Error(), http.StatusInternalServerError) - return - } - endpointAnalysisRule := predictEndpointsRules(endpointAnalysisSource, endpointAnalysisDestination) - if err := json.NewEncoder(w).Encode(endpointAnalysisRule); err != nil { - http.Error(w, "failed to encode response: "+err.Error(), http.StatusInternalServerError) - } - } -} diff --git a/pkg/apiserver/handlers/networkpolicyanalysis/handler_test.go b/pkg/apiserver/handlers/networkpolicyanalysis/handler_test.go deleted file mode 100644 index 9563391924f..00000000000 --- a/pkg/apiserver/handlers/networkpolicyanalysis/handler_test.go +++ /dev/null 
@@ -1,322 +0,0 @@ -// Copyright 2023 Antrea Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package networkpolicyanalysis - -import ( - "encoding/json" - "fmt" - "net/http" - "net/http/httptest" - "testing" - - "github.com/stretchr/testify/assert" - "go.uber.org/mock/gomock" - "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/types" - - "antrea.io/antrea/pkg/apis/controlplane" - "antrea.io/antrea/pkg/apis/controlplane/v1beta2" - "antrea.io/antrea/pkg/apis/crd/v1beta1" - "antrea.io/antrea/pkg/apiserver/handlers/endpoint" - "antrea.io/antrea/pkg/controller/networkpolicy" - queriermock "antrea.io/antrea/pkg/controller/networkpolicy/testing" - antreatypes "antrea.io/antrea/pkg/controller/types" -) - -type TestCase struct { - name string - handlerRequest string - argsMock []string - mockQueryResponse []mockResponse - - expectedStatus int - expectedResult *endpoint.Rule -} - -type mockResponse struct { - response *networkpolicy.EndpointNetworkPolicyRules - error error -} - -// TestIncompleteArguments tests how the handler function responds when the user -// passes in a query command with incomplete arguments (missing pod names or namespaces) -func TestIncompleteArguments(t *testing.T) { - mockCtrl := gomock.NewController(t) - testCases := []TestCase{ - { - name: "Invalid format", - handlerRequest: "?source=ns1/&destination=ns2/pod2/foo", - expectedStatus: http.StatusBadRequest, - }, - { - name: "Missing pod names", - handlerRequest: 
"?source=&destination=", - expectedStatus: http.StatusBadRequest, - }, - { - name: "Default namespaces", - handlerRequest: "?source=pod1&destination=/pod2", - argsMock: []string{"default", "pod1", "default", "pod2"}, - mockQueryResponse: []mockResponse{{response: nil, error: nil}, {response: nil, error: nil}}, - expectedStatus: http.StatusOK, - expectedResult: &endpoint.Rule{}, - }, - } - evaluateTestCases(testCases, mockCtrl, t) -} - -func TestNetworkPolicyAnalysis(t *testing.T) { - mockCtrl := gomock.NewController(t) - handlerRequest := "?source=ns/pod1&destination=ns/pod2" - var namespace = "ns" - argsMock := []string{namespace, "pod1", namespace, "pod2"} - uid1, uid2 := types.UID(fmt.Sprint(111)), types.UID(fmt.Sprint(222)) - priority1, priority2, defaultPriority, tierEmergency := float64(10), float64(15), float64(-1), int32(50) - passAction := v1beta1.RuleActionPass - - // functions used to generate mock responses - generatePolicies := func(policyUID types.UID, policyType controlplane.NetworkPolicyType, direction controlplane.Direction, tierPriority *int32, policyPriority *float64, numRules int, action *v1beta1.RuleAction) []*antreatypes.NetworkPolicy { - rules := make([]controlplane.NetworkPolicyRule, numRules) - for i := 0; i < numRules; i++ { - rules[i] = controlplane.NetworkPolicyRule{ - Direction: direction, - Name: fmt.Sprintf("Policy%sRule%d", policyUID, i), - Priority: int32(i), - } - if action != nil { - rules[i].Action = action - } - } - return []*antreatypes.NetworkPolicy{{ - UID: policyUID, - Name: fmt.Sprintf("Policy%s", policyUID), - SourceRef: &controlplane.NetworkPolicyReference{Type: policyType, Namespace: namespace, Name: fmt.Sprintf("Policy%s", policyUID), UID: policyUID}, - Rules: rules, - TierPriority: tierPriority, - Priority: policyPriority, - }} - } - generateRuleInfo := func(policy *antreatypes.NetworkPolicy) []*networkpolicy.RuleInfo { - ruleInfoMatches := make([]*networkpolicy.RuleInfo, len(policy.Rules)) - for i := 0; i < 
len(policy.Rules); i++ { - ruleInfoMatches[i] = &networkpolicy.RuleInfo{ - Policy: policy, - Index: i, - Direction: v1beta2.Direction(policy.Rules[i].Direction), - } - } - return ruleInfoMatches - } - generateResponse := func(podID int, appliedPolicies []*antreatypes.NetworkPolicy, matchedRules []*networkpolicy.RuleInfo) *networkpolicy.EndpointNetworkPolicyRules { - endpointRule := &networkpolicy.EndpointNetworkPolicyRules{ - Namespace: namespace, - Name: fmt.Sprintf("pod%d", podID), - AppliedPolicies: appliedPolicies, - } - if podID == 1 { - endpointRule.IngressRules = matchedRules - } else if podID == 2 { - endpointRule.EgressRules = matchedRules - } - return endpointRule - } - - expectedRuleEgress := endpoint.Rule{ - PolicyRef: endpoint.PolicyRef{Type: controlplane.AntreaNetworkPolicy, Namespace: namespace, Name: "Policy111", UID: uid1}, - Direction: v1beta2.DirectionOut, - RuleIndex: 0, - } - expectedRuleIngress := endpoint.Rule{ - PolicyRef: endpoint.PolicyRef{Type: controlplane.AntreaNetworkPolicy, Namespace: namespace, Name: "Policy222", UID: uid2}, - Direction: v1beta2.DirectionIn, - RuleIndex: 0, - } - - testCases := []TestCase{ - { - name: "Pass rule fallthrough", - handlerRequest: handlerRequest, - argsMock: argsMock, - mockQueryResponse: []mockResponse{ - {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, nil, 1, nil), - generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &tierEmergency, nil, 1, &passAction)[0]))}, - {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, nil, 1, &passAction), - generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, nil, 1, nil)[0]))}, - }, - expectedStatus: http.StatusOK, - expectedResult: 
&expectedRuleIngress, - }, - { - name: "Different Tier priorities", - handlerRequest: handlerRequest, - argsMock: argsMock, - mockQueryResponse: []mockResponse{ - {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, nil, 1, nil), - generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &tierEmergency, nil, 1, nil)[0]))}, - {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &tierEmergency, nil, 1, nil), - generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, nil, 1, nil)[0]))}, - }, - expectedStatus: http.StatusOK, - expectedResult: &expectedRuleIngress, - }, - { - name: "Different policy priorities", - handlerRequest: handlerRequest, - argsMock: argsMock, - mockQueryResponse: []mockResponse{ - {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, &priority1, 1, nil), - generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority2, 1, nil)[0]))}, - {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority2, 1, nil), - generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, &priority1, 1, nil)[0]))}, - }, - expectedStatus: http.StatusOK, - expectedResult: &expectedRuleEgress, - }, - { - name: "Different rule priorities", - handlerRequest: handlerRequest, - argsMock: argsMock, - mockQueryResponse: []mockResponse{ - {response: generateResponse(1, nil, generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, 
controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority1, 2, nil)[0]))}, - {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority1, 2, nil), nil)}, - }, - expectedStatus: http.StatusOK, - expectedResult: &expectedRuleIngress, - }, - { - name: "Different policy names", - handlerRequest: handlerRequest, - argsMock: argsMock, - mockQueryResponse: []mockResponse{ - {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, &priority1, 1, nil), - generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority1, 1, nil)[0]))}, - {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority1, 1, nil), - generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, &priority1, 1, nil)[0]))}, - }, - expectedStatus: http.StatusOK, - expectedResult: &expectedRuleEgress, - }, - { - name: "KNP and baseline ANP", - handlerRequest: handlerRequest, - argsMock: argsMock, - mockQueryResponse: []mockResponse{ - {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.BaselineTierPriority, nil, 1, nil), - generateRuleInfo(generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, nil)[0]))}, - {response: generateResponse(2, generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, nil), - generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.BaselineTierPriority, nil, 1, nil)[0]))}, - }, - 
expectedStatus: http.StatusOK, - expectedResult: &endpoint.Rule{ - PolicyRef: endpoint.PolicyRef{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy222", UID: uid2}, - Direction: v1beta2.DirectionIn, - RuleIndex: 0, - }, - }, - { - name: "KNP and default isolation", - handlerRequest: handlerRequest, - argsMock: argsMock, - mockQueryResponse: []mockResponse{ - {response: generateResponse(1, generatePolicies(uid1, controlplane.K8sNetworkPolicy, controlplane.DirectionOut, nil, &defaultPriority, 1, nil), nil)}, - {response: generateResponse(2, generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, nil), - generateRuleInfo(generatePolicies(uid1, controlplane.K8sNetworkPolicy, controlplane.DirectionOut, nil, &defaultPriority, 1, nil)[0]))}, - }, - expectedStatus: http.StatusOK, - expectedResult: &endpoint.Rule{ - PolicyRef: endpoint.PolicyRef{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy111", UID: uid1}, - Direction: v1beta2.DirectionOut, - RuleIndex: 0, - }, - }, - { - name: "KNP egress default isolation", - handlerRequest: handlerRequest, - argsMock: argsMock, - mockQueryResponse: []mockResponse{ - {response: generateResponse(1, generatePolicies(uid1, controlplane.K8sNetworkPolicy, controlplane.DirectionOut, nil, &defaultPriority, 1, nil), nil)}, - {response: generateResponse(2, nil, nil)}, - }, - expectedStatus: http.StatusOK, - expectedResult: &endpoint.Rule{ - PolicyRef: endpoint.PolicyRef{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy111", UID: uid1}, - Direction: v1beta2.DirectionOut, - RuleIndex: -1, - }, - }, - { - name: "KNP ingress default isolation", - handlerRequest: handlerRequest, - argsMock: argsMock, - mockQueryResponse: []mockResponse{ - {response: generateResponse(1, nil, nil)}, - {response: generateResponse(2, generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, nil), nil)}, - 
}, - expectedStatus: http.StatusOK, - expectedResult: &endpoint.Rule{ - PolicyRef: endpoint.PolicyRef{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy222", UID: uid2}, - Direction: v1beta2.DirectionIn, - RuleIndex: -1, - }, - }, - { - name: "No common rule found", - handlerRequest: handlerRequest, - argsMock: argsMock, - mockQueryResponse: []mockResponse{ - {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, nil, 1, nil), nil)}, - {response: generateResponse(2, nil, nil)}, - }, - expectedStatus: http.StatusOK, - expectedResult: &endpoint.Rule{}, - }, - { - name: "Querier error", - handlerRequest: handlerRequest, - argsMock: argsMock, - mockQueryResponse: []mockResponse{{}, {error: errors.NewInternalError(fmt.Errorf("querier error"))}}, - expectedStatus: http.StatusInternalServerError, - }, - } - evaluateTestCases(testCases, mockCtrl, t) -} - -// evaluateTestCases executes the test cases by mocking QueryNetworkPolicyRules mock. It assumes that -// argsMock has at least 4 entries and mockQueryResponse has at least 2 entries if not expecting bad request. 
-func evaluateTestCases(testCases []TestCase, mockCtrl *gomock.Controller, t *testing.T) { - for _, tc := range testCases { - mockQuerier := queriermock.NewMockEndpointQuerier(mockCtrl) - if tc.expectedStatus != http.StatusBadRequest { - mockQuerier.EXPECT().QueryNetworkPolicyRules(tc.argsMock[0], tc.argsMock[1]).Return(tc.mockQueryResponse[0].response, tc.mockQueryResponse[0].error) - mockQuerier.EXPECT().QueryNetworkPolicyRules(tc.argsMock[2], tc.argsMock[3]).Return(tc.mockQueryResponse[1].response, tc.mockQueryResponse[1].error) - } - - handler := HandleFunc(mockQuerier) - req, err := http.NewRequest(http.MethodGet, tc.handlerRequest, nil) - assert.Nil(t, err) - - recorder := httptest.NewRecorder() - handler.ServeHTTP(recorder, req) - assert.Equal(t, tc.expectedStatus, recorder.Code) - if tc.expectedStatus != http.StatusOK { - return - } - - var received endpoint.Rule - err = json.Unmarshal(recorder.Body.Bytes(), &received) - assert.Nil(t, err) - assert.EqualValues(t, *tc.expectedResult, received) - } -} diff --git a/pkg/apiserver/openapi/zz_generated.openapi.go b/pkg/apiserver/openapi/zz_generated.openapi.go index 626f6d18b8f..adbe813d12d 100644 --- a/pkg/apiserver/openapi/zz_generated.openapi.go +++ b/pkg/apiserver/openapi/zz_generated.openapi.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -43,6 +43,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "antrea.io/antrea/pkg/apis/controlplane/v1beta2.EgressGroup": schema_pkg_apis_controlplane_v1beta2_EgressGroup(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.EgressGroupList": schema_pkg_apis_controlplane_v1beta2_EgressGroupList(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.EgressGroupPatch": schema_pkg_apis_controlplane_v1beta2_EgressGroupPatch(ref), + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.Entity": schema_pkg_apis_controlplane_v1beta2_Entity(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.ExternalEntityReference": schema_pkg_apis_controlplane_v1beta2_ExternalEntityReference(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.GroupAssociation": schema_pkg_apis_controlplane_v1beta2_GroupAssociation(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.GroupMember": schema_pkg_apis_controlplane_v1beta2_GroupMember(ref), 
@@ -56,6 +57,9 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "antrea.io/antrea/pkg/apis/controlplane/v1beta2.MulticastGroupInfo": schema_pkg_apis_controlplane_v1beta2_MulticastGroupInfo(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NamedPort": schema_pkg_apis_controlplane_v1beta2_NamedPort(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicy": schema_pkg_apis_controlplane_v1beta2_NetworkPolicy(ref), + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyAccessRequest": schema_pkg_apis_controlplane_v1beta2_NetworkPolicyAccessRequest(ref), + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyAccessResponse": schema_pkg_apis_controlplane_v1beta2_NetworkPolicyAccessResponse(ref), + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyAccessReview": schema_pkg_apis_controlplane_v1beta2_NetworkPolicyAccessReview(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyList": schema_pkg_apis_controlplane_v1beta2_NetworkPolicyList(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyNodeStatus": schema_pkg_apis_controlplane_v1beta2_NetworkPolicyNodeStatus(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyPeer": schema_pkg_apis_controlplane_v1beta2_NetworkPolicyPeer(ref), 
@@ -67,6 +71,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NodeStatsSummary": schema_pkg_apis_controlplane_v1beta2_NodeStatsSummary(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.PaginationGetOptions": schema_pkg_apis_controlplane_v1beta2_PaginationGetOptions(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.PodReference": schema_pkg_apis_controlplane_v1beta2_PodReference(ref), + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.RuleRef": schema_pkg_apis_controlplane_v1beta2_RuleRef(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.Service": schema_pkg_apis_controlplane_v1beta2_Service(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.ServiceReference": schema_pkg_apis_controlplane_v1beta2_ServiceReference(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.SupportBundleCollection": schema_pkg_apis_controlplane_v1beta2_SupportBundleCollection(ref), @@ -1052,6 +1057,26 @@ func schema_pkg_apis_controlplane_v1beta2_EgressGroupPatch(ref common.ReferenceC } } +func schema_pkg_apis_controlplane_v1beta2_Entity(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Entity contains Namespace and Pod name as a request parameter.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "pod": { + SchemaProps: spec.SchemaProps{ + Ref: ref("antrea.io/antrea/pkg/apis/controlplane/v1beta2.PodReference"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.PodReference"}, + } +} + func schema_pkg_apis_controlplane_v1beta2_ExternalEntityReference(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -1636,6 +1661,107 @@ func schema_pkg_apis_controlplane_v1beta2_NetworkPolicy(ref common.ReferenceCall } } +func schema_pkg_apis_controlplane_v1beta2_NetworkPolicyAccessRequest(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NetworkPolicyAccessRequest is the request body of NetworkPolicy access review.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "source": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/controlplane/v1beta2.Entity"), + }, + }, + "destination": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/controlplane/v1beta2.Entity"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.Entity"}, + } +} + +func schema_pkg_apis_controlplane_v1beta2_NetworkPolicyAccessResponse(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NetworkPolicyAccessResponse is the response of NetworkPolicy access review.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "sourceRef": { + SchemaProps: spec.SchemaProps{ + Description: "The reference of the effective NetworkPolicy.", + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyReference"), + }, + }, + "ruleIndex": { + SchemaProps: spec.SchemaProps{ + Type: []string{"integer"}, + Format: "int32", + }, + }, + "rule": { + SchemaProps: spec.SchemaProps{ + Description: "The content of the effective rule.", + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/controlplane/v1beta2.RuleRef"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyReference", 
"antrea.io/antrea/pkg/apis/controlplane/v1beta2.RuleRef"}, + } +} + +func schema_pkg_apis_controlplane_v1beta2_NetworkPolicyAccessReview(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NetworkPolicyAccessReview contains the request and response for a NetworkPolicy access review.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "request": { + SchemaProps: spec.SchemaProps{ + Ref: ref("antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyAccessRequest"), + }, + }, + "response": { + SchemaProps: spec.SchemaProps{ + Ref: ref("antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyAccessResponse"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyAccessRequest", "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyAccessResponse"}, + } +} + func schema_pkg_apis_controlplane_v1beta2_NetworkPolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -2243,6 +2369,37 @@ func schema_pkg_apis_controlplane_v1beta2_PodReference(ref common.ReferenceCallb } } +func schema_pkg_apis_controlplane_v1beta2_RuleRef(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "RuleRef contains basic information for the rule.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "direction": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "name": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "action": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_pkg_apis_controlplane_v1beta2_Service(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/pkg/apiserver/registry/networkpolicy/networkpolicyaccessreview/rest.go b/pkg/apiserver/registry/networkpolicy/networkpolicyaccessreview/rest.go new file mode 100644 index 00000000000..de908d79cd4 --- /dev/null +++ b/pkg/apiserver/registry/networkpolicy/networkpolicyaccessreview/rest.go 
@@ -0,0 +1,67 @@
+// Copyright 2024 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package networkpolicyaccessreview
+
+import (
+ "context"
+ "fmt"
+
+ "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apiserver/pkg/registry/rest"
+
+ "antrea.io/antrea/pkg/apis/controlplane"
+ "antrea.io/antrea/pkg/controller/networkpolicy"
+)
+
+type REST struct {
+ querier networkpolicy.PolicyRuleQuerier
+}
+
+var (
+ _ rest.Storage = &REST{}
+ _ rest.Scoper = &REST{}
+ _ rest.Creater = &REST{}
+)
+
+// NewREST returns a REST object that will work against API services.
+func NewREST(querier networkpolicy.PolicyRuleQuerier) *REST {
+ return &REST{querier}
+}
+
+func (r *REST) New() runtime.Object {
+ return &controlplane.NetworkPolicyAccessReview{}
+}
+
+func (r *REST) Destroy() {
+}
+
+func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) {
+ review, ok := obj.(*controlplane.NetworkPolicyAccessReview)
+ if !ok {
+ return nil, errors.NewBadRequest(fmt.Sprintf("not a NetworkPolicyAccessReview object: %T", obj))
+ }
+ response, err := r.querier.QueryNetworkPolicyAccessReview(review.Request)
+ if err != nil {
+ return nil, err
+ }
+ review.Response = response
+ return review, nil
+}
+
+func (r *REST) NamespaceScoped() bool {
+ return false
+}
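Review bot: Create never invokes the createValidation callback it receives, so the validation hook the apiserver hands to every Creater is skipped and the object goes straight to the querier; the usual pattern for review-style resources is `if createValidation != nil { if err := createValidation(ctx, obj.DeepCopyObject()); err != nil { return nil, err } }` before the querier call. review.Request is also forwarded without a nil check; unless QueryNetworkPolicyAccessReview is known to tolerate a nil request (its body is not in this hunk), rejecting it here with `errors.NewBadRequest("request must be set")` gives the client a 400 instead of whatever the querier does with nil. Since this endpoint reports which policy rule applies between any two Pods, the RBAC granting the create verb on networkpolicyaccessreviews is not part of this diff and is worth confirming against the intended callers.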
diff --git a/pkg/apiserver/registry/networkpolicy/networkpolicyaccessreview/rest_test.go b/pkg/apiserver/registry/networkpolicy/networkpolicyaccessreview/rest_test.go new file mode 100644 index 00000000000..9547d55fb9b --- /dev/null +++ b/pkg/apiserver/registry/networkpolicy/networkpolicyaccessreview/rest_test.go 
@@ -0,0 +1,96 @@ +// Copyright 2024 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package networkpolicyaccessreview + +import ( + "context" + "fmt" + "testing" + + "github.com/stretchr/testify/assert" + "go.uber.org/mock/gomock" + "k8s.io/apimachinery/pkg/api/errors" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + + "antrea.io/antrea/pkg/apis/controlplane" + queriermock "antrea.io/antrea/pkg/controller/networkpolicy/testing" +) + +func TestREST(t *testing.T) { + r := NewREST(nil) + assert.Equal(t, &controlplane.NetworkPolicyAccessReview{}, r.New()) + assert.False(t, r.NamespaceScoped()) +} + +func TestRESTCreate(t *testing.T) { + request := controlplane.NetworkPolicyAccessRequest{Source: controlplane.Entity{Pod: &controlplane.PodReference{Namespace: "ns", Name: "pod1"}}, Destination: controlplane.Entity{Pod: &controlplane.PodReference{Namespace: "ns", Name: "pod2"}}} + tests := []struct { + name string + obj runtime.Object + expectedReturnedObj runtime.Object + expectedErr error + mockResponse *controlplane.NetworkPolicyAccessResponse + mockErr error + }{ + { + name: "Succeed", + obj: &controlplane.NetworkPolicyAccessReview{ + Request: &request, + }, + expectedReturnedObj: &controlplane.NetworkPolicyAccessReview{ + Request: &request, + Response: &controlplane.NetworkPolicyAccessResponse{ + NetworkPolicy: controlplane.NetworkPolicyReference{Name: "test"}, + Rule: controlplane.RuleRef{Direction: 
controlplane.DirectionIn}, + }, + }, + mockResponse: &controlplane.NetworkPolicyAccessResponse{ + NetworkPolicy: controlplane.NetworkPolicyReference{Name: "test"}, + Rule: controlplane.RuleRef{Direction: controlplane.DirectionIn}, + }, + }, + { + name: "Query error", + obj: &controlplane.NetworkPolicyAccessReview{ + Request: &request, + }, + mockErr: fmt.Errorf("querier error"), + expectedErr: fmt.Errorf("querier error"), + }, + { + name: "Unexpected type", + obj: &controlplane.NetworkPolicy{ + ObjectMeta: v1.ObjectMeta{ + Name: "foo", + }, + }, + expectedErr: errors.NewBadRequest("not a NetworkPolicyAccessReview object: *controlplane.NetworkPolicy"), + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + mockCtrl := gomock.NewController(t) + mockQuerier := queriermock.NewMockPolicyRuleQuerier(mockCtrl) + if tt.mockResponse != nil || tt.mockErr != nil { + mockQuerier.EXPECT().QueryNetworkPolicyAccessReview(tt.obj.(*controlplane.NetworkPolicyAccessReview).Request).Return(tt.mockResponse, tt.mockErr) + } + r := NewREST(mockQuerier) + actualObj, err := r.Create(context.TODO(), tt.obj, nil, &v1.CreateOptions{}) + assert.Equal(t, tt.expectedErr, err) + assert.Equal(t, tt.expectedReturnedObj, actualObj) + }) + } +} diff --git a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/controlplane_client.go b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/controlplane_client.go index 98c7b89f758..ba654b4473e 100644 --- a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/controlplane_client.go +++ b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/controlplane_client.go @@ -1,4 +1,4 @@ -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -34,6 +34,7 @@ type ControlplaneV1beta2Interface interface { GroupMembersGetter IPGroupAssociationsGetter NetworkPoliciesGetter + NetworkPolicyAccessReviewsGetter NodeStatsSummariesGetter SupportBundleCollectionsGetter } @@ -75,6 +76,10 @@ func (c *ControlplaneV1beta2Client) NetworkPolicies() NetworkPolicyInterface { return newNetworkPolicies(c) } +func (c *ControlplaneV1beta2Client) NetworkPolicyAccessReviews() NetworkPolicyAccessReviewInterface { + return newNetworkPolicyAccessReviews(c) +} + func (c *ControlplaneV1beta2Client) NodeStatsSummaries() NodeStatsSummaryInterface { return newNodeStatsSummaries(c) } diff --git a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/fake/fake_controlplane_client.go b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/fake/fake_controlplane_client.go index 232d3b75f8a..49f06cdd81d 100644 --- a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/fake/fake_controlplane_client.go +++ b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/fake/fake_controlplane_client.go @@ -1,4 +1,4 @@ -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -58,6 +58,10 @@ func (c *FakeControlplaneV1beta2) NetworkPolicies() v1beta2.NetworkPolicyInterfa return &FakeNetworkPolicies{c} } +func (c *FakeControlplaneV1beta2) NetworkPolicyAccessReviews() v1beta2.NetworkPolicyAccessReviewInterface { + return &FakeNetworkPolicyAccessReviews{c} +} + func (c *FakeControlplaneV1beta2) NodeStatsSummaries() v1beta2.NodeStatsSummaryInterface { return &FakeNodeStatsSummaries{c} } diff --git a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/fake/fake_networkpolicyaccessreview.go b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/fake/fake_networkpolicyaccessreview.go new file mode 100644 index 00000000000..bf31ae51e17 --- /dev/null 
+++ b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/fake/fake_networkpolicyaccessreview.go 
@@ -0,0 +1,45 @@ +// Copyright 2024 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1beta2 "antrea.io/antrea/pkg/apis/controlplane/v1beta2" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeNetworkPolicyAccessReviews implements NetworkPolicyAccessReviewInterface +type FakeNetworkPolicyAccessReviews struct { + Fake *FakeControlplaneV1beta2 +} + +var networkpolicyaccessreviewsResource = schema.GroupVersionResource{Group: "controlplane.antrea.io", Version: "v1beta2", Resource: "networkpolicyaccessreviews"} + +var networkpolicyaccessreviewsKind = schema.GroupVersionKind{Group: "controlplane.antrea.io", Version: "v1beta2", Kind: "NetworkPolicyAccessReview"} + +// Create takes the representation of a networkPolicyAccessReview and creates it. Returns the server's representation of the networkPolicyAccessReview, and an error, if there is any. +func (c *FakeNetworkPolicyAccessReviews) Create(ctx context.Context, networkPolicyAccessReview *v1beta2.NetworkPolicyAccessReview, opts v1.CreateOptions) (result *v1beta2.NetworkPolicyAccessReview, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewRootCreateAction(networkpolicyaccessreviewsResource, networkPolicyAccessReview), &v1beta2.NetworkPolicyAccessReview{}) + if obj == nil { + return nil, err + } + return obj.(*v1beta2.NetworkPolicyAccessReview), err +} diff --git a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/generated_expansion.go b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/generated_expansion.go index b6b453ba588..22ce72cfcbd 100644 --- a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/generated_expansion.go +++ b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/generated_expansion.go @@ -1,4 +1,4 @@ -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -26,4 +26,6 @@ type GroupAssociationExpansion interface{} type IPGroupAssociationExpansion interface{} +type NetworkPolicyAccessReviewExpansion interface{} + type NodeStatsSummaryExpansion interface{} diff --git a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/networkpolicyaccessreview.go b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/networkpolicyaccessreview.go new file mode 100644 index 00000000000..247caf4b74a --- /dev/null +++ b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/networkpolicyaccessreview.go 
@@ -0,0 +1,62 @@ +// Copyright 2024 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by client-gen. DO NOT EDIT. + +package v1beta2 + +import ( + "context" + + v1beta2 "antrea.io/antrea/pkg/apis/controlplane/v1beta2" + scheme "antrea.io/antrea/pkg/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rest "k8s.io/client-go/rest" +) + +// NetworkPolicyAccessReviewsGetter has a method to return a NetworkPolicyAccessReviewInterface. +// A group's client should implement this interface. +type NetworkPolicyAccessReviewsGetter interface { + NetworkPolicyAccessReviews() NetworkPolicyAccessReviewInterface +} + +// NetworkPolicyAccessReviewInterface has methods to work with NetworkPolicyAccessReview resources. 
+type NetworkPolicyAccessReviewInterface interface { + Create(ctx context.Context, networkPolicyAccessReview *v1beta2.NetworkPolicyAccessReview, opts v1.CreateOptions) (*v1beta2.NetworkPolicyAccessReview, error) + NetworkPolicyAccessReviewExpansion +} + +// networkPolicyAccessReviews implements NetworkPolicyAccessReviewInterface +type networkPolicyAccessReviews struct { + client rest.Interface +} + +// newNetworkPolicyAccessReviews returns a NetworkPolicyAccessReviews +func newNetworkPolicyAccessReviews(c *ControlplaneV1beta2Client) *networkPolicyAccessReviews { + return &networkPolicyAccessReviews{ + client: c.RESTClient(), + } +} + +// Create takes the representation of a networkPolicyAccessReview and creates it. Returns the server's representation of the networkPolicyAccessReview, and an error, if there is any. +func (c *networkPolicyAccessReviews) Create(ctx context.Context, networkPolicyAccessReview *v1beta2.NetworkPolicyAccessReview, opts v1.CreateOptions) (result *v1beta2.NetworkPolicyAccessReview, err error) { + result = &v1beta2.NetworkPolicyAccessReview{} + err = c.client.Post(). + Resource("networkpolicyaccessreviews"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(networkPolicyAccessReview). + Do(ctx). + Into(result) + return +} diff --git a/pkg/controller/networkpolicy/adminnetworkpolicy_test.go b/pkg/controller/networkpolicy/adminnetworkpolicy_test.go index c7dea83f135..4346687b04e 100644 --- a/pkg/controller/networkpolicy/adminnetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/adminnetworkpolicy_test.go 
@@ -416,7 +416,7 @@ func TestProcessAdminNetworkPolicy(t *testing.T) { defer featuregatetesting.SetFeatureGateDuringTest(t, features.DefaultFeatureGate, features.AdminNetworkPolicy, true) for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(nil, nil) + _, c := NewController(nil, nil) actualPolicy, actualAppliedToGroups, actualAddressGroups := c.processAdminNetworkPolicy(tt.inputPolicy) assert.Equal(t, tt.expectedPolicy.UID, actualPolicy.UID) assert.Equal(t, tt.expectedPolicy.Name, actualPolicy.Name) @@ -712,7 +712,7 @@ func TestProcessBaselineAdminNetworkPolicy(t *testing.T) { defer featuregatetesting.SetFeatureGateDuringTest(t, features.DefaultFeatureGate, features.AdminNetworkPolicy, true) for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(nil, nil) + _, c := NewController(nil, nil) actualPolicy, actualAppliedToGroups, actualAddressGroups := c.processBaselineAdminNetworkPolicy(tt.inputPolicy) assert.Equal(t, tt.expectedPolicy.UID, actualPolicy.UID) assert.Equal(t, tt.expectedPolicy.Name, actualPolicy.Name) diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy_test.go b/pkg/controller/networkpolicy/antreanetworkpolicy_test.go index 62554de4402..c0d5e7e42db 100644 --- a/pkg/controller/networkpolicy/antreanetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/antreanetworkpolicy_test.go @@ -739,7 +739,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(nil, nil) + _, c := NewController(nil, nil) c.serviceStore.Add(&svcA) actualPolicy, actualAppliedToGroups, actualAddressGroups := c.processAntreaNetworkPolicy(tt.inputPolicy) assert.Equal(t, tt.expectedPolicy, actualPolicy) 
@@ -750,7 +750,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { } func TestAddANNP(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) annp := getANNP() npc.addANNP(annp) require.Equal(t, 1, npc.internalNetworkPolicyQueue.Len()) @@ -761,7 +761,7 @@ func TestAddANNP(t *testing.T) { } func TestUpdateANNP(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) annp := getANNP() newANNP := annp.DeepCopy() // Make a change to the ANNP. @@ -775,7 +775,7 @@ func TestUpdateANNP(t *testing.T) { } func TestDeleteANNP(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) annp := getANNP() npc.deleteANNP(annp) require.Equal(t, 1, npc.internalNetworkPolicyQueue.Len()) diff --git a/pkg/controller/networkpolicy/clustergroup.go b/pkg/controller/networkpolicy/clustergroup.go index 735b365c241..f4cb27e0c4b 100644 --- a/pkg/controller/networkpolicy/clustergroup.go +++ b/pkg/controller/networkpolicy/clustergroup.go @@ -210,9 +210,9 @@ func (c *NetworkPolicyController) syncInternalClusterGroup(grp *antreatypes.Grou } selectorUpdated := c.processServiceReference(grp) if grp.Selector != nil { - c.groupingInterface.AddGroup(internalGroupType, grp.SourceReference.ToGroupName(), grp.Selector) + c.GroupingInterface.AddGroup(internalGroupType, grp.SourceReference.ToGroupName(), grp.Selector) } else { - c.groupingInterface.DeleteGroup(internalGroupType, grp.SourceReference.ToGroupName()) + c.GroupingInterface.DeleteGroup(internalGroupType, grp.SourceReference.ToGroupName()) } membersComputed, membersComputedStatus := true, v1.ConditionFalse 
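Review bot: Renaming groupingInterface to the exported GroupingInterface (and, in the later hunks, crdInformerFactory to CrdInformerFactory and newController to NewController) turns internal controller state into public API of NetworkPolicyController, so any importing package can now swap the grouping interface on a live controller. If the exports exist only so tests or wiring in another package can reach them, an accessor method that returns the field, or an export_test.go, keeps the field itself private; the field's type is not visible here, so I cannot suggest the exact signature. The same rename appears in the crd_utils.go hunk and across the *_test.go hunks that follow.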
@@ -368,9 +368,9 @@ func (c *NetworkPolicyController) serviceToGroupSelector(service *v1.Service) *a // queried (Pod or ExternalEntity identified by name and namespace). func (c *NetworkPolicyController) GetAssociatedGroups(name, namespace string) []antreatypes.Group { // Try Pod first, then ExternalEntity. - groups, exists := c.groupingInterface.GetGroupsForPod(namespace, name) + groups, exists := c.GroupingInterface.GetGroupsForPod(namespace, name) if !exists { - groups, exists = c.groupingInterface.GetGroupsForExternalEntity(namespace, name) + groups, exists = c.GroupingInterface.GetGroupsForExternalEntity(namespace, name) if !exists { return nil } diff --git a/pkg/controller/networkpolicy/clustergroup_test.go b/pkg/controller/networkpolicy/clustergroup_test.go index e957d024318..a32aea82100 100644 --- a/pkg/controller/networkpolicy/clustergroup_test.go +++ b/pkg/controller/networkpolicy/clustergroup_test.go @@ -167,7 +167,7 @@ func TestProcessClusterGroup(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(nil, nil) + _, c := NewController(nil, nil) actualGroup := c.processClusterGroup(tt.inputGroup) assert.Equal(t, tt.expectedGroup, actualGroup) }) @@ -269,7 +269,7 @@ func TestAddClusterGroup(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addClusterGroup(tt.inputGroup) key := tt.inputGroup.Name actualGroupObj, _, _ := npc.internalGroupStore.Get(key) @@ -418,7 +418,7 @@ func TestUpdateClusterGroup(t *testing.T) { }, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addClusterGroup(&testCG) key := testCG.Name for _, tt := range tests { 
@@ -440,7 +440,7 @@ func TestDeleteCG(t *testing.T) { }, } key := testCG.Name - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addClusterGroup(&testCG) npc.deleteClusterGroup(&testCG) _, found, _ := npc.internalGroupStore.Get(key) @@ -584,7 +584,7 @@ func TestFilterInternalGroupsForService(t *testing.T) { sets.New[string]("cgC"), }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.internalGroupStore.Create(grp1) npc.internalGroupStore.Create(grp2) npc.internalGroupStore.Create(grp3) @@ -688,7 +688,7 @@ func TestServiceToGroupSelector(t *testing.T) { nil, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.serviceStore.Add(svc1) npc.serviceStore.Add(svc2) npc.serviceStore.Add(svc3) @@ -858,19 +858,19 @@ func TestGetAssociatedGroups(t *testing.T) { []antreatypes.Group{}, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) for i := range testPods { - npc.groupingInterface.AddPod(testPods[i]) + npc.GroupingInterface.AddPod(testPods[i]) } for j := range externalEntities { - npc.groupingInterface.AddExternalEntity(externalEntities[j]) + npc.GroupingInterface.AddExternalEntity(externalEntities[j]) } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { for i, g := range tt.existingGroups { npc.internalGroupStore.Create(&tt.existingGroups[i]) if g.Selector != nil { - npc.groupingInterface.AddGroup(internalGroupType, g.SourceReference.Name, g.Selector) + npc.GroupingInterface.AddGroup(internalGroupType, g.SourceReference.Name, g.Selector) } } groups := npc.GetAssociatedGroups(tt.queryName, tt.queryNamespace) 
@@ -906,17 +906,17 @@ func TestGetClusterGroupMembers(t *testing.T) { controlplane.GroupMemberSet{}, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) for i := range testPods { - npc.groupingInterface.AddPod(testPods[i]) + npc.GroupingInterface.AddPod(testPods[i]) } for j := range externalEntities { - npc.groupingInterface.AddExternalEntity(externalEntities[j]) + npc.GroupingInterface.AddExternalEntity(externalEntities[j]) } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { npc.internalGroupStore.Create(&tt.group) - npc.groupingInterface.AddGroup(internalGroupType, tt.group.SourceReference.Name, tt.group.Selector) + npc.GroupingInterface.AddGroup(internalGroupType, tt.group.SourceReference.Name, tt.group.Selector) members, _, err := npc.GetGroupMembers(tt.group.SourceReference.Name) assert.Equal(t, nil, err) assert.Equal(t, tt.expectedMembers, members) @@ -972,8 +972,8 @@ func TestSyncInternalGroup(t *testing.T) { _, npc := newControllerWithoutEventHandler(nil, []runtime.Object{cnp1, cnp2, cg}) stopCh := make(chan struct{}) defer close(stopCh) - npc.crdInformerFactory.Start(stopCh) - npc.crdInformerFactory.WaitForCacheSync(stopCh) + npc.CrdInformerFactory.Start(stopCh) + npc.CrdInformerFactory.WaitForCacheSync(stopCh) // cnp1 is synced before the ClusterGroup. The rule's From should be empty as the ClusterGroup hasn't been synced, require.NoError(t, npc.syncInternalNetworkPolicy(getACNPReference(cnp1))) @@ -1153,8 +1153,8 @@ func TestGetAssociatedIPBlockGroups(t *testing.T) { _, npc := newControllerWithoutEventHandler(nil, []runtime.Object{cg1, cg2, cg2Parent}) stopCh := make(chan struct{}) defer close(stopCh) - npc.crdInformerFactory.Start(stopCh) - npc.crdInformerFactory.WaitForCacheSync(stopCh) + npc.CrdInformerFactory.Start(stopCh) + npc.CrdInformerFactory.WaitForCacheSync(stopCh) npc.addClusterGroup(cg1) npc.syncInternalGroup(internalGroupKeyFunc(cg1)) 
diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go index 1a0d19e3921..cc1d595d26a 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go @@ -1777,7 +1777,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(nil, nil) + _, c := NewController(nil, nil) c.addClusterGroup(&cgA) c.cgStore.Add(&cgA) c.namespaceStore.Add(&nsA) @@ -1800,7 +1800,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { } func TestAddCNP(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) cnp := getCNP() npc.addCNP(cnp) require.Equal(t, 1, npc.internalNetworkPolicyQueue.Len()) @@ -1811,7 +1811,7 @@ func TestAddCNP(t *testing.T) { } func TestUpdateCNP(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) cnp := getCNP() newCNP := cnp.DeepCopy() // Make a change to the CNP. @@ -1825,7 +1825,7 @@ func TestUpdateCNP(t *testing.T) { } func TestDeleteCNP(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) cnp := getCNP() npc.deleteCNP(cnp) require.Equal(t, 1, npc.internalNetworkPolicyQueue.Len()) @@ -1861,7 +1861,7 @@ func TestGetTierPriority(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) name := "" if tt.inputTier != nil { npc.tierStore.Add(tt.inputTier) @@ -1932,7 +1932,7 @@ func TestProcessRefGroupOrClusterGroup(t *testing.T) { }, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addClusterGroup(&cgA) npc.addClusterGroup(&cgB) npc.addClusterGroup(&cgNested1) 
@@ -2193,7 +2193,7 @@ func TestFilterPerNamespaceRuleACNPsByNSLabels(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(nil, nil) + _, c := NewController(nil, nil) c.acnpStore.Add(cnpWithSpecAppliedTo) c.acnpStore.Add(cnpWithRuleAppliedTo) c.acnpStore.Add(cnpMatchAllNamespaces) diff --git a/pkg/controller/networkpolicy/crd_utils.go b/pkg/controller/networkpolicy/crd_utils.go index 801470383e4..0a7c61e7c33 100644 --- a/pkg/controller/networkpolicy/crd_utils.go +++ b/pkg/controller/networkpolicy/crd_utils.go @@ -368,7 +368,7 @@ func (n *NetworkPolicyController) syncInternalGroup(key string) error { grpObj, found, _ := n.internalGroupStore.Get(key) if !found { klog.V(2).InfoS("Internal group not found", "internalGroup", key) - n.groupingInterface.DeleteGroup(internalGroupType, key) + n.GroupingInterface.DeleteGroup(internalGroupType, key) return nil } grp := grpObj.(*antreatypes.Group) diff --git a/pkg/controller/networkpolicy/crd_utils_test.go b/pkg/controller/networkpolicy/crd_utils_test.go index a572e347c28..57240c1bb3f 100644 --- a/pkg/controller/networkpolicy/crd_utils_test.go +++ b/pkg/controller/networkpolicy/crd_utils_test.go @@ -472,7 +472,7 @@ func TestToAntreaPeerForCRD(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addClusterGroup(&cgA) npc.cgStore.Add(&cgA) if tt.clusterSetScope { @@ -523,7 +523,7 @@ func TestCreateAppliedToGroupsForGroup(t *testing.T) { ObjectMeta: metav1.ObjectMeta{Namespace: "nsB", Name: "gB", UID: "uidB"}, Spec: crdv1beta1.GroupSpec{IPBlocks: []crdv1beta1.IPBlock{{CIDR: cidr}}}, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addClusterGroup(clusterGroupWithSelector) npc.addClusterGroup(clusterGroupWithIPBlock) npc.addGroup(groupWithSelector) 
diff --git a/pkg/controller/networkpolicy/endpoint_querier.go b/pkg/controller/networkpolicy/endpoint_querier.go index 31343eceeb0..a25eb47a9c4 100644 --- a/pkg/controller/networkpolicy/endpoint_querier.go +++ b/pkg/controller/networkpolicy/endpoint_querier.go @@ -18,8 +18,14 @@ package networkpolicy import ( + "errors" + "sort" + + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/sets" + "antrea.io/antrea/pkg/apis/controlplane" - cpv1beta "antrea.io/antrea/pkg/apis/controlplane/v1beta2" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" "antrea.io/antrea/pkg/controller/networkpolicy/store" antreatypes "antrea.io/antrea/pkg/controller/types" ) 
@@ -31,15 +37,39 @@ type EndpointQuerier interface { QueryNetworkPolicyRules(namespace, podName string) (*EndpointNetworkPolicyRules, error) } -// endpointQuerier implements the EndpointQuerier interface -type endpointQuerier struct { +// EndpointQuerierImpl implements the EndpointQuerier interface +type EndpointQuerierImpl struct { networkPolicyController *NetworkPolicyController } +// NewEndpointQuerier returns a new *EndpointQuerierImpl. +func NewEndpointQuerier(networkPolicyController *NetworkPolicyController) *EndpointQuerierImpl { + return &EndpointQuerierImpl{ + networkPolicyController: networkPolicyController, + } +} + +// PolicyRuleQuerier handles requests for querying effective policy rule on entities. +type PolicyRuleQuerier interface { + QueryNetworkPolicyAccessReview(entities *controlplane.NetworkPolicyAccessRequest) (*controlplane.NetworkPolicyAccessResponse, error) +} + +// policyRuleQuerier implements the PolicyRuleQuerier interface +type policyRuleQuerier struct { + endpointQuerier EndpointQuerier +} + +// NewPolicyRuleQuerier returns a new *policyRuleQuerier +func NewPolicyRuleQuerier(endpointQuerier EndpointQuerier) *policyRuleQuerier { + return &policyRuleQuerier{ + endpointQuerier: endpointQuerier, + } +} + type RuleInfo struct { - Policy *antreatypes.NetworkPolicy - Index int - Direction cpv1beta.Direction + Policy *antreatypes.NetworkPolicy + Index int + Rule *controlplane.NetworkPolicyRule } type EndpointNetworkPolicyRules struct { 
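Review bot: NewPolicyRuleQuerier is exported but returns the unexported *policyRuleQuerier, so callers outside the package can only hold the result through the PolicyRuleQuerier interface and cannot name the concrete type in their own signatures; either return the interface, `func NewPolicyRuleQuerier(endpointQuerier EndpointQuerier) PolicyRuleQuerier`, or export the struct as was done for EndpointQuerierImpl. Replacing RuleInfo.Direction with Rule *controlplane.NetworkPolicyRule removes a field that existing consumers of RuleInfo may read; if anything outside this package used Direction, that is a breaking change worth stating in the commit description. The comment on NewPolicyRuleQuerier also lacks the trailing period its sibling on NewEndpointQuerier has.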
@@ -50,20 +80,45 @@ type EndpointNetworkPolicyRules struct { EgressRules []*RuleInfo } -// NewEndpointQuerier returns a new *endpointQuerier. -func NewEndpointQuerier(networkPolicyController *NetworkPolicyController) *endpointQuerier { - n := &endpointQuerier{ - networkPolicyController: networkPolicyController, +type lessFunc func(p1, p2 *RuleInfo) int + +// ByRulePriority implements the Sort interface, sorting the rules within. +// Comparators should be ordered by their importance in terms of determining rule priority. +type ByRulePriority struct { + rules []*RuleInfo + comparators []lessFunc +} + +func (s ByRulePriority) Len() int { return len(s.rules) } + +func (s ByRulePriority) Swap(i, j int) { s.rules[i], s.rules[j] = s.rules[j], s.rules[i] } + +func (s ByRulePriority) Less(i, j int) bool { + p, q := s.rules[i], s.rules[j] + // Try all but the last comparison. + var k int + for k = 0; k < len(s.comparators)-1; k++ { + less := s.comparators[k] + switch less(p, q) { + case 1: // p < q + return true + case -1: // p > q + return false + } + // p == q; try the next comparison. } - return n + return s.comparators[k](p, q) == 1 } // QueryNetworkPolicyRules returns network policies and rules relevant to the selected // network endpoint. Relevant network policies fall into three categories: applied policies // are policies which directly apply to an endpoint, egress/ingress rules are rules which // reference the endpoint respectively. -func (eq *endpointQuerier) QueryNetworkPolicyRules(namespace, podName string) (*EndpointNetworkPolicyRules, error) { - groups, exists := eq.networkPolicyController.groupingInterface.GetGroupsForPod(namespace, podName) +func (eq *EndpointQuerierImpl) QueryNetworkPolicyRules(namespace, podName string) (*EndpointNetworkPolicyRules, error) { + if namespace == "" { + namespace = "default" + } + groups, exists := eq.networkPolicyController.GroupingInterface.GetGroupsForPod(namespace, podName) if !exists { return nil, nil } 
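Review bot: ByRulePriority.Less indexes s.comparators[k] after the loop, which panics with an index out of range when comparators is empty (k stays 0 and the loop body never runs); a guard `if len(s.comparators) == 0 { return false }` at the top makes the type safe to construct without comparators. The lessFunc sign convention is also the reverse of cmp.Compare, with 1 meaning p1 sorts first and -1 meaning p2 sorts first, and only the inline case comments say so; a doc comment such as `// lessFunc returns 1 if p1 has higher precedence than p2, -1 if lower and 0 if equal.` would stop readers from misreading the switch. QueryNetworkPolicyRules now silently substitutes "default" for an empty namespace, and its doc comment should say so, because the returned EndpointNetworkPolicyRules carries "default" rather than the value the caller passed.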
@@ -109,14 +164,16 @@ func (eq *endpointQuerier) QueryNetworkPolicyRules(namespace, podName string) (* for _, rule := range policy.(*antreatypes.NetworkPolicy).Rules { for _, addressGroupTrial := range rule.To.AddressGroups { if addressGroupTrial == string(addressGroup.(*antreatypes.AddressGroup).UID) { - egress = append(egress, &RuleInfo{Policy: policy.(*antreatypes.NetworkPolicy), Index: egressIndex, Direction: cpv1beta.DirectionOut}) + egress = append(egress, &RuleInfo{Policy: policy.(*antreatypes.NetworkPolicy), Index: egressIndex, + Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: rule.Action}}) // an AddressGroup can only be referenced in a rule once break } } for _, addressGroupTrial := range rule.From.AddressGroups { if addressGroupTrial == string(addressGroup.(*antreatypes.AddressGroup).UID) { - ingress = append(ingress, &RuleInfo{Policy: policy.(*antreatypes.NetworkPolicy), Index: ingressIndex, Direction: cpv1beta.DirectionIn}) + ingress = append(ingress, &RuleInfo{Policy: policy.(*antreatypes.NetworkPolicy), Index: ingressIndex, + Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: rule.Action}}) // an AddressGroup can only be referenced in a rule once break } 
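Review bot: The RuleInfo literal with its nested controlplane.NetworkPolicyRule{Direction, Name, Action} is spelled out twice in this hunk and twice more in processQueryResults in the following hunk; a small constructor along the lines of `newRuleInfo(policy, index, rule)` that builds the nested NetworkPolicyRule would keep the copied field set in one place, so a field added to NetworkPolicyRule later is not missed at one of the four sites. The assertion `policy.(*antreatypes.NetworkPolicy)` is also repeated inside the loop and could be done once above the range. The enclosing QueryNetworkPolicyRules body starts and ends outside this hunk.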
@@ -134,3 +191,156 @@ func (eq *endpointQuerier) QueryNetworkPolicyRules(namespace, podName string) (*
 }
 return &EndpointNetworkPolicyRules{namespace, podName, applied, ingress, egress}, nil
 }
+
+// processQueryResults processes the AppliedPolicies in endpoints, returns a set
+// of the policy UIDs, and manually inserts Kubernetes NetworkPolicy default isolation
+// rules if exists. The default isolation rule's direction depends on ifSource,
+// and has the index of -1 to indicate lower precedence.
+func processQueryResults(endpoints *EndpointNetworkPolicyRules, ifSource bool) (sets.Set[types.UID], []*RuleInfo) {
+ policyUIDs := sets.New[types.UID]()
+ isolation := make([]*RuleInfo, 0)
+ for _, internalPolicy := range endpoints.AppliedPolicies {
+ policyUIDs.Insert(internalPolicy.SourceRef.UID)
+ if internalPolicy.SourceRef.Type == controlplane.K8sNetworkPolicy {
+ // check if the Kubernetes NetworkPolicy creates ingress or egress isolation
+ for _, rule := range internalPolicy.Rules {
+ if rule.Direction == controlplane.DirectionIn && !ifSource {
+ isolation = append(isolation, &RuleInfo{Policy: internalPolicy, Index: -1,
+ Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: rule.Action}})
+ } else if rule.Direction == controlplane.DirectionOut && ifSource {
+ isolation = append(isolation, &RuleInfo{Policy: internalPolicy, Index: -1,
+ Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: rule.Action}})
+ }
+ }
+ }
+ }
+ return policyUIDs, isolation
+}
+
+// predictEndpointsRules returns the predicted rules effective from srcEndpoints to dstEndpoints.
+// Rules returned satisfy a. in source applied policies and destination egress rules,
+// or b. in source ingress rules and destination applied policies or c. applied to KNP default isolation.
+func predictEndpointsRules(srcEndpoints, dstEndpoints *EndpointNetworkPolicyRules) *RuleInfo {
+ commonRules := make([]*RuleInfo, 0)
+ if srcEndpoints != nil && dstEndpoints != nil {
+ srcPolicies, srcIsolated := processQueryResults(srcEndpoints, true)
+ dstPolicies, dstIsolated := processQueryResults(dstEndpoints, false)
+ for _, rule := range dstEndpoints.EgressRules {
+ if srcPolicies.Has(rule.Policy.SourceRef.UID) {
+ commonRules = append(commonRules, rule)
+ }
+ }
+ for _, rule := range srcEndpoints.IngressRules {
+ if dstPolicies.Has(rule.Policy.SourceRef.UID) {
+ commonRules = append(commonRules, rule)
+ }
+ }
+ for _, defaultDropRule := range srcIsolated {
+ commonRules = append(commonRules, defaultDropRule)
+ }
+ for _, defaultDropRule := range dstIsolated {
+ commonRules = append(commonRules, defaultDropRule)
+ }
+ }
+
+ // sort the common rules based on multiple closures, the top rule has the highest precedence
+ tierPriority := func(r1, r2 *RuleInfo) int {
+ effectiveTierPriorityK8sNP := (DefaultTierPriority + BaselineTierPriority) / 2
+ r1Priority, r2Priority := effectiveTierPriorityK8sNP, effectiveTierPriorityK8sNP
+ if r1.Policy.TierPriority != nil {
+ r1Priority = *r1.Policy.TierPriority
+ }
+ if r2.Policy.TierPriority != nil {
+ r2Priority = *r2.Policy.TierPriority
+ }
+ if r1Priority < r2Priority {
+ return 1
+ } else if r1Priority > r2Priority {
+ return -1
+ }
+ return 0
+ }
+ policyPriority := func(r1, r2 *RuleInfo) int {
+ if r1.Policy.Priority != nil && r2.Policy.Priority != nil {
+ if *r1.Policy.Priority < *r2.Policy.Priority {
+ return 1
+ } else if *r1.Policy.Priority > *r2.Policy.Priority {
+ return -1
+ }
+ }
+ return 0
+ }
+ rulePriority := func(r1, r2 *RuleInfo) int {
+ // Kubernetes NetworkPolicies rules have the same default priorities, so rule index is hacked for comparison
+ // "-1" indicates default isolation, which has a lower precedence than KNP policy rules with ">=0" rule indexes
+ if r1.Policy.SourceRef.Type == 
controlplane.K8sNetworkPolicy && r2.Policy.SourceRef.Type == controlplane.K8sNetworkPolicy {
+ if r1.Index > r2.Index {
+ return 1
+ } else if r1.Index < r2.Index {
+ return -1
+ }
+ } else {
+ if r1.Index < r2.Index {
+ return 1
+ } else if r1.Index > r2.Index {
+ return -1
+ }
+ }
+ return 0
+ }
+ defaultOrder := func(r1, r2 *RuleInfo) int {
+ if r1.Policy.Name < r2.Policy.Name {
+ return 1
+ }
+ return 0
+ }
+ sort.Sort(ByRulePriority{rules: commonRules, comparators: []lessFunc{tierPriority, policyPriority, rulePriority, defaultOrder}})
+ // filter Antrea-native policy rules with Pass action
+ // if pass rule currently has the highest precedence, skip the remaining rules
+ // until the next K8s rule or Baseline rule, or return the pass rule otherwise
+ var result *RuleInfo
+ passExists := false
+ for idx, rule := range commonRules {
+ result = commonRules[idx]
+ if rule.Rule.Action != nil && *rule.Rule.Action == crdv1beta1.RuleActionPass {
+ passExists = true
+ continue
+ }
+ if !passExists ||
+ passExists && (rule.Policy.SourceRef.Type == controlplane.K8sNetworkPolicy ||
+ (rule.Policy.TierPriority != nil && *rule.Policy.TierPriority == BaselineTierPriority)) {
+ break
+ }
+ }
+ return result
+}
+
+// QueryNetworkPolicyAccessReview returns the effective NetworkPolicy rule on given
+// source and destination entities.
+func (eq *policyRuleQuerier) QueryNetworkPolicyAccessReview(entities *controlplane.NetworkPolicyAccessRequest) (*controlplane.NetworkPolicyAccessResponse, error) {
+ if entities.Source.Pod == nil || entities.Destination.Pod == nil || entities.Source.Pod.Name == "" || entities.Destination.Pod.Name == "" {
+ return nil, errors.New("invalid NetworkPolicyAccessReview request entities")
+ }
+ // query endpoints and handle response errors
+ endpointAnalysisSource, err := eq.endpointQuerier.QueryNetworkPolicyRules(entities.Source.Pod.Namespace, entities.Source.Pod.Name)
+ if err != nil {
+ return nil, err
+ }
+ endpointAnalysisDestination, err := eq.endpointQuerier.QueryNetworkPolicyRules(entities.Destination.Pod.Namespace, entities.Destination.Pod.Name)
+ if err != nil {
+ return nil, err
+ }
+ endpointAnalysisRule := predictEndpointsRules(endpointAnalysisSource, endpointAnalysisDestination)
+ if endpointAnalysisRule == nil {
+ return nil, nil
+ }
+ return &controlplane.NetworkPolicyAccessResponse{
+ NetworkPolicy: *endpointAnalysisRule.Policy.SourceRef,
+ RuleIndex: int32(endpointAnalysisRule.Index),
+ Rule: controlplane.RuleRef{
+ Direction: endpointAnalysisRule.Rule.Direction,
+ Name: endpointAnalysisRule.Rule.Name,
+ Action: endpointAnalysisRule.Rule.Action,
+ },
+ }, nil
+}
diff --git a/pkg/controller/networkpolicy/endpoint_querier_perf_test.go b/pkg/controller/networkpolicy/endpoint_querier_perf_test.go
index 19911dfdbe0..e422a859613 100644
--- a/pkg/controller/networkpolicy/endpoint_querier_perf_test.go
+++ b/pkg/controller/networkpolicy/endpoint_querier_perf_test.go
@@ -15,7 +15,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package networkpolicy
+package networkpolicy_test
 
 import (
 "sync"
@@ -27,6 +27,8 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/util/rand"
+
+ "antrea.io/antrea/pkg/controller/networkpolicy"
 )
 
 /*
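Review bot: `predictEndpointsRules` does not return what its comment promises when a Pass rule is not followed by a K8s or Baseline rule: `result` is overwritten on every iteration, so when the loop runs out it holds the last sorted rule, which may be an Antrea-native rule the Pass was meant to skip (or a later Pass rule) rather than the pass rule itself. Tracking the first Pass rule separately and returning it only when no terminal rule was found fixes that and also removes the `idx`/`passExists` bookkeeping; see the fence. Two smaller points: `processQueryResults` appends one `Index: -1` isolation entry per K8s rule of the matching direction, so a KNP with several ingress rules yields several equal isolation candidates differing only in `Rule.Name` — presumably one per policy is intended, worth confirming against how the caller uses the name; and `effectiveTierPriorityK8sNP` is recomputed on every comparison inside `tierPriority` and can be hoisted above the closure.
```go
func predictEndpointsRules(srcEndpoints, dstEndpoints *EndpointNetworkPolicyRules) *RuleInfo {
	// … unchanged: commonRules collection, comparator closures, sort.Sort call …
	// A Pass rule at the top of the order defers to the next K8s or Baseline rule;
	// when no such rule follows, the first Pass rule itself is the effective one.
	var passRule *RuleInfo
	for _, rule := range commonRules {
		if rule.Rule.Action != nil && *rule.Rule.Action == crdv1beta1.RuleActionPass {
			if passRule == nil {
				passRule = rule
			}
			continue
		}
		if passRule == nil || rule.Policy.SourceRef.Type == controlplane.K8sNetworkPolicy ||
			(rule.Policy.TierPriority != nil && *rule.Policy.TierPriority == BaselineTierPriority) {
			return rule
		}
	}
	return passRule
}
```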
@@ -47,11 +49,11 @@ func TestLargeScaleEndpointQueryManyPolicies(t *testing.T) { }, } uid := rand.String(8) - networkPolicies = []runtime.Object{newNetworkPolicy(namespace, "np-1"+uid, map[string]string{"app-1": "scale-1"}, map[string]string{"app-1": "scale-1"}, nil, nil, nil)} - pods = []runtime.Object{newPod(namespace, "pod1"+uid, map[string]string{"app-1": "scale-1"})} + networkPolicies = []runtime.Object{networkpolicy.NewNetworkPolicy(namespace, "np-1"+uid, map[string]string{"app-1": "scale-1"}, map[string]string{"app-1": "scale-1"}, nil, nil, nil)} + pods = []runtime.Object{networkpolicy.NewPod(namespace, "pod1"+uid, map[string]string{"app-1": "scale-1"})} return namespaces, networkPolicies, pods } - namespaces, networkPolicies, pods := getXObjects(10000, getObjects) + namespaces, networkPolicies, pods := networkpolicy.GetXObjects(10000, getObjects) testQueryEndpoint(t, 25*time.Second, namespaces[0:1], networkPolicies, pods, 10000) } @@ -62,11 +64,11 @@ func testQueryEndpoint(t *testing.T, maxExecutionTime time.Duration, namespaces var maxAlloc uint64 wg.Add(1) go func() { - statMaxMemAlloc(&maxAlloc, 500*time.Millisecond, stopCh) + networkpolicy.StatMaxMemAlloc(&maxAlloc, 500*time.Millisecond, stopCh) wg.Done() }() // create controller - objs := toRunTimeObjects(namespaces) + objs := networkpolicy.ToRunTimeObjects(namespaces) objs = append(objs, networkPolicies...) objs = append(objs, pods...) querier := makeControllerAndEndpointQuerier(objs...) diff --git a/pkg/controller/networkpolicy/endpoint_querier_test.go b/pkg/controller/networkpolicy/endpoint_querier_test.go index d6937892bbf..77ce341fd5d 100644 --- a/pkg/controller/networkpolicy/endpoint_querier_test.go +++ b/pkg/controller/networkpolicy/endpoint_querier_test.go 
@@ -12,22 +12,27 @@ // See the License for the specific language governing permissions and // limitations under the License. -package networkpolicy +package networkpolicy_test import ( + "fmt" "testing" "time" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "go.uber.org/mock/gomock" corev1 "k8s.io/api/core/v1" networkingv1 "k8s.io/api/networking/v1" + "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" "antrea.io/antrea/pkg/apis/controlplane" - "antrea.io/antrea/pkg/apis/controlplane/v1beta2" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" + "antrea.io/antrea/pkg/controller/networkpolicy" + queriermock "antrea.io/antrea/pkg/controller/networkpolicy/testing" antreatypes "antrea.io/antrea/pkg/controller/types" ) 
@@ -182,18 +187,18 @@ var namespaces = []*corev1.Namespace{ }, } -func makeControllerAndEndpointQuerier(objects ...runtime.Object) *endpointQuerier { +func makeControllerAndEndpointQuerier(objects ...runtime.Object) *networkpolicy.EndpointQuerierImpl { // create controller - _, c := newController(objects, nil) - c.heartbeatCh = make(chan heartbeat, 1000) + _, c := networkpolicy.NewController(objects, nil) + c.HeartbeatCh = make(chan networkpolicy.Heartbeat, 1000) stopCh := make(chan struct{}) // create querier with stores inside controller - querier := NewEndpointQuerier(c.NetworkPolicyController) + querier := networkpolicy.NewEndpointQuerier(c.NetworkPolicyController) // start informers and run controller - c.informerFactory.Start(stopCh) - c.crdInformerFactory.Start(stopCh) - go c.groupingController.Run(stopCh) - go c.groupingInterface.Run(stopCh) + c.InformerFactory.Start(stopCh) + c.CrdInformerFactory.Start(stopCh) + go c.GroupingController.Run(stopCh) + go c.GroupingInterface.Run(stopCh) go c.Run(stopCh) // wait until computation is done, we assume it is done when no signal has been received on heartbeat channel for 3s. idleTimeout := 3 * time.Second @@ -202,7 +207,7 @@ func makeControllerAndEndpointQuerier(objects ...runtime.Object) *endpointQuerie for { timer.Reset(idleTimeout) select { - case <-c.heartbeatCh: + case <-c.HeartbeatCh: continue case <-timer.C: close(stopCh) @@ -226,7 +231,7 @@ func TestQueryNetworkPolicyRules(t *testing.T) { objs []runtime.Object podNamespace string podName string - expectedResponse *EndpointNetworkPolicyRules + expectedResponse *networkpolicy.EndpointNetworkPolicyRules }{ { "No matching pod", 
@@ -240,24 +245,24 @@ func TestQueryNetworkPolicyRules(t *testing.T) { []runtime.Object{namespaces[0], pods[0]}, ns, podA, - &EndpointNetworkPolicyRules{Namespace: ns, Name: podA}, + &networkpolicy.EndpointNetworkPolicyRules{Namespace: ns, Name: podA}, }, { name: "Single KNP applied with ingress and egress rules", objs: []runtime.Object{namespaces[0], pods[0], policies[0]}, podNamespace: ns, podName: podA, - expectedResponse: &EndpointNetworkPolicyRules{ + expectedResponse: &networkpolicy.EndpointNetworkPolicyRules{ Namespace: ns, Name: podA, AppliedPolicies: []*antreatypes.NetworkPolicy{ {SourceRef: &policyRef}, }, - IngressRules: []*RuleInfo{ - {&antreatypes.NetworkPolicy{SourceRef: &policyRef}, 0, v1beta2.DirectionIn}, + IngressRules: []*networkpolicy.RuleInfo{ + {&antreatypes.NetworkPolicy{SourceRef: &policyRef}, 0, &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionIn}}, }, - EgressRules: []*RuleInfo{ - {&antreatypes.NetworkPolicy{SourceRef: &policyRef}, 0, v1beta2.DirectionOut}, + EgressRules: []*networkpolicy.RuleInfo{ + {&antreatypes.NetworkPolicy{SourceRef: &policyRef}, 0, &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionOut}}, }, }, }, 
@@ -266,18 +271,18 @@ func TestQueryNetworkPolicyRules(t *testing.T) { objs: []runtime.Object{namespaces[0], pods[0], policies[0], policies[1]}, podNamespace: ns, podName: podA, - expectedResponse: &EndpointNetworkPolicyRules{ + expectedResponse: &networkpolicy.EndpointNetworkPolicyRules{ Namespace: ns, Name: podA, AppliedPolicies: []*antreatypes.NetworkPolicy{ {SourceRef: &policyRef}, {SourceRef: &policyRef1}, }, - IngressRules: []*RuleInfo{ - {&antreatypes.NetworkPolicy{SourceRef: &policyRef}, 0, v1beta2.DirectionIn}, + IngressRules: []*networkpolicy.RuleInfo{ + {&antreatypes.NetworkPolicy{SourceRef: &policyRef}, 0, &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionIn}}, }, - EgressRules: []*RuleInfo{ - {&antreatypes.NetworkPolicy{SourceRef: &policyRef}, 0, v1beta2.DirectionOut}, + EgressRules: []*networkpolicy.RuleInfo{ + {&antreatypes.NetworkPolicy{SourceRef: &policyRef}, 0, &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionOut}}, }, }, }, 
@@ -286,23 +291,23 @@ func TestQueryNetworkPolicyRules(t *testing.T) { objs: []runtime.Object{namespaces[0], pods[0], policies[2]}, podNamespace: ns, podName: podA, - expectedResponse: &EndpointNetworkPolicyRules{ + expectedResponse: &networkpolicy.EndpointNetworkPolicyRules{ Namespace: ns, Name: podA, AppliedPolicies: []*antreatypes.NetworkPolicy{ {SourceRef: &policyRef2}, }, - IngressRules: []*RuleInfo{ - {&antreatypes.NetworkPolicy{SourceRef: &policyRef2}, 1, v1beta2.DirectionIn}, + IngressRules: []*networkpolicy.RuleInfo{ + {&antreatypes.NetworkPolicy{SourceRef: &policyRef2}, 1, &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionIn}}, }, }, }, } - evaluateResponse := func(expectedRules, responseRules []*RuleInfo) { + evaluateResponse := func(expectedRules, responseRules []*networkpolicy.RuleInfo) { assert.Equal(t, len(expectedRules), len(responseRules)) for idx := range expectedRules { - assert.EqualValues(t, expectedRules[idx].Direction, responseRules[idx].Direction) + assert.EqualValues(t, expectedRules[idx].Rule.Direction, responseRules[idx].Rule.Direction) assert.Equal(t, expectedRules[idx].Index, responseRules[idx].Index) assert.Equal(t, expectedRules[idx].Policy.SourceRef, responseRules[idx].Policy.SourceRef) } 
@@ -334,3 +339,238 @@ func TestQueryNetworkPolicyRules(t *testing.T) { }) } } + +type AccessTestCase struct { + name string + request *controlplane.NetworkPolicyAccessRequest + mockQueryResponse []mockResponse + expectedResult *controlplane.NetworkPolicyAccessResponse + expectedErr string +} + +type mockResponse struct { + response *networkpolicy.EndpointNetworkPolicyRules + error error +} + +func TestQueryNetworkPolicyAccessReview(t *testing.T) { + mockCtrl := gomock.NewController(t) + namespace, pod1, pod2 := "ns", "pod1", "pod2" + accessRequest := &controlplane.NetworkPolicyAccessRequest{ + Source: controlplane.Entity{Pod: &controlplane.PodReference{Namespace: namespace, Name: pod1}}, + Destination: controlplane.Entity{Pod: &controlplane.PodReference{Namespace: namespace, Name: pod2}}, + } + argsMock := []string{namespace, pod1, namespace, pod2} + uid1, uid2 := types.UID(fmt.Sprint(111)), types.UID(fmt.Sprint(222)) + priority1, priority2, defaultPriority, tierEmergency := float64(10), float64(15), float64(-1), int32(50) + passAction, allowAction := crdv1beta1.RuleActionPass, crdv1beta1.RuleActionAllow + + // functions used to generate mock responses + generatePolicies := func(policyUID types.UID, policyType controlplane.NetworkPolicyType, direction controlplane.Direction, tierPriority *int32, policyPriority *float64, numRules int, action *crdv1beta1.RuleAction) []*antreatypes.NetworkPolicy { + rules := make([]controlplane.NetworkPolicyRule, numRules) + for i := 0; i < numRules; i++ { + rules[i] = controlplane.NetworkPolicyRule{ + Direction: direction, + Name: fmt.Sprintf("Policy%sRule%d", policyUID, i), + Priority: int32(i), + } + if action != nil { + rules[i].Action = action + } + } + return []*antreatypes.NetworkPolicy{{ + UID: policyUID, + Name: fmt.Sprintf("Policy%s", policyUID), + SourceRef: &controlplane.NetworkPolicyReference{Type: policyType, Namespace: namespace, Name: fmt.Sprintf("Policy%s", policyUID), UID: policyUID}, + Rules: rules, + TierPriority: 
tierPriority, + Priority: policyPriority, + }} + } + generateRuleInfo := func(policy *antreatypes.NetworkPolicy) []*networkpolicy.RuleInfo { + ruleInfoMatches := make([]*networkpolicy.RuleInfo, len(policy.Rules)) + for i := 0; i < len(policy.Rules); i++ { + ruleInfoMatches[i] = &networkpolicy.RuleInfo{ + Policy: policy, + Index: i, + Rule: &controlplane.NetworkPolicyRule{Direction: policy.Rules[i].Direction, Name: policy.Rules[i].Name, Action: policy.Rules[i].Action}, + } + } + return ruleInfoMatches + } + generateResponse := func(podID int, appliedPolicies []*antreatypes.NetworkPolicy, matchedRules []*networkpolicy.RuleInfo) *networkpolicy.EndpointNetworkPolicyRules { + endpointRule := &networkpolicy.EndpointNetworkPolicyRules{ + Namespace: namespace, + Name: fmt.Sprintf("pod%d", podID), + AppliedPolicies: appliedPolicies, + } + if podID == 1 { + endpointRule.IngressRules = matchedRules + } else if podID == 2 { + endpointRule.EgressRules = matchedRules + } + return endpointRule + } + + expectedResponse111 := controlplane.NetworkPolicyAccessResponse{ + NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.AntreaNetworkPolicy, Namespace: namespace, Name: "Policy111", UID: uid1}, + RuleIndex: 0, + Rule: controlplane.RuleRef{Direction: controlplane.DirectionOut, Name: "Policy111Rule0", Action: &allowAction}, + } + expectedResponse222 := controlplane.NetworkPolicyAccessResponse{ + NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.AntreaNetworkPolicy, Namespace: namespace, Name: "Policy222", UID: uid2}, + RuleIndex: 0, + Rule: controlplane.RuleRef{Direction: controlplane.DirectionIn, Name: "Policy222Rule0", Action: &allowAction}, + } + + testCases := []AccessTestCase{ + { + name: "Pass rule fallthrough", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.BaselineTierPriority, nil, 1, 
&allowAction), + generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &tierEmergency, nil, 1, &passAction)[0]))}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &tierEmergency, nil, 1, &passAction), + generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.BaselineTierPriority, nil, 1, &allowAction)[0]))}, + }, + expectedResult: &expectedResponse111, + }, + { + name: "Different Tier priorities", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, nil, 1, &allowAction), + generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &tierEmergency, nil, 1, &allowAction)[0]))}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &tierEmergency, nil, 1, &allowAction), + generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, nil, 1, &allowAction)[0]))}, + }, + expectedResult: &expectedResponse222, + }, + { + name: "Different policy priorities", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, &priority1, 1, &allowAction), + generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority2, 1, &allowAction)[0]))}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority2, 1, &allowAction), + 
generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, &priority1, 1, &allowAction)[0]))}, + }, + expectedResult: &expectedResponse111, + }, + { + name: "Different rule priorities", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, nil, generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority1, 2, &allowAction)[0]))}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority1, 2, &allowAction), nil)}, + }, + expectedResult: &expectedResponse222, + }, + { + name: "Different policy names", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, &priority1, 1, &allowAction), + generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority1, 1, &allowAction)[0]))}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority1, 1, &allowAction), + generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, &priority1, 1, &allowAction)[0]))}, + }, + expectedResult: &expectedResponse111, + }, + { + name: "KNP and baseline ANP", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.BaselineTierPriority, nil, 1, &allowAction), + generateRuleInfo(generatePolicies(uid2, controlplane.K8sNetworkPolicy, 
controlplane.DirectionIn, nil, &defaultPriority, 1, nil)[0]))}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, nil), + generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.BaselineTierPriority, nil, 1, &allowAction)[0]))}, + }, + expectedResult: &controlplane.NetworkPolicyAccessResponse{ + NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy222", UID: uid2}, + RuleIndex: 0, + Rule: controlplane.RuleRef{Direction: controlplane.DirectionIn, Name: "Policy222Rule0"}, + }, + }, + { + name: "KNP and default isolation", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.K8sNetworkPolicy, controlplane.DirectionOut, nil, &defaultPriority, 1, nil), nil)}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, nil), + generateRuleInfo(generatePolicies(uid1, controlplane.K8sNetworkPolicy, controlplane.DirectionOut, nil, &defaultPriority, 1, nil)[0]))}, + }, + expectedResult: &controlplane.NetworkPolicyAccessResponse{ + NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy111", UID: uid1}, + RuleIndex: 0, + Rule: controlplane.RuleRef{Direction: controlplane.DirectionOut, Name: "Policy111Rule0"}, + }, + }, + { + name: "KNP egress default isolation", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.K8sNetworkPolicy, controlplane.DirectionOut, nil, &defaultPriority, 1, nil), nil)}, + {response: generateResponse(2, nil, nil)}, + }, + expectedResult: &controlplane.NetworkPolicyAccessResponse{ + NetworkPolicy: 
controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy111", UID: uid1}, + RuleIndex: -1, + Rule: controlplane.RuleRef{Direction: controlplane.DirectionOut, Name: "Policy111Rule0"}, + }, + }, + { + name: "KNP ingress default isolation", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, nil, nil)}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, nil), nil)}, + }, + expectedResult: &controlplane.NetworkPolicyAccessResponse{ + NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy222", UID: uid2}, + RuleIndex: -1, + Rule: controlplane.RuleRef{Direction: controlplane.DirectionIn, Name: "Policy222Rule0"}, + }, + }, + { + name: "No common rule found", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, nil, 1, &allowAction), nil)}, + {response: generateResponse(2, nil, nil)}, + }, + }, + { + name: "Querier error", + request: accessRequest, + mockQueryResponse: []mockResponse{{}, {error: errors.NewInternalError(fmt.Errorf("querier error"))}}, + expectedErr: "querier error", + }, + { + name: "Request error", + request: &controlplane.NetworkPolicyAccessRequest{Destination: controlplane.Entity{Pod: &controlplane.PodReference{Namespace: namespace}}}, + expectedErr: "invalid NetworkPolicyAccessReview request entities", + }, + } + + for _, tc := range testCases { + tc := tc + t.Run(tc.name, func(t *testing.T) { + t.Parallel() + mockQuerier := queriermock.NewMockEndpointQuerier(mockCtrl) + if tc.mockQueryResponse != nil { + mockQuerier.EXPECT().QueryNetworkPolicyRules(argsMock[0], argsMock[1]).Return(tc.mockQueryResponse[0].response, tc.mockQueryResponse[0].error) 
+ mockQuerier.EXPECT().QueryNetworkPolicyRules(argsMock[2], argsMock[3]).Return(tc.mockQueryResponse[1].response, tc.mockQueryResponse[1].error) + } + policyRuleQuerier := networkpolicy.NewPolicyRuleQuerier(mockQuerier) + response, err := policyRuleQuerier.QueryNetworkPolicyAccessReview(tc.request) + if tc.expectedErr == "" { + assert.Nil(t, err) + assert.Equal(t, tc.expectedResult, response) + } else { + assert.ErrorContains(t, err, tc.expectedErr) + } + + }) + } +} diff --git a/pkg/controller/networkpolicy/group.go b/pkg/controller/networkpolicy/group.go index ab2486330a6..33c88ea0938 100644 --- a/pkg/controller/networkpolicy/group.go +++ b/pkg/controller/networkpolicy/group.go @@ -169,9 +169,9 @@ func (n *NetworkPolicyController) syncInternalNamespacedGroup(grp *antreatypes.G key := internalGroupKeyFunc(g) selectorUpdated := n.processServiceReference(grp) if grp.Selector != nil { - n.groupingInterface.AddGroup(internalGroupType, key, grp.Selector) + n.GroupingInterface.AddGroup(internalGroupType, key, grp.Selector) } else { - n.groupingInterface.DeleteGroup(internalGroupType, key) + n.GroupingInterface.DeleteGroup(internalGroupType, key) } membersComputed, membersComputedStatus := true, v1.ConditionFalse diff --git a/pkg/controller/networkpolicy/group_test.go b/pkg/controller/networkpolicy/group_test.go index 153266c48a0..fdc3b9d75b5 100644 --- a/pkg/controller/networkpolicy/group_test.go +++ b/pkg/controller/networkpolicy/group_test.go @@ -170,7 +170,7 @@ func TestProcessGroup(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(nil, nil) + _, c := NewController(nil, nil) actualGroup := c.processGroup(tt.inputGroup) assert.Equal(t, tt.expectedGroup, actualGroup) }) 
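Review bot: `mockCtrl` is created once from the parent `t` at the top of `TestQueryNetworkPolicyAccessReview` but is used by subtests that call `t.Parallel()`, so an unexpected or missing call would be reported through the parent's `TestReporter` from a subtest goroutine after the parent's function body has returned; creating the controller inside the `t.Run` closure with `mockCtrl := gomock.NewController(t)` ties each failure to the subtest that caused it (the `tc := tc` copy is also unnecessary if the module targets Go 1.22 or later). Two naming points: the `mockResponse.error` field shadows the predeclared `error` type identifier and reads confusingly at `tc.mockQueryResponse[1].error`, where `err` is the conventional name; and `AccessTestCase` is exported from a `_test` package that nothing can import, so `accessTestCase` matches the file's other lowercase helper types.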
@@ -276,7 +276,7 @@ func TestAddGroup(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addGroup(tt.inputGroup) key := fmt.Sprintf("%s/%s", tt.inputGroup.Namespace, tt.inputGroup.Name) actualGroupObj, _, _ := npc.internalGroupStore.Get(key) @@ -431,7 +431,7 @@ func TestUpdateGroup(t *testing.T) { }, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addGroup(&testG) key := fmt.Sprintf("%s/%s", testG.Namespace, testG.Name) for _, tt := range tests { @@ -453,7 +453,7 @@ func TestDeleteG(t *testing.T) { }, } key := fmt.Sprintf("%s/%s", testG.Namespace, testG.Name) - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addGroup(&testG) npc.deleteGroup(&testG) _, found, _ := npc.internalGroupStore.Get(key) @@ -570,18 +570,18 @@ func TestGetGroupMembers(t *testing.T) { controlplane.GroupMemberSet{}, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) for i := range testPods { - npc.groupingInterface.AddPod(testPods[i]) + npc.GroupingInterface.AddPod(testPods[i]) } for j := range externalEntities { - npc.groupingInterface.AddExternalEntity(externalEntities[j]) + npc.GroupingInterface.AddExternalEntity(externalEntities[j]) } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { npc.internalGroupStore.Create(&tt.group) groupName := k8s.NamespacedName(tt.group.SourceReference.Namespace, tt.group.SourceReference.Name) - npc.groupingInterface.AddGroup(internalGroupType, groupName, tt.group.Selector) + npc.GroupingInterface.AddGroup(internalGroupType, groupName, tt.group.Selector) members, _, err := npc.GetGroupMembers(groupName) assert.Equal(t, nil, err) assert.Equal(t, tt.expectedMembers, members) diff --git a/pkg/controller/networkpolicy/mutate_test.go b/pkg/controller/networkpolicy/mutate_test.go index 4d0dc25e25c..db2b555e346 100644 --- a/pkg/controller/networkpolicy/mutate_test.go 
+++ b/pkg/controller/networkpolicy/mutate_test.go
@@ -184,7 +184,7 @@ func TestMutateAntreaClusterNetworkPolicy(t *testing.T) {
 
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- _, controller := newController(nil, nil)
+ _, controller := NewController(nil, nil)
 mutator := NewNetworkPolicyMutator(controller.NetworkPolicyController)
 _, _, patch := mutator.mutateAntreaPolicy(tt.operation, tt.policy.Spec.Ingress, tt.policy.Spec.Egress, tt.policy.Spec.Tier)
 marshalExpPatch, _ := json.Marshal(tt.expectPatch)
@@ -353,7 +353,7 @@ func TestMutateAntreaNetworkPolicy(t *testing.T) {
 
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- _, controller := newController(nil, nil)
+ _, controller := NewController(nil, nil)
 mutator := NewNetworkPolicyMutator(controller.NetworkPolicyController)
 _, _, patch := mutator.mutateAntreaPolicy(tt.operation, tt.policy.Spec.Ingress, tt.policy.Spec.Egress, tt.policy.Spec.Tier)
 marshalExpPatch, _ := json.Marshal(tt.expectPatch)
diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go
index 3e83e2017f4..ae6d7faad67 100644
--- a/pkg/controller/networkpolicy/networkpolicy_controller.go
+++ b/pkg/controller/networkpolicy/networkpolicy_controller.go
@@ -253,7 +253,7 @@ type NetworkPolicyController struct {
 // The typical subscribers of AppliedToGroup are NetworkPolicies.
 appliedToGroupNotifier *notifier
 
- groupingInterface grouping.Interface
+ GroupingInterface grouping.Interface
 // Added as a member to the struct to allow injection for testing.
 groupingInterfaceSynced func() bool
 
@@ -261,12 +261,12 @@ type NetworkPolicyController struct {
 // Enable Stretched Networkpolicy feature which allows Antrea-native policies to select peer
 // from other clusters in a ClusterSet.
 stretchNPEnabled bool
-// heartbeatCh is an internal channel for testing. It's used to know whether all tasks have been
+// HeartbeatCh is an internal channel for testing. It's used to know whether all tasks have been
 // processed, and to count executions of each function.
-heartbeatCh chan heartbeat
+HeartbeatCh chan Heartbeat
 }
 
-type heartbeat struct {
+type Heartbeat struct {
 name string
 timestamp time.Time
 }
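Review bot: `Heartbeat` is exported but its `name` and `timestamp` fields stay unexported, so a consumer outside this package can receive from `HeartbeatCh` but cannot read what it received, which defeats the purpose of exporting the type. The doc comment was only re-cased and still describes `HeartbeatCh` as "an internal channel for testing"; once exported it is part of the controller's public surface, and the comment should say what a non-test caller may do with it, or the field should stay unexported. Either export the fields (`Name`, `Timestamp`) with their own doc comments, or keep both unexported and give tests a setter instead. The struct is cut at the top of the hunk.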
@@ -432,15 +432,15 @@ func NewNetworkPolicyController(kubeClient clientset.Interface,
 addressGroupQueue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "addressGroup"),
 internalNetworkPolicyQueue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "internalNetworkPolicy"),
 internalGroupQueue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "internalGroup"),
-groupingInterface: groupingInterface,
+GroupingInterface: groupingInterface,
 groupingInterfaceSynced: groupingInterface.HasSynced,
 labelIdentityInterface: labelIdentityInterface,
 stretchNPEnabled: stretchedNPEnabled,
 appliedToGroupNotifier: newNotifier(),
 }
-n.groupingInterface.AddEventHandler(appliedToGroupType, n.enqueueAppliedToGroup)
-n.groupingInterface.AddEventHandler(addressGroupType, n.enqueueAddressGroup)
-n.groupingInterface.AddEventHandler(internalGroupType, n.enqueueInternalGroup)
+n.GroupingInterface.AddEventHandler(appliedToGroupType, n.enqueueAppliedToGroup)
+n.GroupingInterface.AddEventHandler(addressGroupType, n.enqueueAddressGroup)
+n.GroupingInterface.AddEventHandler(internalGroupType, n.enqueueInternalGroup)
 n.labelIdentityInterface.AddEventHandler(n.triggerPolicyResyncForLabelIdentityUpdates)
 // Add handlers for NetworkPolicy events.
 n.namespaceInformer = namespaceInformer
@@ -563,8 +563,8 @@ func NewNetworkPolicyController(kubeClient clientset.Interface,
 }
 
 func (n *NetworkPolicyController) heartbeat(name string) {
-if n.heartbeatCh != nil {
-n.heartbeatCh <- heartbeat{
+if n.HeartbeatCh != nil {
+n.HeartbeatCh <- Heartbeat{
 name: name,
 timestamp: time.Now(),
 }
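Review bot: `heartbeat` performs an unconditional blocking send on `n.HeartbeatCh` in the second hunk, guarded only by a nil check; now that the field is exported, any package holding a `*NetworkPolicyController` can install an unbuffered or undrained channel and stall whichever controller path calls `heartbeat`. The existing tests size the buffer themselves (`make(chan Heartbeat, 1000)` in the perf test and `make(chan Heartbeat, 2)` in the unit test), so the requirement is real but undocumented. At minimum state the contract on the field, e.g. `// HeartbeatCh, when non-nil, must be buffered and drained by its reader: heartbeat() blocks on the send.`; if the channel is meant for tests only, keeping it unexported is the safer option. `heartbeat`'s body ends outside the hunk.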
@@ -1168,7 +1168,7 @@ func (n *NetworkPolicyController) getInternalGroupMembers(group *antreatypes.Gro // groupType and group name. func (n *NetworkPolicyController) getMemberSetForGroupType(groupType grouping.GroupType, name string) controlplane.GroupMemberSet { groupMemberSet := controlplane.GroupMemberSet{} - pods, externalEntities := n.groupingInterface.GetEntities(groupType, name) + pods, externalEntities := n.GroupingInterface.GetEntities(groupType, name) for _, pod := range pods { // HostNetwork Pods should be excluded from group members // https://github.com/antrea-io/antrea/issues/3078 @@ -1385,7 +1385,7 @@ func (n *NetworkPolicyController) getAppliedToWorkloads(g *antreatypes.AppliedTo nodes, err := n.nodeLister.List(g.Selector.NodeSelector) return nil, nil, nodes, err } - pods, ees := n.groupingInterface.GetEntities(appliedToGroupType, g.Name) + pods, ees := n.GroupingInterface.GetEntities(appliedToGroupType, g.Name) return pods, ees, nil, nil } @@ -1414,7 +1414,7 @@ func (n *NetworkPolicyController) getInternalGroupWorkloads(group *antreatypes.G } if len(group.ChildGroups) == 0 { - pods, ees := n.groupingInterface.GetEntities(internalGroupType, group.SourceReference.ToGroupName()) + pods, ees := n.GroupingInterface.GetEntities(internalGroupType, group.SourceReference.ToGroupName()) if !validateNamespace(pods, ees) { return nil, nil, &ErrNetworkPolicyAppliedToUnsupportedGroup{groupName: group.SourceReference.Name, namespace: group.SourceReference.Namespace} } 
@@ -1426,7 +1426,7 @@ func (n *NetworkPolicyController) getInternalGroupWorkloads(group *antreatypes.G for _, childName := range group.ChildGroups { // childNameString will either be name of the child ClusterGroup or Namespaced name of the child Group. childNameString := k8s.NamespacedName(group.SourceReference.Namespace, childName) - childPods, childEEs := n.groupingInterface.GetEntities(internalGroupType, childNameString) + childPods, childEEs := n.GroupingInterface.GetEntities(internalGroupType, childNameString) if !validateNamespace(childPods, childEEs) { return nil, nil, &ErrNetworkPolicyAppliedToUnsupportedGroup{groupName: group.SourceReference.Name, namespace: group.SourceReference.Namespace} } @@ -1580,7 +1580,7 @@ func (n *NetworkPolicyController) syncInternalNetworkPolicy(key *controlplane.Ne klog.V(2).InfoS("Creating new AppliedToGroup", "name", name, "uid", appliedToGroup.UID, "selector", appliedToGroup.Selector, "service", appliedToGroup.Service) n.appliedToGroupStore.Create(appliedToGroup) if appliedToGroup.Selector != nil { - n.groupingInterface.AddGroup(appliedToGroupType, appliedToGroup.Name, appliedToGroup.Selector) + n.GroupingInterface.AddGroup(appliedToGroupType, appliedToGroup.Name, appliedToGroup.Selector) } appliedToGroupsToSync.Insert(name) } @@ -1596,7 +1596,7 @@ func (n *NetworkPolicyController) syncInternalNetworkPolicy(key *controlplane.Ne // For an AddressGroup that selects Nodes via nodeSelector, we calculate its members via NodeLister // directly, instead of groupingInterface which handles Pod and ExternalEntity currently. if addressGroup.Selector.NodeSelector == nil { - n.groupingInterface.AddGroup(addressGroupType, addressGroup.Name, &addressGroup.Selector) + n.GroupingInterface.AddGroup(addressGroupType, addressGroup.Name, &addressGroup.Selector) } } 
@@ -1674,14 +1674,14 @@ func (n *NetworkPolicyController) cleanupOrphanGroups(internalNetworkPolicy *ant
 objs, _ := n.internalNetworkPolicyStore.GetByIndex(store.AppliedToGroupIndex, atgName)
 if len(objs) == 0 {
 n.appliedToGroupStore.Delete(atgName)
-n.groupingInterface.DeleteGroup(appliedToGroupType, atgName)
+n.GroupingInterface.DeleteGroup(appliedToGroupType, atgName)
 }
 }
 for agName := range internalNetworkPolicy.GetAddressGroups() {
 objs, _ := n.internalNetworkPolicyStore.GetByIndex(store.AddressGroupIndex, agName)
 if len(objs) == 0 {
 n.addressGroupStore.Delete(agName)
-n.groupingInterface.DeleteGroup(addressGroupType, agName)
+n.GroupingInterface.DeleteGroup(addressGroupType, agName)
 }
 }
 }
diff --git a/pkg/controller/networkpolicy/networkpolicy_controller_perf_test.go b/pkg/controller/networkpolicy/networkpolicy_controller_perf_test.go
index fcc091a6e52..82c99b08ba0 100644
--- a/pkg/controller/networkpolicy/networkpolicy_controller_perf_test.go
+++ b/pkg/controller/networkpolicy/networkpolicy_controller_perf_test.go
@@ -64,19 +64,19 @@ func getXLargeScaleWithSmallNamespaces() (namespaces []*corev1.Namespace, networ namespace := rand.String(8) namespaces = []*corev1.Namespace{newNamespace(namespace, map[string]string{"app": namespace})} networkPolicies = []runtime.Object{ - newNetworkPolicy(namespace, "default-deny-all", nil, nil, nil, nil, nil), - newNetworkPolicy(namespace, "np-1", map[string]string{"app-1": "scale-1"}, map[string]string{"app-1": "scale-1"}, nil, nil, nil), - newNetworkPolicy(namespace, "np-2", map[string]string{"app-2": "scale-2"}, map[string]string{"app-2": "scale-2"}, nil, nil, nil), + NewNetworkPolicy(namespace, "default-deny-all", nil, nil, nil, nil, nil), + NewNetworkPolicy(namespace, "np-1", map[string]string{"app-1": "scale-1"}, map[string]string{"app-1": "scale-1"}, nil, nil, nil), + NewNetworkPolicy(namespace, "np-2", map[string]string{"app-2": "scale-2"}, map[string]string{"app-2": "scale-2"}, nil, nil, nil), } pods = []runtime.Object{ - newPod(namespace, "pod1", map[string]string{"app-1": "scale-1"}), - newPod(namespace, "pod2", map[string]string{"app-1": "scale-1"}), - newPod(namespace, "pod3", map[string]string{"app-2": "scale-2"}), - newPod(namespace, "pod4", map[string]string{"app-2": "scale-2"}), + NewPod(namespace, "pod1", map[string]string{"app-1": "scale-1"}), + NewPod(namespace, "pod2", map[string]string{"app-1": "scale-1"}), + NewPod(namespace, "pod3", map[string]string{"app-2": "scale-2"}), + NewPod(namespace, "pod4", map[string]string{"app-2": "scale-2"}), } return namespaces, networkPolicies, pods } - namespaces, networkPolicies, pods = getXObjects(25000, getObjects) + namespaces, networkPolicies, pods = GetXObjects(25000, getObjects) return namespaces, networkPolicies, pods } 
@@ -92,18 +92,18 @@ func getXLargeScaleWithLargeNamespaces() (namespaces []*corev1.Namespace, networ newNamespace(namespace, map[string]string{"app": namespace}), } networkPolicies = []runtime.Object{ - newNetworkPolicy(namespace, "default-deny-all", nil, nil, nil, nil, nil), + NewNetworkPolicy(namespace, "default-deny-all", nil, nil, nil, nil, nil), } for i := 0; i < 100; i++ { labels := map[string]string{fmt.Sprintf("app-%d", i): fmt.Sprintf("scale-%d", i)} - networkPolicies = append(networkPolicies, newNetworkPolicy(namespace, fmt.Sprintf("np-%d", i), labels, labels, nil, nil, nil)) + networkPolicies = append(networkPolicies, NewNetworkPolicy(namespace, fmt.Sprintf("np-%d", i), labels, labels, nil, nil, nil)) for j := 0; j < 10; j++ { - pods = append(pods, newPod(namespace, fmt.Sprintf("pod-%d-%d", i, j), labels)) + pods = append(pods, NewPod(namespace, fmt.Sprintf("pod-%d-%d", i, j), labels)) } } return namespaces, networkPolicies, pods } - namespaces, networkPolicies, pods = getXObjects(100, getObjects) + namespaces, networkPolicies, pods = GetXObjects(100, getObjects) return namespaces, networkPolicies, pods } 
@@ -125,11 +125,11 @@ func getXLargeScaleWithOneNamespace() (namespaces []*corev1.Namespace, networkPo namespace := rand.String(8) getObjects := func() (namespaces []*corev1.Namespace, networkPolicies []runtime.Object, pods []runtime.Object) { namespaces = []*corev1.Namespace{newNamespace(namespace, map[string]string{"app": namespace})} - networkPolicies = []runtime.Object{newNetworkPolicy(namespace, "", map[string]string{"app-1": "scale-1"}, map[string]string{"app-1": "scale-1"}, nil, nil, nil)} - pods = []runtime.Object{newPod(namespace, "", map[string]string{"app-1": "scale-1"})} + networkPolicies = []runtime.Object{NewNetworkPolicy(namespace, "", map[string]string{"app-1": "scale-1"}, map[string]string{"app-1": "scale-1"}, nil, nil, nil)} + pods = []runtime.Object{NewPod(namespace, "", map[string]string{"app-1": "scale-1"})} return namespaces, networkPolicies, pods } - namespaces, networkPolicies, pods = getXObjects(10000, getObjects) + namespaces, networkPolicies, pods = GetXObjects(10000, getObjects) return namespaces[0:1], networkPolicies, pods } @@ -149,16 +149,16 @@ func getXLargeScaleWithNetpolPerPod() (namespaces []*corev1.Namespace, networkPo app2 := rand.String(8) labels2 := map[string]string{"app": fmt.Sprintf("scale-%v", app2)} networkPolicies = []runtime.Object{ - newNetworkPolicy(namespace, "", labels1, labels2, nil, nil, nil), - newNetworkPolicy(namespace, "", labels2, labels1, nil, nil, nil), + NewNetworkPolicy(namespace, "", labels1, labels2, nil, nil, nil), + NewNetworkPolicy(namespace, "", labels2, labels1, nil, nil, nil), } pods = []runtime.Object{ - newPod(namespace, "", labels1), - newPod(namespace, "", labels2), + NewPod(namespace, "", labels1), + NewPod(namespace, "", labels2), } return namespaces, networkPolicies, pods } - namespaces, networkPolicies, pods = getXObjects(5000, getObjects) + namespaces, networkPolicies, pods = GetXObjects(5000, getObjects) return namespaces[0:1], networkPolicies, pods } 
@@ -185,7 +185,7 @@ func getXLargeScaleWithANNPPerExternalEntity() (namespaces []*corev1.Namespace, } return namespaces, annps, externalEntities } - namespaces, annps, externalEntities = getXObjects(5000, getObjects) + namespaces, annps, externalEntities = GetXObjects(5000, getObjects) return namespaces[0:1], annps, externalEntities } @@ -208,14 +208,14 @@ func getXLargeScaleWithClusterScopedNetpol() (namespaces []*corev1.Namespace, ne namespaces = []*corev1.Namespace{newNamespace(namespace, namespaceLabels)} for j := 0; j < 10; j++ { labels := map[string]string{"app": fmt.Sprintf("scale-%d", j)} - networkPolicies = append(networkPolicies, newNetworkPolicy(namespace, fmt.Sprintf("np-%d", j), labels, labels, namespaceLabels, nil, nil)) + networkPolicies = append(networkPolicies, NewNetworkPolicy(namespace, fmt.Sprintf("np-%d", j), labels, labels, namespaceLabels, nil, nil)) for k := 0; k < 10; k++ { - pods = append(pods, newPod(namespace, fmt.Sprintf("pod-%d-%d", j, k), labels)) + pods = append(pods, NewPod(namespace, fmt.Sprintf("pod-%d-%d", j, k), labels)) } } return namespaces, networkPolicies, pods } - namespaces, networkPolicies, pods = getXObjects(1000, getObjects) + namespaces, networkPolicies, pods = GetXObjects(1000, getObjects) return namespaces, networkPolicies, pods } @@ -240,9 +240,9 @@ func testComputeNetworkPolicy(t *testing.T, maxExecutionTime time.Duration, name } } - k8sObjs = append(k8sObjs, toRunTimeObjects(namespaces)...) - _, c := newController(k8sObjs, crdObjs) - c.heartbeatCh = make(chan heartbeat, 1000) + k8sObjs = append(k8sObjs, ToRunTimeObjects(namespaces)...) + _, c := NewController(k8sObjs, crdObjs) + c.HeartbeatCh = make(chan Heartbeat, 1000) stopCh := make(chan struct{}) 
@@ -261,7 +261,7 @@ func testComputeNetworkPolicy(t *testing.T, maxExecutionTime time.Duration, name for { timer.Reset(idleTimeout) select { - case heartbeat := <-c.heartbeatCh: + case heartbeat := <-c.HeartbeatCh: m, ok := executionMetrics[heartbeat.name] if !ok { m = &executionMetric{} @@ -291,18 +291,18 @@ func testComputeNetworkPolicy(t *testing.T, maxExecutionTime time.Duration, name var maxAlloc uint64 wg.Add(1) go func() { - statMaxMemAlloc(&maxAlloc, 500*time.Millisecond, stopCh) + StatMaxMemAlloc(&maxAlloc, 500*time.Millisecond, stopCh) wg.Done() }() // Everything is ready, now start timing. start := time.Now() - c.informerFactory.Start(stopCh) - c.crdInformerFactory.Start(stopCh) - go c.groupingInterface.Run(stopCh) - go c.groupingController.Run(stopCh) - c.informerFactory.WaitForCacheSync(stopCh) - c.crdInformerFactory.WaitForCacheSync(stopCh) + c.InformerFactory.Start(stopCh) + c.CrdInformerFactory.Start(stopCh) + go c.GroupingInterface.Run(stopCh) + go c.GroupingController.Run(stopCh) + c.InformerFactory.WaitForCacheSync(stopCh) + c.CrdInformerFactory.WaitForCacheSync(stopCh) cache.WaitForCacheSync(stopCh, c.groupingInterfaceSynced) go c.Run(stopCh) @@ -346,7 +346,7 @@ func statEvents(c *networkPolicyController, addressGroupEvents, appliedToGroupEv } } -func statMaxMemAlloc(maxAlloc *uint64, interval time.Duration, stopCh chan struct{}) { +func StatMaxMemAlloc(maxAlloc *uint64, interval time.Duration, stopCh chan struct{}) { var memStats goruntime.MemStats ticker := time.NewTicker(interval) defer ticker.Stop() 
@@ -371,8 +371,8 @@ func getRandomNodeName() string {
 return fmt.Sprintf("Node-%d", rand.Intn(1000))
 }
 
-// getXObjects calls the provided getObjectsFunc x times and aggregate the objects.
-func getXObjects(x int, getObjectsFunc func() (namespaces []*corev1.Namespace, networkPolicies []runtime.Object, entities []runtime.Object)) (namespaces []*corev1.Namespace, networkPolicies []runtime.Object, entities []runtime.Object) {
+// GetXObjects calls the provided getObjectsFunc x times and aggregate the objects.
+func GetXObjects(x int, getObjectsFunc func() (namespaces []*corev1.Namespace, networkPolicies []runtime.Object, entities []runtime.Object)) (namespaces []*corev1.Namespace, networkPolicies []runtime.Object, entities []runtime.Object) {
 for i := 0; i < x; i++ {
 newNamespaces, newNetworkPolicies, newEntities := getObjectsFunc()
 namespaces = append(namespaces, newNamespaces...)
@@ -382,7 +382,7 @@ func getXObjects(x int, getObjectsFunc func() (namespaces []*corev1.Namespace, n
 return namespaces, networkPolicies, entities
 }
 
-func toRunTimeObjects(namespaces []*corev1.Namespace) []runtime.Object {
+func ToRunTimeObjects(namespaces []*corev1.Namespace) []runtime.Object {
 objs := make([]runtime.Object, 0, len(namespaces))
 for i := range namespaces {
 objs = append(objs, namespaces[i])
@@ -396,7 +396,7 @@ func newNamespace(name string, labels map[string]string) *corev1.Namespace {
 }
 }
 
-func newPod(namespace, name string, labels map[string]string) *corev1.Pod {
+func NewPod(namespace, name string, labels map[string]string) *corev1.Pod {
 if name == "" {
 name = "pod-" + rand.String(8)
 }
@@ -435,7 +435,7 @@ func newExternalEntity(namespace, name string, labels map[string]string) *v1alph
 return externalEntity
 }
 
-func newNetworkPolicy(namespace, name string, podSelector, ingressPodSelector, ingressNamespaceSelector, egressPodSelector, egressNamespaceSelector map[string]string) *networkingv1.NetworkPolicy {
+func NewNetworkPolicy(namespace, name string, podSelector, ingressPodSelector, ingressNamespaceSelector, egressPodSelector, egressNamespaceSelector map[string]string) *networkingv1.NetworkPolicy {
 if name == "" {
 name = "np-" + rand.String(8)
 }
@@ -523,26 +523,26 @@ func BenchmarkSyncAddressGroup(b *testing.B) { labels := map[string]string{"app-1": "scale-1"} getObjects := func() (namespaces []*corev1.Namespace, networkPolicies []runtime.Object, pods []runtime.Object) { namespaces = []*corev1.Namespace{newNamespace(namespace, nil)} - networkPolicies = []runtime.Object{newNetworkPolicy(namespace, "", labels, labels, nil, nil, nil)} - pods = []runtime.Object{newPod(namespace, "", labels)} + networkPolicies = []runtime.Object{NewNetworkPolicy(namespace, "", labels, labels, nil, nil, nil)} + pods = []runtime.Object{NewPod(namespace, "", labels)} return namespaces, networkPolicies, pods } - namespaces, networkPolicies, pods := getXObjects(1000, getObjects) - objs := toRunTimeObjects(namespaces[0:1]) + namespaces, networkPolicies, pods := GetXObjects(1000, getObjects) + objs := ToRunTimeObjects(namespaces[0:1]) objs = append(objs, networkPolicies...) objs = append(objs, pods...) stopCh := make(chan struct{}) defer close(stopCh) - _, c := newController(objs, nil) - c.informerFactory.Start(stopCh) - c.crdInformerFactory.Start(stopCh) - go c.groupingController.Run(stopCh) - go c.groupingInterface.Run(stopCh) + _, c := NewController(objs, nil) + c.InformerFactory.Start(stopCh) + c.CrdInformerFactory.Start(stopCh) + go c.GroupingController.Run(stopCh) + go c.GroupingInterface.Run(stopCh) // wait for cache syncs // after that, event handlers should have been called to enqueue AppliedToGroups and // InternalNetworkPolicies. - c.informerFactory.WaitForCacheSync(stopCh) - c.crdInformerFactory.WaitForCacheSync(stopCh) + c.InformerFactory.WaitForCacheSync(stopCh) + c.CrdInformerFactory.WaitForCacheSync(stopCh) cache.WaitForCacheSync(stopCh, c.groupingInterfaceSynced) for c.appliedToGroupQueue.Len() > 0 { 
@@ -614,7 +614,7 @@ func benchmarkInit(b *testing.B, namespaces []*corev1.Namespace, networkPolicies crdObjs = append(crdObjs, entity) } } - k8sObjs = append(k8sObjs, toRunTimeObjects(namespaces)...) + k8sObjs = append(k8sObjs, ToRunTimeObjects(namespaces)...) b.ReportAllocs() b.ResetTimer() @@ -624,28 +624,28 @@ func benchmarkInit(b *testing.B, namespaces []*corev1.Namespace, networkPolicies stopCh := make(chan struct{}) defer close(stopCh) _, c := newControllerWithoutEventHandler(k8sObjs, crdObjs) - c.informerFactory.Start(stopCh) - c.crdInformerFactory.Start(stopCh) - go c.groupingInterface.Run(stopCh) + c.InformerFactory.Start(stopCh) + c.CrdInformerFactory.Start(stopCh) + go c.GroupingInterface.Run(stopCh) defer func() { c.addressGroupStore.Stop() c.appliedToGroupStore.Stop() c.internalGroupStore.Stop() c.internalNetworkPolicyStore.Stop() }() - c.informerFactory.WaitForCacheSync(stopCh) - c.crdInformerFactory.WaitForCacheSync(stopCh) + c.InformerFactory.WaitForCacheSync(stopCh) + c.CrdInformerFactory.WaitForCacheSync(stopCh) b.StartTimer() for _, namespace := range namespaces { - c.groupingInterface.AddNamespace(namespace) + c.GroupingInterface.AddNamespace(namespace) } for _, obj := range entities { switch entity := obj.(type) { case *corev1.Pod: - c.groupingInterface.AddPod(entity) + c.GroupingInterface.AddPod(entity) case *v1alpha2.ExternalEntity: - c.groupingInterface.AddExternalEntity(entity) + c.GroupingInterface.AddExternalEntity(entity) } } for _, obj := range networkPolicies { diff --git a/pkg/controller/networkpolicy/networkpolicy_controller_test.go b/pkg/controller/networkpolicy/networkpolicy_controller_test.go index 9459934d557..eb056c00152 100644 --- a/pkg/controller/networkpolicy/networkpolicy_controller_test.go +++ b/pkg/controller/networkpolicy/networkpolicy_controller_test.go 
@@ -98,14 +98,14 @@ type networkPolicyController struct {
 appliedToGroupStore storage.Interface
 addressGroupStore storage.Interface
 internalNetworkPolicyStore storage.Interface
-informerFactory informers.SharedInformerFactory
-crdInformerFactory crdinformers.SharedInformerFactory
-groupingController *grouping.GroupEntityController
+InformerFactory informers.SharedInformerFactory
+CrdInformerFactory crdinformers.SharedInformerFactory
+GroupingController *grouping.GroupEntityController
 labelIdentityController *labelidentity.Controller
 }
 
 // objects is an initial set of K8s objects that is exposed through the client.
-func newController(k8sObjects, crdObjects []runtime.Object) (*fake.Clientset, *networkPolicyController) {
+func NewController(k8sObjects, crdObjects []runtime.Object) (*fake.Clientset, *networkPolicyController) {
 client := newClientset(k8sObjects...)
 crdClient := fakeversioned.NewSimpleClientset(crdObjects...)
 mcsClient := fakemcsversioned.NewSimpleClientset()
@@ -232,7 +232,7 @@ func newControllerWithoutEventHandler(k8sObjects, crdObjects []runtime.Object) (
 addressGroupQueue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "addressGroup"),
 internalNetworkPolicyQueue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "internalNetworkPolicy"),
 internalGroupQueue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "internalGroup"),
-groupingInterface: groupEntityIndex,
+GroupingInterface: groupEntityIndex,
 appliedToGroupNotifier: newNotifier(),
 }
 npController.tierInformer.Informer().AddIndexers(tierIndexers)
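Review bot: Exporting `NewController` here (and likewise `GetXObjects`, `ToRunTimeObjects`, `NewPod`, `NewNetworkPolicy` and `StatMaxMemAlloc` in the networkpolicy_controller_perf_test.go hunks above) does not make these helpers reachable from another package, because `_test.go` files are compiled only into this package's own test binary and cannot be imported. If the intent is reuse from another package's tests, the helpers have to move to a non-test file such as a dedicated test-support package rather than be renamed in place; if the intent is local only, the renames are pure lint noise, and `NewController` now returns the unexported `*networkPolicyController`, which linters flag. The renames are also partial: `newClientset`, which `NewController` calls, and `newControllerWithoutEventHandler` keep their lowercase names, so callers see two naming conventions for the same family of helpers.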
@@ -278,7 +278,7 @@ func newClientset(objects ...runtime.Object) *fake.Clientset { } func TestAddNetworkPolicy(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) np := getK8sNetworkPolicyObj() npc.addNetworkPolicy(np) require.Equal(t, 1, npc.internalNetworkPolicyQueue.Len()) @@ -289,7 +289,7 @@ func TestAddNetworkPolicy(t *testing.T) { } func TestDeleteNetworkPolicy(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) np := getK8sNetworkPolicyObj() npc.addNetworkPolicy(np) require.Equal(t, 1, npc.internalNetworkPolicyQueue.Len()) @@ -300,7 +300,7 @@ func TestDeleteNetworkPolicy(t *testing.T) { } func TestUpdateNetworkPolicy(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) np := getK8sNetworkPolicyObj() newNP := np.DeepCopy() newNP.Spec.Ingress = nil @@ -736,13 +736,13 @@ func TestAddPod(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.networkPolicyStore.Add(testNPObj) npc.syncInternalNetworkPolicy(getKNPReference(testNPObj)) groupKey := testCG.Name npc.addClusterGroup(testCG) npc.cgStore.Add(testCG) - npc.groupingInterface.AddPod(tt.addedPod) + npc.GroupingInterface.AddPod(tt.addedPod) appGroupID := getNormalizedUID(antreatypes.NewGroupSelector("nsA", &selectorSpec, nil, nil, nil).NormalizedName) inGroupID := getNormalizedUID(antreatypes.NewGroupSelector("nsA", &selectorIn, nil, nil, nil).NormalizedName) outGroupID := getNormalizedUID(antreatypes.NewGroupSelector("nsA", &selectorOut, nil, nil, nil).NormalizedName) 
@@ -827,12 +827,12 @@ func TestDeletePod(t *testing.T) { p2 := getPod("p2", ns, "", p2IP, false) // Ensure Pod p2 matches AddressGroup. p2.Labels = ruleLabels - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.networkPolicyStore.Add(matchNPObj) npc.syncInternalNetworkPolicy(getKNPReference(matchNPObj)) npc.addClusterGroup(testCG) - npc.groupingInterface.AddPod(p1) - npc.groupingInterface.AddPod(p2) + npc.GroupingInterface.AddPod(p1) + npc.GroupingInterface.AddPod(p2) npc.syncAppliedToGroup(matchAppGID) // Retrieve AddressGroup. adgs := npc.addressGroupStore.List() @@ -841,7 +841,7 @@ func TestDeletePod(t *testing.T) { addrGroup := addrGroupObj.(*antreatypes.AddressGroup) npc.syncAddressGroup(addrGroup.Name) // Delete Pod P1 matching the AppliedToGroup. - npc.groupingInterface.DeletePod(p1) + npc.GroupingInterface.DeletePod(p1) npc.syncAppliedToGroup(matchAppGID) appGroupObj, _, _ := npc.appliedToGroupStore.Get(matchAppGID) appGroup := appGroupObj.(*antreatypes.AppliedToGroup) @@ -849,7 +849,7 @@ func TestDeletePod(t *testing.T) { // Ensure Pod1 reference is removed from AppliedToGroup. assert.Len(t, podsAdded, 0, "expected Pod to be deleted from AppliedToGroup") // Delete Pod P2 matching the NetworkPolicy Rule. - npc.groupingInterface.DeletePod(p2) + npc.GroupingInterface.DeletePod(p2) npc.syncAddressGroup(addrGroup.Name) npc.syncInternalGroup(groupKey) updatedAddrGroupObj, _, _ := npc.addressGroupStore.Get(addrGroup.Name) 
@@ -980,18 +980,18 @@ func TestAddNamespace(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.networkPolicyStore.Add(testNPObj) npc.syncInternalNetworkPolicy(getKNPReference(testNPObj)) npc.addClusterGroup(testCG) npc.cgStore.Add(testCG) groupKey := testCG.Name - npc.groupingInterface.AddNamespace(tt.addedNamespace) + npc.GroupingInterface.AddNamespace(tt.addedNamespace) p1 := getPod("p1", "nsA", "nodeA", "1.2.3.4", false) p2 := getPod("p2", "nsA", "nodeA", "2.2.3.4", false) - npc.groupingInterface.AddPod(p1) - npc.groupingInterface.AddPod(p2) + npc.GroupingInterface.AddPod(p1) + npc.GroupingInterface.AddPod(p2) inGroupID := getNormalizedUID(antreatypes.NewGroupSelector("", nil, &selectorIn, nil, nil).NormalizedName) outGroupID := getNormalizedUID(antreatypes.NewGroupSelector("", nil, &selectorOut, nil, nil).NormalizedName) npc.syncAddressGroup(inGroupID) 
@@ -1139,25 +1139,25 @@ func TestDeleteNamespace(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.networkPolicyStore.Add(testNPObj) npc.syncInternalNetworkPolicy(getKNPReference(testNPObj)) npc.addClusterGroup(testCG) groupKey := testCG.Name p1 := getPod("p1", "nsA", "", "1.1.1.1", false) p2 := getPod("p2", "nsA", "", "1.1.1.2", false) - npc.groupingInterface.AddNamespace(tt.deletedNamespace) - npc.groupingInterface.AddPod(p1) - npc.groupingInterface.AddPod(p2) - npc.groupingInterface.DeleteNamespace(tt.deletedNamespace) + npc.GroupingInterface.AddNamespace(tt.deletedNamespace) + npc.GroupingInterface.AddPod(p1) + npc.GroupingInterface.AddPod(p2) + npc.GroupingInterface.DeleteNamespace(tt.deletedNamespace) inGroupID := getNormalizedUID(antreatypes.NewGroupSelector("", nil, &selectorIn, nil, nil).NormalizedName) outGroupID := getNormalizedUID(antreatypes.NewGroupSelector("", nil, &selectorOut, nil, nil).NormalizedName) npc.syncAddressGroup(inGroupID) npc.syncAddressGroup(outGroupID) npc.syncInternalGroup(groupKey) - npc.groupingInterface.DeletePod(p1) - npc.groupingInterface.DeletePod(p2) - npc.groupingInterface.DeleteNamespace(tt.deletedNamespace) + npc.GroupingInterface.DeletePod(p1) + npc.GroupingInterface.DeletePod(p2) + npc.GroupingInterface.DeleteNamespace(tt.deletedNamespace) npc.syncAddressGroup(inGroupID) npc.syncAddressGroup(outGroupID) npc.syncInternalGroup(groupKey) 
@@ -1270,13 +1270,13 @@ func TestAddAndUpdateService(t *testing.T) { Selector: map[string]string{"app": "test-2"}, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.cgStore.Add(testCG1) npc.cgStore.Add(testCG2) npc.addClusterGroup(testCG1) npc.addClusterGroup(testCG2) - npc.groupingInterface.AddPod(testPod1) - npc.groupingInterface.AddPod(testPod2) + npc.GroupingInterface.AddPod(testPod1) + npc.GroupingInterface.AddPod(testPod2) npc.serviceStore.Add(testSvc1) npc.serviceStore.Add(testSvc2) npc.syncInternalGroup(testCG1.Name) @@ -1349,10 +1349,10 @@ func TestDeleteService(t *testing.T) { Selector: map[string]string{"app": "test"}, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.cgStore.Add(testCG) npc.addClusterGroup(testCG) - npc.groupingInterface.AddPod(testPod) + npc.GroupingInterface.AddPod(testPod) npc.serviceStore.Add(testSvc) npc.syncInternalGroup(testCG.Name) memberPod := &controlplane.GroupMember{ @@ -1786,7 +1786,7 @@ func TestToAntreaPeer(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) actualPeer, _ := npc.toAntreaPeer(tt.inPeers, testNPObj, tt.direction, tt.namedPortExist) if !reflect.DeepEqual(tt.outPeer.AddressGroups, (*actualPeer).AddressGroups) { t.Errorf("Unexpected AddressGroups in Antrea Peer conversion. Expected %v, got %v", tt.outPeer.AddressGroups, (*actualPeer).AddressGroups) 
@@ -2202,11 +2202,11 @@ func TestProcessNetworkPolicy(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(tt.existingObjects, nil) + _, c := NewController(tt.existingObjects, nil) stopCh := make(chan struct{}) defer close(stopCh) - c.informerFactory.Start(stopCh) - c.informerFactory.WaitForCacheSync(stopCh) + c.InformerFactory.Start(stopCh) + c.InformerFactory.WaitForCacheSync(stopCh) actualPolicy, actualAppliedToGroups, actualAddressGroups := c.processNetworkPolicy(tt.inputPolicy) assert.Equal(t, tt.expectedPolicy, actualPolicy, "processNetworkPolicy() got unexpected result") @@ -2475,8 +2475,8 @@ func TestIPStrToIPAddress(t *testing.T) { } func TestDeleteFinalStateUnknownNetworkPolicy(t *testing.T) { - _, c := newController(nil, nil) - c.heartbeatCh = make(chan heartbeat, 2) + _, c := NewController(nil, nil) + c.HeartbeatCh = make(chan Heartbeat, 2) np := &networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "nsA", Name: "npA", UID: "uidA"}, Spec: networkingv1.NetworkPolicySpec{ @@ -2487,11 +2487,11 @@ func TestDeleteFinalStateUnknownNetworkPolicy(t *testing.T) { c.addNetworkPolicy(np) key, _ := cache.MetaNamespaceKeyFunc(np) c.deleteNetworkPolicy(cache.DeletedFinalStateUnknown{Key: key, Obj: np}) - close(c.heartbeatCh) + close(c.HeartbeatCh) var ok bool - _, ok = <-c.heartbeatCh + _, ok = <-c.HeartbeatCh assert.True(t, ok, "Missing event on channel") - _, ok = <-c.heartbeatCh + _, ok = <-c.HeartbeatCh assert.True(t, ok, "Missing event on channel") } 
@@ -2659,13 +2659,13 @@ func TestGetAppliedToWorkloads(t *testing.T) { expNodes: []*corev1.Node{nodeA}, }, } - _, c := newController([]runtime.Object{nodeA, nodeB}, nil) + _, c := NewController([]runtime.Object{nodeA, nodeB}, nil) stopCh := make(chan struct{}) defer close(stopCh) - c.informerFactory.Start(stopCh) - c.informerFactory.WaitForCacheSync(stopCh) - c.groupingInterface.AddPod(podA) - c.groupingInterface.AddPod(podB) + c.InformerFactory.Start(stopCh) + c.InformerFactory.WaitForCacheSync(stopCh) + c.GroupingInterface.AddPod(podA) + c.GroupingInterface.AddPod(podB) clusterGroups := []v1beta1.ClusterGroup{cgA, cgB, cgC, cgD, nestedCG1, nestedCG2} for i, cg := range clusterGroups { c.cgStore.Add(&clusterGroups[i]) @@ -2785,9 +2785,9 @@ func TestGetAddressGroupMemberSet(t *testing.T) { expMemberSet: podABMemberSet, }, } - _, c := newController(nil, nil) - c.groupingInterface.AddPod(podA) - c.groupingInterface.AddPod(podB) + _, c := NewController(nil, nil) + c.GroupingInterface.AddPod(podA) + c.GroupingInterface.AddPod(podB) clusterGroups := []v1beta1.ClusterGroup{cgA, cgB, cgC, cgD, nestedCG1, nestedCG2} for i, cg := range clusterGroups { c.cgStore.Add(&clusterGroups[i]) 
@@ -2808,13 +2808,13 @@ func TestGetAddressGroupMemberSet(t *testing.T) {
 func TestAddressGroupWithNodeSelector(t *testing.T) {
 stopCh := make(chan struct{})
 defer close(stopCh)
- _, c := newController(nil, nil)
- c.informerFactory.Start(stopCh)
- c.crdInformerFactory.Start(stopCh)
- go c.groupingController.Run(stopCh)
- go c.groupingInterface.Run(stopCh)
- c.informerFactory.WaitForCacheSync(stopCh)
- c.crdInformerFactory.WaitForCacheSync(stopCh)
+ _, c := NewController(nil, nil)
+ c.InformerFactory.Start(stopCh)
+ c.CrdInformerFactory.Start(stopCh)
+ go c.GroupingController.Run(stopCh)
+ go c.GroupingInterface.Run(stopCh)
+ c.InformerFactory.WaitForCacheSync(stopCh)
+ c.CrdInformerFactory.WaitForCacheSync(stopCh)
 cache.WaitForCacheSync(stopCh, c.groupingInterfaceSynced)
 
 nodeSelectorA := metav1.LabelSelector{MatchLabels: map[string]string{"env": "pro"}}
@@ -3085,15 +3085,15 @@ func TestMultipleNetworkPoliciesWithSameAppliedTo(t *testing.T) {
 },
 AppliedToGroups: []string{selectorAGroupUID},
 }
- _, c := newController([]runtime.Object{podA, podB, podC}, nil)
+ _, c := NewController([]runtime.Object{podA, podB, podC}, nil)
 stopCh := make(chan struct{})
 defer close(stopCh)
- c.informerFactory.Start(stopCh)
- c.crdInformerFactory.Start(stopCh)
- c.informerFactory.WaitForCacheSync(stopCh)
- c.crdInformerFactory.WaitForCacheSync(stopCh)
- go c.groupingInterface.Run(stopCh)
- go c.groupingController.Run(stopCh)
+ c.InformerFactory.Start(stopCh)
+ c.CrdInformerFactory.Start(stopCh)
+ c.InformerFactory.WaitForCacheSync(stopCh)
+ c.CrdInformerFactory.WaitForCacheSync(stopCh)
+ go c.GroupingInterface.Run(stopCh)
+ go c.GroupingController.Run(stopCh)
 go c.Run(stopCh)
 
 c.kubeClient.NetworkingV1().NetworkPolicies(policyA.Namespace).Create(context.TODO(), policyA, metav1.CreateOptions{})
@@ -3226,7 +3226,7 @@ func TestSyncInternalNetworkPolicy(t *testing.T) {
 }
 
 // Add a new policy, it should create an internal NetworkPolicy, AddressGroups and AppliedToGroups used by it.
- _, c := newController(nil, nil)
+ _, c := NewController(nil, nil)
 c.acnpStore.Add(inputPolicy)
 networkPolicyRef := getACNPReference(inputPolicy)
 assert.NoError(t, c.syncInternalNetworkPolicy(networkPolicyRef))
@@ -3334,7 +3334,7 @@ func TestSyncInternalNetworkPolicyWithSameName(t *testing.T) {
 }
 
 // Add and sync policyA first, it should create an AppliedToGroup.
- _, c := newController(nil, nil)
+ _, c := NewController(nil, nil)
 c.networkPolicyStore.Add(policyA)
 networkPolicyRefA := getKNPReference(policyA)
 assert.NoError(t, c.syncInternalNetworkPolicy(networkPolicyRefA))
@@ -3446,7 +3446,7 @@ func TestSyncInternalNetworkPolicyConcurrently(t *testing.T) {
 }
 
 // Add and sync policyA first, it should create an AddressGroup and AppliedToGroups.
- _, c := newController(nil, nil)
+ _, c := NewController(nil, nil)
 c.networkPolicyStore.Add(policyA)
 networkPolicyRefA := getKNPReference(policyA)
 assert.NoError(t, c.syncInternalNetworkPolicy(networkPolicyRefA))
@@ -3694,15 +3694,15 @@ func TestSyncInternalNetworkPolicyWithGroups(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- _, c := newController([]runtime.Object{podA, podB}, nil)
+ _, c := NewController([]runtime.Object{podA, podB}, nil)
 stopCh := make(chan struct{})
 defer close(stopCh)
- c.informerFactory.Start(stopCh)
- c.crdInformerFactory.Start(stopCh)
- c.informerFactory.WaitForCacheSync(stopCh)
- c.crdInformerFactory.WaitForCacheSync(stopCh)
- go c.groupingInterface.Run(stopCh)
- go c.groupingController.Run(stopCh)
+ c.InformerFactory.Start(stopCh)
+ c.CrdInformerFactory.Start(stopCh)
+ c.InformerFactory.WaitForCacheSync(stopCh)
+ c.CrdInformerFactory.WaitForCacheSync(stopCh)
+ go c.GroupingInterface.Run(stopCh)
+ go c.GroupingController.Run(stopCh)
 go c.Run(stopCh)
 
 for _, group := range tt.groups {
@@ -3801,8 +3801,8 @@ func TestSyncAppliedToGroupWithExternalEntity(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- _, npc := newController(nil, nil)
- npc.groupingInterface.AddExternalEntity(tt.addedExternalEntity)
+ _, npc := NewController(nil, nil)
+ npc.GroupingInterface.AddExternalEntity(tt.addedExternalEntity)
 groupSelector := antreatypes.NewGroupSelector("nsA", nil, nil, &selectorSpec, nil)
 appGroupID := getNormalizedUID(groupSelector.NormalizedName)
 appliedToGroup := &antreatypes.AppliedToGroup{
@@ -3811,7 +3811,7 @@ func TestSyncAppliedToGroupWithExternalEntity(t *testing.T) {
 Selector: groupSelector,
 }
 npc.appliedToGroupStore.Create(appliedToGroup)
- npc.groupingInterface.AddGroup(appliedToGroupType, appliedToGroup.Name, appliedToGroup.Selector)
+ npc.GroupingInterface.AddGroup(appliedToGroupType, appliedToGroup.Name, appliedToGroup.Selector)
 npc.syncAppliedToGroup(appGroupID)
 appGroupObj, _, _ := npc.appliedToGroupStore.Get(appGroupID)
 appGroup := appGroupObj.(*antreatypes.AppliedToGroup)
@@ -3848,11 +3848,11 @@ func TestSyncAppliedToGroupWithNode(t *testing.T) {
 },
 }
 
- _, npc := newController([]runtime.Object{nodeA, nodeB, nodeC}, nil)
+ _, npc := NewController([]runtime.Object{nodeA, nodeB, nodeC}, nil)
 stopCh := make(chan struct{})
 defer close(stopCh)
- npc.informerFactory.Start(stopCh)
- npc.informerFactory.WaitForCacheSync(stopCh)
+ npc.InformerFactory.Start(stopCh)
+ npc.InformerFactory.WaitForCacheSync(stopCh)
 groupSelector := antreatypes.NewGroupSelector("", nil, nil, nil, &selector)
 appGroupID := getNormalizedUID(groupSelector.NormalizedName)
 appliedToGroup := &antreatypes.AppliedToGroup{
diff --git a/pkg/controller/networkpolicy/testing/mock_networkpolicy.go b/pkg/controller/networkpolicy/testing/mock_networkpolicy.go
index 333094ceb25..1ba13e1a7a5 100644
--- a/pkg/controller/networkpolicy/testing/mock_networkpolicy.go
+++ b/pkg/controller/networkpolicy/testing/mock_networkpolicy.go
@@ -1,4 +1,4 @@
-// Copyright 2023 Antrea Authors
+// Copyright 2024 Antrea Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -14,11 +14,11 @@
 
 //
 // Code generated by MockGen. DO NOT EDIT.
-// Source: antrea.io/antrea/pkg/controller/networkpolicy (interfaces: EndpointQuerier)
+// Source: antrea.io/antrea/pkg/controller/networkpolicy (interfaces: EndpointQuerier,PolicyRuleQuerier)
 //
 // Generated by this command:
 //
-// mockgen -copyright_file hack/boilerplate/license_header.raw.txt -destination pkg/controller/networkpolicy/testing/mock_networkpolicy.go -package testing antrea.io/antrea/pkg/controller/networkpolicy EndpointQuerier
+// mockgen -copyright_file hack/boilerplate/license_header.raw.txt -destination pkg/controller/networkpolicy/testing/mock_networkpolicy.go -package testing antrea.io/antrea/pkg/controller/networkpolicy EndpointQuerier,PolicyRuleQuerier
 //
 // Package testing is a generated GoMock package.
 package testing
@@ -26,6 +26,7 @@ package testing
 import (
 reflect "reflect"
 
+ controlplane "antrea.io/antrea/pkg/apis/controlplane"
 networkpolicy "antrea.io/antrea/pkg/controller/networkpolicy"
 gomock "go.uber.org/mock/gomock"
 )
@@ -67,3 +68,41 @@ func (mr *MockEndpointQuerierMockRecorder) QueryNetworkPolicyRules(arg0, arg1 an
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "QueryNetworkPolicyRules", reflect.TypeOf((*MockEndpointQuerier)(nil).QueryNetworkPolicyRules), arg0, arg1)
 }
+
+// MockPolicyRuleQuerier is a mock of PolicyRuleQuerier interface.
+type MockPolicyRuleQuerier struct {
+ ctrl *gomock.Controller
+ recorder *MockPolicyRuleQuerierMockRecorder
+}
+
+// MockPolicyRuleQuerierMockRecorder is the mock recorder for MockPolicyRuleQuerier.
+type MockPolicyRuleQuerierMockRecorder struct {
+ mock *MockPolicyRuleQuerier
+}
+
+// NewMockPolicyRuleQuerier creates a new mock instance.
+func NewMockPolicyRuleQuerier(ctrl *gomock.Controller) *MockPolicyRuleQuerier {
+ mock := &MockPolicyRuleQuerier{ctrl: ctrl}
+ mock.recorder = &MockPolicyRuleQuerierMockRecorder{mock}
+ return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockPolicyRuleQuerier) EXPECT() *MockPolicyRuleQuerierMockRecorder {
+ return m.recorder
+}
+
+// QueryNetworkPolicyAccessReview mocks base method.
+func (m *MockPolicyRuleQuerier) QueryNetworkPolicyAccessReview(arg0 *controlplane.NetworkPolicyAccessRequest) (*controlplane.NetworkPolicyAccessResponse, error) {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "QueryNetworkPolicyAccessReview", arg0)
+ ret0, _ := ret[0].(*controlplane.NetworkPolicyAccessResponse)
+ ret1, _ := ret[1].(error)
+ return ret0, ret1
+}
+
+// QueryNetworkPolicyAccessReview indicates an expected call of QueryNetworkPolicyAccessReview.
+func (mr *MockPolicyRuleQuerierMockRecorder) QueryNetworkPolicyAccessReview(arg0 any) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "QueryNetworkPolicyAccessReview", reflect.TypeOf((*MockPolicyRuleQuerier)(nil).QueryNetworkPolicyAccessReview), arg0)
+}
diff --git a/pkg/controller/networkpolicy/tier_test.go b/pkg/controller/networkpolicy/tier_test.go
index bcbe2fc549c..faf5c9108dc 100644
--- a/pkg/controller/networkpolicy/tier_test.go
+++ b/pkg/controller/networkpolicy/tier_test.go
@@ -70,7 +70,7 @@ func TestInitTier(t *testing.T) {
 }
 for _, tc := range tests {
 t.Run(tc.name, func(t *testing.T) {
- _, c := newController(nil, nil)
+ _, c := NewController(nil, nil)
 if tc.reactor != nil {
 c.crdClient.(*fake.Clientset).PrependReactor("create", "tiers", tc.reactor)
 }
diff --git a/pkg/controller/networkpolicy/validate_test.go b/pkg/controller/networkpolicy/validate_test.go
index 43b20fe13ca..d2731671002 100644
--- a/pkg/controller/networkpolicy/validate_test.go
+++ b/pkg/controller/networkpolicy/validate_test.go
@@ -1668,7 +1668,7 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 for feature, value := range tt.featureGates {
 defer featuregatetesting.SetFeatureGateDuringTest(t, features.DefaultFeatureGate, feature, value)()
 }
- _, controller := newController(nil, nil)
+ _, controller := NewController(nil, nil)
 validator := NewNetworkPolicyValidator(controller.NetworkPolicyController)
 actualReason, allowed := validator.validateAntreaPolicy(tt.policy, "", tt.operation, authenticationv1.UserInfo{})
 assert.Equal(t, tt.expectedReason, actualReason)
@@ -1740,7 +1740,7 @@ func TestValidateAntreaNetworkPolicy(t *testing.T) {
 for feature, value := range tt.featureGates {
 defer featuregatetesting.SetFeatureGateDuringTest(t, features.DefaultFeatureGate, feature, value)()
 }
- _, controller := newController(nil, nil)
+ _, controller := NewController(nil, nil)
 validator := NewNetworkPolicyValidator(controller.NetworkPolicyController)
 actualReason, allowed := validator.validateAntreaPolicy(tt.policy, "", tt.operation, authenticationv1.UserInfo{})
 assert.Equal(t, tt.expectedReason, actualReason)
@@ -2023,7 +2023,7 @@ func TestValidateAntreaClusterGroup(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- _, controller := newController(nil, nil)
+ _, controller := NewController(nil, nil)
 if tt.existGroup != nil {
 controller.cgStore.Add(tt.existGroup)
 controller.addClusterGroup(tt.existGroup)
@@ -2280,7 +2280,7 @@ func TestValidateAntreaGroup(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- _, controller := newController(nil, nil)
+ _, controller := NewController(nil, nil)
 if tt.existGroup != nil {
 controller.gStore.Add(tt.existGroup)
 controller.addGroup(tt.existGroup)
@@ -2488,7 +2488,7 @@ func TestValidateTier(t *testing.T) {
 
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- _, controller := newController(nil, nil)
+ _, controller := NewController(nil, nil)
 for i := 1; i <= tt.existTierNum; i++ {
 controller.tierStore.Add(&crdv1beta1.Tier{
 ObjectMeta: metav1.ObjectMeta{
@@ -2710,7 +2710,7 @@ func TestValidateAdminNetworkPolicy(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- _, controller := newController(nil, nil)
+ _, controller := NewController(nil, nil)
 validator := NewNetworkPolicyValidator(controller.NetworkPolicyController)
 actualReason, allowed := validator.validateAdminNetworkPolicy(tt.policy, "", tt.operation, authenticationv1.UserInfo{})
 assert.Equal(t, tt.expectedReason, actualReason)