Initial pass at BaselineAdminNetworkPolicy.

projectcalico · Nov 19, 2024 · 56fa5a4 · 56fa5a4
1 parent 7c376cc
commit 56fa5a4
Show file tree

Hide file tree

Showing 30 changed files with 13,284 additions and 40 deletions.
diff --git a/Makefile b/Makefile
@@ -102,13 +102,22 @@ image:
 # using a local kind cluster.
 ###############################################################################
 E2E_FOCUS ?= "sig-network.*Conformance"
-ADMINPOLICY_SUPPORTED_FEATURES ?= "AdminNetworkPolicy"
-ADMINPOLICY_UNSUPPORTED_FEATURES ?= "BaselineAdminNetworkPolicy"
+ADMINPOLICY_SUPPORTED_FEATURES ?= "AdminNetworkPolicy,BaselineAdminNetworkPolicy"
+ADMINPOLICY_UNSUPPORTED_FEATURES ?= ""
 e2e-test:
 	$(MAKE) -C e2e build
 	$(MAKE) -C node kind-k8st-setup
 	KUBECONFIG=$(KIND_KUBECONFIG) ./e2e/bin/k8s/e2e.test -ginkgo.focus=$(E2E_FOCUS)
-	KUBECONFIG=$(KIND_KUBECONFIG) ./e2e/bin/adminpolicy/e2e.test -exempt-features=$(ADMINPOLICY_UNSUPPORTED_FEATURES) -supported-features=$(ADMINPOLICY_SUPPORTED_FEATURES)
+	KUBECONFIG=$(KIND_KUBECONFIG) ./e2e/bin/adminpolicy/e2e.test \
+	  -exempt-features=$(ADMINPOLICY_UNSUPPORTED_FEATURES) \
+	  -supported-features=$(ADMINPOLICY_SUPPORTED_FEATURES)
+
+e2e-test-adminpolicy:
+	$(MAKE) -C e2e build
+	$(MAKE) -C node kind-k8st-setup
+	KUBECONFIG=$(KIND_KUBECONFIG) ./e2e/bin/adminpolicy/e2e.test \
+	  -exempt-features=$(ADMINPOLICY_UNSUPPORTED_FEATURES) \
+	  -supported-features=$(ADMINPOLICY_SUPPORTED_FEATURES)
 
 ###############################################################################
 # Release logic below

diff --git a/api/pkg/apis/projectcalico/v3/tier.go b/api/pkg/apis/projectcalico/v3/tier.go
@@ -37,8 +37,9 @@ type Tier struct {
 }
 
 const (
-	DefaultTierOrder            = float64(1_000_000) // 1Million
-	AdminNetworkPolicyTierOrder = float64(1_000)     // 1K
+	AdminNetworkPolicyTierOrder         = float64(1_000)      // 1K
+	DefaultTierOrder                    = float64(1_000_000)  // 1Million
+	BaselineAdminNetworkPolicyTierOrder = float64(10_000_000) // 10Million
 )
 
 // TierSpec contains the specification for a security policy tier resource.

diff --git a/apiserver/pkg/storage/calico/tier_storage_test.go b/apiserver/pkg/storage/calico/tier_storage_test.go
@@ -534,6 +534,12 @@ func TestTierList(t *testing.T) {
 		t.Fatalf("Get failed: %v", err)
 	}
 
+	banpTier := makeTier(names.BaselineAdminNetworkPolicyTierName, "", v3.BaselineAdminNetworkPolicyTierOrder)
+	err = store.Get(ctx, "projectcalico.org/tiers/baselineadminnetworkpolicy", opts, banpTier)
+	if err != nil {
+		t.Fatalf("Get failed: %v", err)
+	}
+
 	tests := []struct {
 		prefix      string
 		pred        storage.SelectionPredicate
@@ -552,7 +558,8 @@ func TestTierList(t *testing.T) {
 				return nil, fields.Set{"metadata.name": tier.Name}, nil
 			},
 		},
-		expectedOut: []*v3.Tier{anpTier, preset[1].storedObj, defaultTier},
+		// Tiers are returned in name order.
+		expectedOut: []*v3.Tier{anpTier, preset[1].storedObj, banpTier, defaultTier},
 	}}
 
 	for i, tt := range tests {
@@ -566,6 +573,17 @@ func TestTierList(t *testing.T) {
 			t.Errorf("#%d: length of list want=%d, get=%d", i, len(tt.expectedOut), len(out.Items))
 			continue
 		}
+		var wantNames, gotNames []string
+		for _, wantTier := range tt.expectedOut {
+			wantNames = append(wantNames, wantTier.Name)
+		}
+		for _, getTier := range out.Items {
+			gotNames = append(gotNames, getTier.Name)
+		}
+		if !reflect.DeepEqual(wantNames, gotNames) {
+			t.Errorf("#%d: tier names want=%v, get=%v", i, wantNames, gotNames)
+		}
+
 		for j, wantTier := range tt.expectedOut {
 			getTier := &out.Items[j]
 			if !reflect.DeepEqual(wantTier, getTier) {

diff --git a/calicoctl/calicoctl/commands/datastore/migrate/export.go b/calicoctl/calicoctl/commands/datastore/migrate/export.go
@@ -246,9 +246,12 @@ Description:
 					if !ok {
 						return fmt.Errorf("Unable to convert Calico gloabal network policy for inspection")
 					}
-					if !strings.HasPrefix(metaObj.GetObjectMeta().GetName(), names.K8sAdminNetworkPolicyNamePrefix) {
-						filtered = append(filtered, obj)
+					if strings.HasPrefix(metaObj.GetObjectMeta().GetName(), names.K8sAdminNetworkPolicyNamePrefix) ||
+						strings.HasPrefix(metaObj.GetObjectMeta().GetName(), names.K8sBaselineAdminNetworkPolicyNamePrefix) {
+						continue
 					}
+					filtered = append(filtered, obj)
+
 				}
 
 				err = meta.SetList(resource, filtered)

diff --git a/calicoctl/calicoctl/resourcemgr/globalnetworkpolicy.go b/calicoctl/calicoctl/resourcemgr/globalnetworkpolicy.go
@@ -43,7 +43,7 @@ func init() {
 		},
 		func(ctx context.Context, client client.Interface, resource ResourceObject) (ResourceObject, error) {
 			r := resource.(*api.GlobalNetworkPolicy)
-			if strings.HasPrefix(r.Name, names.K8sAdminNetworkPolicyNamePrefix) {
+			if policyIsANP(r) {
 				return nil, cerrors.ErrorOperationNotSupported{
 					Operation:  "create or apply",
 					Identifier: resource,
@@ -54,7 +54,7 @@ func init() {
 		},
 		func(ctx context.Context, client client.Interface, resource ResourceObject) (ResourceObject, error) {
 			r := resource.(*api.GlobalNetworkPolicy)
-			if strings.HasPrefix(r.Name, names.K8sAdminNetworkPolicyNamePrefix) {
+			if policyIsANP(r) {
 				return nil, cerrors.ErrorOperationNotSupported{
 					Operation:  "create or apply",
 					Identifier: resource,
@@ -65,7 +65,7 @@ func init() {
 		},
 		func(ctx context.Context, client client.Interface, resource ResourceObject) (ResourceObject, error) {
 			r := resource.(*api.GlobalNetworkPolicy)
-			if strings.HasPrefix(r.Name, names.K8sAdminNetworkPolicyNamePrefix) {
+			if policyIsANP(r) {
 				return nil, cerrors.ErrorOperationNotSupported{
 					Operation:  "create or apply",
 					Identifier: resource,
@@ -85,6 +85,11 @@ func init() {
 	)
 }
 
+func policyIsANP(r *api.GlobalNetworkPolicy) bool {
+	return strings.HasPrefix(r.Name, names.K8sAdminNetworkPolicyNamePrefix) ||
+		strings.HasPrefix(r.Name, names.K8sBaselineAdminNetworkPolicyNamePrefix)
+}
+
 // newGlobalNetworkPolicyList creates a new (zeroed) GlobalNetworkPolicyList struct with the TypeMetadata initialised to the current
 // version.
 func newGlobalNetworkPolicyList() *api.GlobalNetworkPolicyList {

diff --git a/charts/calico/templates/calico-node-rbac.yaml b/charts/calico/templates/calico-node-rbac.yaml
@@ -68,10 +68,11 @@ rules:
     verbs:
       - watch
       - list
-  # Watch for changes to Kubernetes AdminNetworkPolicies.
+  # Watch for changes to Kubernetes (Baseline)AdminNetworkPolicies.
   - apiGroups: ["policy.networking.k8s.io"]
     resources:
       - adminnetworkpolicies
+      - baselineadminnetworkpolicies
     verbs:
       - watch
       - list

diff --git a/libcalico-go/Makefile b/libcalico-go/Makefile
@@ -9,6 +9,7 @@ KIND_CONFIG = $(KIND_DIR)/kind-single.config
 NETPOL_TAG = v0.1.5
 NETPOL_CRD_URL = https://raw.githubusercontent.com/kubernetes-sigs/network-policy-api/refs/tags/$(NETPOL_TAG)/config/crd/experimental
 NETPOL_ANP_CRD = policy.networking.k8s.io_adminnetworkpolicies.yaml
+NETPOL_BANP_CRD = policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
 
 ###############################################################################
 # Download and include ../lib.Makefile
@@ -59,6 +60,7 @@ gen-crds:
 	$(DOCKER_GO_BUILD) sh -c 'find ./config/crd -name "*.yaml" | xargs sed -i -e 1,2d'
 	# Add K8S AdminNetworkPolicy CRD
 	curl $(NETPOL_CRD_URL)/$(NETPOL_ANP_CRD) -o ./config/crd/$(NETPOL_ANP_CRD)
+	curl $(NETPOL_CRD_URL)/$(NETPOL_BANP_CRD) -o ./config/crd/$(NETPOL_BANP_CRD)
 
 ./lib/upgrade/migrator/clients/v1/k8s/custom/zz_generated.deepcopy.go: $(UPGRADE_SRCS)
 	$(DOCKER_GO_BUILD) sh -c 'deepcopy-gen \