43 changes: 42 additions & 1 deletion api/v1alpha1/policy_helpers.go
Expand Up @@ -42,6 +42,7 @@ type PolicyTargetReferences struct {
}

// +kubebuilder:validation:XValidation:rule="has(self.group) ? self.group == 'gateway.networking.k8s.io' : true ", message="group must be gateway.networking.k8s.io"
// +kubebuilder:validation:XValidation:rule="has(self.namespaces) || has(self.matchLabels) || has(self.matchExpressions)", message="at least one of namespaces, matchLabels, or matchExpressions must be specified"
type TargetSelector struct {
// Group is the group that this selector targets. Defaults to gateway.networking.k8s.io
//
Expand All @@ -51,7 +52,18 @@ type TargetSelector struct {
// Kind is the resource kind that this selector targets.
Kind gwapiv1.Kind `json:"kind"`

// MatchLabels are the set of label selectors for identifying the targeted resource
// Namespaces determines which namespaces are considered for target selection.
//
// If unspecified, only targets in the same namespace as this policy are considered.
//
// When specified, the effective set of namespaces is always constrained to the
// namespaces watched by Envoy Gateway.
//
// +optional
Namespaces *TargetSelectorNamespaces `json:"namespaces,omitempty"`

// MatchLabels are the set of label selectors for identifying the targeted resource.
//
// +optional
MatchLabels map[string]string `json:"matchLabels,omitempty"`

Expand All @@ -62,6 +74,35 @@ type TargetSelector struct {
MatchExpressions []metav1.LabelSelectorRequirement `json:"matchExpressions,omitempty"`
}

type TargetNamespaceFrom string

const (
// TargetNamespaceFromSame limits target selection to the policy's namespace.
TargetNamespaceFromSame TargetNamespaceFrom = "Same"
// TargetNamespaceFromAll allows target selection from all watched namespaces.
TargetNamespaceFromAll TargetNamespaceFrom = "All"
// TargetNamespaceFromSelector allows target selection from watched namespaces matching the selector.
TargetNamespaceFromSelector TargetNamespaceFrom = "Selector"
)

// TargetSelectorNamespaces determines which namespaces are considered for target selection.
// +kubebuilder:validation:XValidation:rule="self.from != 'Selector' || has(self.selector)", message="selector must be specified when from is Selector"
type TargetSelectorNamespaces struct {
// From indicates how namespaces are selected for this target selector.
//
// All means all namespaces watched by Envoy Gateway.
// Selector means namespaces watched by Envoy Gateway that match Selector.
//
// +kubebuilder:validation:Enum=Same;All;Selector
// +kubebuilder:default:=Same
From TargetNamespaceFrom `json:"from"`

// Selector selects namespaces when From is set to Selector.
//
// +optional
Selector *metav1.LabelSelector `json:"selector,omitempty"`
}

func (p PolicyTargetReferences) GetTargetRefs() []gwapiv1.LocalPolicyTargetReferenceWithSectionName {
if p.TargetRef != nil {
return []gwapiv1.LocalPolicyTargetReferenceWithSectionName{*p.TargetRef}
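Review bot: The doc comment on `From` in TargetSelectorNamespaces explains All and Selector but says nothing about Same, even though Same is the enum default; add `// Same means only the namespace of the policy.` above the All line. The CEL rule on the struct only demands `selector` when `from` is Selector, so a `selector` supplied together with `from: All` is accepted and silently ignored; a second rule, `// +kubebuilder:validation:XValidation:rule="self.from == 'Selector' || !has(self.selector)", message="selector may only be specified when from is Selector"`, would reject that misconfiguration at admission time. Because `Selector` is a metav1.LabelSelector, an empty selector `{}` matches every watched namespace, which is worth stating on the field so that widening a policy's reach beyond its own namespace is never accidental. If cross-namespace targets are gated by a ReferenceGrant, as the new PolicyReasonRefNotPermitted reason in shared_types.go suggests, the Namespaces comment should say so as well; the enclosing TargetSelector struct begins above this hunk.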
4 changes: 4 additions & 0 deletions api/v1alpha1/shared_types.go
Expand Up @@ -67,6 +67,10 @@ const (
// PolicyReasonDeprecatedField is used with the "Warning" condition when the policy
// uses deprecated fields that should be migrated to newer alternatives.
PolicyReasonDeprecatedField gwapiv1.PolicyConditionReason = "DeprecatedField"

// PolicyReasonRefNotPermitted is used with the "Accepted" condition when the policy
// targets a cross-namespace object without a matching ReferenceGrant.
PolicyReasonRefNotPermitted gwapiv1.PolicyConditionReason = "RefNotPermitted"
)

// GroupVersionKind unambiguously identifies a Kind.
25 changes: 25 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -2691,15 +2691,92 @@ spec:
additionalProperties:
type: string
description: MatchLabels are the set of label selectors for
identifying the targeted resource
identifying the targeted resource.
type: object
namespaces:
description: |-
Namespaces determines which namespaces are considered for target selection.

If unspecified, only targets in the same namespace as this policy are considered.

When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
properties:
from:
default: Same
description: |-
From indicates how namespaces are selected for this target selector.

All means all namespaces watched by Envoy Gateway.
Selector means namespaces watched by Envoy Gateway that match Selector.
enum:
- Same
- All
- Selector
type: string
selector:
description: Selector selects namespaces when From is set
to Selector.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- from
type: object
x-kubernetes-validations:
- message: selector must be specified when from is Selector
rule: self.from != 'Selector' || has(self.selector)
required:
- kind
type: object
x-kubernetes-validations:
- message: group must be gateway.networking.k8s.io
rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
: true '
- message: at least one of namespaces, matchLabels, or matchExpressions
must be specified
rule: has(self.namespaces) || has(self.matchLabels) || has(self.matchExpressions)
type: array
tcpKeepalive:
description: |-
Expand Down
Expand Up @@ -1171,15 +1171,92 @@ spec:
additionalProperties:
type: string
description: MatchLabels are the set of label selectors for
identifying the targeted resource
identifying the targeted resource.
type: object
namespaces:
description: |-
Namespaces determines which namespaces are considered for target selection.

If unspecified, only targets in the same namespace as this policy are considered.

When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
properties:
from:
default: Same
description: |-
From indicates how namespaces are selected for this target selector.

All means all namespaces watched by Envoy Gateway.
Selector means namespaces watched by Envoy Gateway that match Selector.
enum:
- Same
- All
- Selector
type: string
selector:
description: Selector selects namespaces when From is set
to Selector.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- from
type: object
x-kubernetes-validations:
- message: selector must be specified when from is Selector
rule: self.from != 'Selector' || has(self.selector)
required:
- kind
type: object
x-kubernetes-validations:
- message: group must be gateway.networking.k8s.io
rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
: true '
- message: at least one of namespaces, matchLabels, or matchExpressions
must be specified
rule: has(self.namespaces) || has(self.matchLabels) || has(self.matchExpressions)
type: array
tcpKeepalive:
description: |-