feat: Implement target selectors for policies. (#3704)
* Implement target selectors for policies.

Signed-off-by: Lior Okman <[email protected]>

* Also check the group in the selectors.

Signed-off-by: Lior Okman <[email protected]>

* Fixed the CEL validation so it would compile correctly.

Signed-off-by: Lior Okman <[email protected]>

* Sort the returned targetRefs by creation timestamp so that the set of
returned refs is consistent.

Signed-off-by: Lior Okman <[email protected]>

---------

Signed-off-by: Lior Okman <[email protected]>
liorokman committed Jul 3, 2024
1 parent 015e7ff commit 93019c3
Showing 14 changed files with 619 additions and 47 deletions.
27 changes: 21 additions & 6 deletions api/v1alpha1/policy_helpers.go
Expand Up @@ -10,18 +10,33 @@ import (
)

type PolicyTargetReferences struct {
// TargetRef is the name of the Gateway resource this policy
// is being attached to.
// This Policy and the TargetRef MUST be in the same namespace
// for this Policy to have effect and be applied to the Gateway.
// TargetRef
// TargetRef is the name of the resource this policy is being attached to.
// This policy and the TargetRef MUST be in the same namespace for this
// Policy to have effect
//
// Deprecated: use targetRefs instead
// Deprecated: use targetRefs/targetSelectors instead
TargetRef *gwapiv1a2.LocalPolicyTargetReferenceWithSectionName `json:"targetRef,omitempty"`

// TargetRefs are the names of the Gateway resources this policy
// is being attached to.
TargetRefs []gwapiv1a2.LocalPolicyTargetReferenceWithSectionName `json:"targetRefs,omitempty"`

// TargetSelectors allow targeting resources for this policy based on labels
TargetSelectors []TargetSelector `json:"targetSelectors,omitempty"`
}

// +kubebuilder:validation:XValidation:rule="has(self.group) ? self.group == 'gateway.networking.k8s.io' : true ", message="group must be gateway.networking.k8s.io"
type TargetSelector struct {
// Group is the group that this selector targets. Defaults to gateway.networking.k8s.io
//
// +kubebuilder:default:="gateway.networking.k8s.io"
Group *gwapiv1a2.Group `json:"group,omitempty"`

// Kind is the resource kind that this selector targets.
Kind gwapiv1a2.Kind `json:"kind"`

// MatchLabels are the set of label selectors for identifying the targeted resource
MatchLabels map[string]string `json:"matchLabels"`
}

func (p PolicyTargetReferences) GetTargetRefs() []gwapiv1a2.LocalPolicyTargetReferenceWithSectionName {
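Review bot: `MatchLabels` is marked required, but the generated CRD only checks that the key is present, so `matchLabels: {}` is accepted and, if the helper applies ordinary label-selector semantics, presumably matches every resource of that Kind — a policy would then silently attach to all Gateways or routes it can see; `// +kubebuilder:validation:MinProperties=1` above the field rejects the empty map at admission. The `TargetSelectors` doc comment should also state the namespace scope of the match, since `TargetRef` spells out the same-namespace requirement and the code that evaluates selectors is not in this hunk, e.g. `// TargetSelectors select resources for this policy by label. Like TargetRef, only resources in the policy's own namespace are matched.` (confirm the wording against getPolicyTargetRefs before merging). `GetTargetRefs` on the last line of the hunk continues outside it.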
34 changes: 34 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


Expand Up @@ -917,14 +917,12 @@ spec:
type: object
targetRef:
description: |-
TargetRef is the name of the Gateway resource this policy
is being attached to.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway.
TargetRef
TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect
Deprecated: use targetRefs instead
Deprecated: use targetRefs/targetSelectors instead
properties:
group:
description: Group is the group of the target resource.
Expand Down Expand Up @@ -1024,6 +1022,39 @@ spec:
- name
type: object
type: array
targetSelectors:
description: TargetSelectors allow targeting resources for this policy
based on labels
items:
properties:
group:
default: gateway.networking.k8s.io
description: Group is the group that this selector targets.
Defaults to gateway.networking.k8s.io
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is the resource kind that this selector targets.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
matchLabels:
additionalProperties:
type: string
description: MatchLabels are the set of label selectors for
identifying the targeted resource
type: object
required:
- kind
- matchLabels
type: object
x-kubernetes-validations:
- message: group must be gateway.networking.k8s.io
rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
: true '
type: array
tcpKeepalive:
description: |-
TcpKeepalive settings associated with the upstream client connection.
Expand Up @@ -328,14 +328,12 @@ spec:
type: object
targetRef:
description: |-
TargetRef is the name of the Gateway resource this policy
is being attached to.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway.
TargetRef
TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect
Deprecated: use targetRefs instead
Deprecated: use targetRefs/targetSelectors instead
properties:
group:
description: Group is the group of the target resource.
Expand Down Expand Up @@ -435,6 +433,39 @@ spec:
- name
type: object
type: array
targetSelectors:
description: TargetSelectors allow targeting resources for this policy
based on labels
items:
properties:
group:
default: gateway.networking.k8s.io
description: Group is the group that this selector targets.
Defaults to gateway.networking.k8s.io
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is the resource kind that this selector targets.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
matchLabels:
additionalProperties:
type: string
description: MatchLabels are the set of label selectors for
identifying the targeted resource
type: object
required:
- kind
- matchLabels
type: object
x-kubernetes-validations:
- message: group must be gateway.networking.k8s.io
rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
: true '
type: array
tcpKeepalive:
description: |-
TcpKeepalive settings associated with the downstream client connection.
Expand Up @@ -194,14 +194,12 @@ spec:
type: array
targetRef:
description: |-
TargetRef is the name of the Gateway resource this policy
is being attached to.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway.
TargetRef
TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect
Deprecated: use targetRefs instead
Deprecated: use targetRefs/targetSelectors instead
properties:
group:
description: Group is the group of the target resource.
Expand Down Expand Up @@ -301,6 +299,39 @@ spec:
- name
type: object
type: array
targetSelectors:
description: TargetSelectors allow targeting resources for this policy
based on labels
items:
properties:
group:
default: gateway.networking.k8s.io
description: Group is the group that this selector targets.
Defaults to gateway.networking.k8s.io
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is the resource kind that this selector targets.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
matchLabels:
additionalProperties:
type: string
description: MatchLabels are the set of label selectors for
identifying the targeted resource
type: object
required:
- kind
- matchLabels
type: object
x-kubernetes-validations:
- message: group must be gateway.networking.k8s.io
rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
: true '
type: array
wasm:
description: |-
Wasm is a list of Wasm extensions to be loaded by the Gateway.
Expand Up @@ -988,14 +988,12 @@ spec:
type: object
targetRef:
description: |-
TargetRef is the name of the Gateway resource this policy
is being attached to.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway.
TargetRef
TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect
Deprecated: use targetRefs instead
Deprecated: use targetRefs/targetSelectors instead
properties:
group:
description: Group is the group of the target resource.
Expand Down Expand Up @@ -1095,6 +1093,39 @@ spec:
- name
type: object
type: array
targetSelectors:
description: TargetSelectors allow targeting resources for this policy
based on labels
items:
properties:
group:
default: gateway.networking.k8s.io
description: Group is the group that this selector targets.
Defaults to gateway.networking.k8s.io
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is the resource kind that this selector targets.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
matchLabels:
additionalProperties:
type: string
description: MatchLabels are the set of label selectors for
identifying the targeted resource
type: object
required:
- kind
- matchLabels
type: object
x-kubernetes-validations:
- message: group must be gateway.networking.k8s.io
rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
: true '
type: array
type: object
x-kubernetes-validations:
- message: either targetRef or targetRefs must be used
4 changes: 2 additions & 2 deletions internal/gatewayapi/backendtrafficpolicy.go
Expand Up @@ -73,7 +73,7 @@ func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv
// Process the policies targeting xRoutes
for _, currPolicy := range backendTrafficPolicies {
policyName := utils.NamespacedName(currPolicy)
targetRefs := currPolicy.Spec.GetTargetRefs()
targetRefs := getPolicyTargetRefs(currPolicy.Spec.PolicyTargetReferences, routes)
for _, currTarget := range targetRefs {
if currTarget.Kind != KindGateway {
policy, found := handledPolicies[policyName]
Expand Down Expand Up @@ -147,7 +147,7 @@ func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv
// Process the policies targeting Gateways
for _, currPolicy := range backendTrafficPolicies {
policyName := utils.NamespacedName(currPolicy)
targetRefs := currPolicy.Spec.GetTargetRefs()
targetRefs := getPolicyTargetRefs(currPolicy.Spec.PolicyTargetReferences, gateways)
for _, currTarget := range targetRefs {
if currTarget.Kind == KindGateway {
policy, found := handledPolicies[policyName]
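Review bot: The `currTarget.Kind != KindGateway` check right after the changed line now filters a list that `getPolicyTargetRefs` already resolved against `routes` (and against `gateways` in the second hunk), and nothing at the call site says whether the helper still returns explicit targetRefs of the other kind or only selector matches from the list it was given, so a reader cannot tell whether the Kind check still guards anything. A one-line comment at the first call would settle it, e.g. `// explicit targetRefs plus targetSelectors matched against routes; Gateway refs are handled in the loop below`, adjusted once the helper's contract is confirmed since it is not visible here. The same two call sites appear in envoyextensionpolicy.go and could carry the same comment. `ProcessBackendTrafficPolicies` begins and ends outside the hunk.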
5 changes: 4 additions & 1 deletion internal/gatewayapi/clienttrafficpolicy.go
Expand Up @@ -70,6 +70,9 @@ func (t *Translator) ProcessClientTrafficPolicies(
// before policy with no section so below loops can be flattened into 1.
for _, currPolicy := range clientTrafficPolicies {
policyName := utils.NamespacedName(currPolicy)
// This loop only handles policies that target a specific section. When
// targeting a policy with a selector, it's not possible to specify a SectionName
// so there's no need to try to match targets with selectors
targetRefs := currPolicy.Spec.GetTargetRefs()
for _, currTarget := range targetRefs {
if hasSectionName(&currTarget) {
Expand Down Expand Up @@ -165,7 +168,7 @@ func (t *Translator) ProcessClientTrafficPolicies(
// Policy with no section set (targeting all sections)
for _, currPolicy := range clientTrafficPolicies {
policyName := utils.NamespacedName(currPolicy)
targetRefs := currPolicy.Spec.GetTargetRefs()
targetRefs := getPolicyTargetRefs(currPolicy.Spec.PolicyTargetReferences, gateways)
for _, currTarget := range targetRefs {
if !hasSectionName(&currTarget) {

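Review bot: The comment added in the first hunk reads as if the selector targets a policy (`When targeting a policy with a selector`) and it asserts that selector-derived refs never carry a SectionName, which this hunk cannot show because the helper is not visible; reword it to say what it means and what it relies on, e.g. `// This loop only handles targetRefs with a SectionName. Targets chosen by targetSelectors cannot carry a SectionName, so they are resolved only in the no-section loop below (see getPolicyTargetRefs).` If the helper could ever return a ref with a SectionName, this loop would silently skip it, so a check in the helper or a test covering that case would make the comment's claim enforceable rather than assumed. `ProcessClientTrafficPolicies` begins before the first hunk and continues after the second.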
4 changes: 2 additions & 2 deletions internal/gatewayapi/envoyextensionpolicy.go
Expand Up @@ -74,7 +74,7 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv
// Process the policies targeting xRoutes
for _, currPolicy := range envoyExtensionPolicies {
policyName := utils.NamespacedName(currPolicy)
targetRefs := currPolicy.Spec.GetTargetRefs()
targetRefs := getPolicyTargetRefs(currPolicy.Spec.PolicyTargetReferences, routes)
for _, currTarget := range targetRefs {
if currTarget.Kind != KindGateway {
policy, found := handledPolicies[policyName]
Expand Down Expand Up @@ -148,7 +148,7 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv
// Process the policies targeting Gateways
for _, currPolicy := range envoyExtensionPolicies {
policyName := utils.NamespacedName(currPolicy)
targetRefs := currPolicy.Spec.GetTargetRefs()
targetRefs := getPolicyTargetRefs(currPolicy.Spec.PolicyTargetReferences, gateways)
for _, currTarget := range targetRefs {
if currTarget.Kind == KindGateway {
policy, found := handledPolicies[policyName]
