Merge pull request #50033 from cmluciano/cml/addnpcidrselector

Automatic merge from submit-queue (batch tested with PRs 50033, 49988, 51132, 49674, 51207)

Add IPBlock to Network Policy

**What this PR does / why we need it**:
 Add ipBlockRule to NetworkPolicyPeer.

**Which issue this PR fixes**
fixes #49978

**Special notes for your reviewer**:
- I added this directly as a field on the existing API per guidance from API-Machinery/lazy SIG-Network consensus.

Todo:
- [ ] Documentation comments to mention this is beta, unless we want to go straight to GA
- [ ] e2e tests

**Release note**:
```
Support ipBlock in NetworkPolicy
```
Kubernetes Submit Queue
2017-08-25 11:07:07 -07:00
committed by GitHub
27 changed files with 2123 additions and 445 deletions


@@ -62904,6 +62904,25 @@
}
}
},
"io.k8s.api.extensions.v1beta1.IPBlock": {
"description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.1/24\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.",
"required": [
"cidr"
],
"properties": {
"cidr": {
"description": "CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\"",
"type": "string"
},
"except": {
"description": "Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" Except values will be rejected if they are outside the CIDR range",
"type": "array",
"items": {
"type": "string"
}
}
}
},
"io.k8s.api.extensions.v1beta1.Ingress": {
"description": "Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.",
"properties": {
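Review bot: The example `"192.168.1.1/24"` in the new `cidr` and `except` descriptions has host bits set, so a reader cannot tell whether the API expects a network address or accepts and normalizes any address inside the block; for a field that decides which traffic is allowed, an example such as `"192.168.1.0/24"` is less ambiguous. Both descriptions also run two sentences together (`IP Block Valid examples are`), and "allowed to the pods" does not say in which direction the traffic flows. The schema types `cidr` and each `except` item as a bare string, so the stated rejection of out-of-range `except` entries is presumably enforced only by server-side validation that is not visible here; it is worth confirming that it also rejects malformed CIDRs. The same text is repeated in the networking.v1 hunk and in the two later file sections, and if these specs are generated the wording belongs in the source type comments.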
@@ -63130,6 +63149,10 @@
},
"io.k8s.api.extensions.v1beta1.NetworkPolicyPeer": {
"properties": {
"ipBlock": {
"description": "IPBlock defines policy on a particular IPBlock",
"$ref": "#/definitions/io.k8s.api.extensions.v1beta1.IPBlock"
},
"namespaceSelector": {
"description": "Selects Namespaces using cluster scoped-labels. This matches all pods in all namespaces selected by this label selector. This field follows standard label selector semantics. If present but empty, this selector selects all namespaces.",
"$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"
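Review bot: The `ipBlock` description `IPBlock defines policy on a particular IPBlock` is circular and leaves out how the field relates to its siblings. The networking.v1 NetworkPolicyPeer in a later hunk says exactly one of its fields must be specified, while this extensions/v1beta1 definition shows no description at all, so a policy author cannot tell from the schema whether `ipBlock` may be combined with `namespaceSelector` or `podSelector`. I would reword it along the lines of `IPBlock selects peers by IP CIDR; if set, neither of the other fields can be`, once that exclusivity is confirmed against the validation code, which is outside this page. The definition continues past the end of the hunk.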
@@ -63631,6 +63654,25 @@
}
}
},
"io.k8s.api.networking.v1.IPBlock": {
"description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.1/24\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.",
"required": [
"cidr"
],
"properties": {
"cidr": {
"description": "CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\"",
"type": "string"
},
"except": {
"description": "Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" Except values will be rejected if they are outside the CIDR range",
"type": "array",
"items": {
"type": "string"
}
}
}
},
"io.k8s.api.networking.v1.NetworkPolicy": {
"description": "NetworkPolicy describes what network traffic is allowed for a set of Pods",
"properties": {
@@ -63715,6 +63757,10 @@
"io.k8s.api.networking.v1.NetworkPolicyPeer": {
"description": "NetworkPolicyPeer describes a peer to allow traffic from. Exactly one of its fields must be specified.",
"properties": {
"ipBlock": {
"description": "IPBlock defines policy on a particular IPBlock",
"$ref": "#/definitions/io.k8s.api.networking.v1.IPBlock"
},
"namespaceSelector": {
"description": "Selects Namespaces using cluster scoped-labels. This matches all pods in all namespaces selected by this label selector. This field follows standard label selector semantics. If present but empty, this selector selects all namespaces.",
"$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"


@@ -9305,6 +9305,30 @@
"namespaceSelector": {
"$ref": "v1.LabelSelector",
"description": "Selects Namespaces using cluster scoped-labels. This matches all pods in all namespaces selected by this label selector. This field follows standard label selector semantics. If present but empty, this selector selects all namespaces."
},
"ipBlock": {
"$ref": "v1beta1.IPBlock",
"description": "IPBlock defines policy on a particular IPBlock"
}
}
},
"v1beta1.IPBlock": {
"id": "v1beta1.IPBlock",
"description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.1/24\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.",
"required": [
"cidr"
],
"properties": {
"cidr": {
"type": "string",
"description": "CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\""
},
"except": {
"type": "array",
"items": {
"type": "string"
},
"description": "Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" Except values will be rejected if they are outside the CIDR range"
}
}
},


@@ -1307,6 +1307,30 @@
"namespaceSelector": {
"$ref": "v1.LabelSelector",
"description": "Selects Namespaces using cluster scoped-labels. This matches all pods in all namespaces selected by this label selector. This field follows standard label selector semantics. If present but empty, this selector selects all namespaces."
},
"ipBlock": {
"$ref": "v1.IPBlock",
"description": "IPBlock defines policy on a particular IPBlock"
}
}
},
"v1.IPBlock": {
"id": "v1.IPBlock",
"description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.1/24\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.",
"required": [
"cidr"
],
"properties": {
"cidr": {
"type": "string",
"description": "CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\""
},
"except": {
"type": "array",
"items": {
"type": "string"
},
"description": "Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" Except values will be rejected if they are outside the CIDR range"
}
}
},