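// Package v1 holds the OpenShift SDN network API types: ClusterNetwork, HostSubnet,
// NetNamespace and EgressNetworkPolicy, together with their List wrappers.
//
// Most IP/CIDR fields carry a +kubebuilder:validation:Pattern marker. Those regexes admit
// only IPv4 dotted-quad forms (openshift-sdn is v4-only, see EgressNetworkPolicyPeer), and
// they do admit leading-zero octets such as 01.2.3.4 — whether such values are later
// rejected depends on the consumer's IP parser. NOTE(review): verify that assumption
// against the SDN controller before relying on schema validation alone.
package v1

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

const (
	// ClusterNetworkDefault is the name of the ClusterNetwork object the SDN plugin creates
	// from the master configuration; there is normally exactly one such object.
	ClusterNetworkDefault = "default"
)

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterNetwork describes the cluster network. There is normally only one object of this type,
// named "default", which is created by the SDN network plugin based on the master configuration
// when the cluster is brought up for the first time.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +kubebuilder:resource:scope="Cluster"
// +kubebuilder:printcolumn:name="Cluster Network",type=string,JSONPath=`.network`,description="The primary cluster network CIDR"
// +kubebuilder:printcolumn:name="Service Network",type=string,JSONPath=`.serviceNetwork`,description="The service network CIDR"
// +kubebuilder:printcolumn:name="Plugin Name",type=string,JSONPath=`.pluginName`,description="The Openshift SDN network plug-in in use"
// +openshift:compatibility-gen:level=1
type ClusterNetwork struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Network is a CIDR string specifying the global overlay network's L3 space.
	// The pattern accepts an IPv4 address with a /0–/32 prefix length.
	// +kubebuilder:validation:Pattern=`^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$`
	Network string `json:"network,omitempty" protobuf:"bytes,2,opt,name=network"`

	// HostSubnetLength is the number of bits of network to allocate to each node. eg, 8 would mean that each node would have a /24 slice of the overlay network for its pods
	// +kubebuilder:validation:Minimum=2
	// +kubebuilder:validation:Maximum=30
	HostSubnetLength uint32 `json:"hostsubnetlength,omitempty" protobuf:"varint,3,opt,name=hostsubnetlength"`

	// ServiceNetwork is the CIDR range that Service IP addresses are allocated from
	// +kubebuilder:validation:Pattern=`^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$`
	ServiceNetwork string `json:"serviceNetwork" protobuf:"bytes,4,opt,name=serviceNetwork"`

	// PluginName is the name of the network plugin being used
	PluginName string `json:"pluginName,omitempty" protobuf:"bytes,5,opt,name=pluginName"`

	// ClusterNetworks is a list of ClusterNetwork objects that defines the global overlay network's L3 space by specifying a set of CIDR and netmasks that the SDN can allocate addresses from.
	ClusterNetworks []ClusterNetworkEntry `json:"clusterNetworks" protobuf:"bytes,6,rep,name=clusterNetworks"`

	// VXLANPort sets the VXLAN destination port used by the cluster.
	// It is set by the master configuration file on startup and cannot be edited manually.
	// Valid values for VXLANPort are integers 1-65535 inclusive and if unset defaults to 4789.
	// Changing VXLANPort allows users to resolve issues between openshift SDN and other software trying to use the same VXLAN destination port.
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:validation:Maximum=65535
	// +kubebuilder:validation:Optional
	// +optional
	VXLANPort *uint32 `json:"vxlanPort,omitempty" protobuf:"varint,7,opt,name=vxlanPort"`

	// MTU is the MTU for the overlay network. This should be 50 less than the MTU of the network connecting the nodes. It is normally autodetected by the cluster network operator.
	// +kubebuilder:validation:Minimum=576
	// +kubebuilder:validation:Maximum=65536
	// +kubebuilder:validation:Optional
	// +optional
	MTU *uint32 `json:"mtu,omitempty" protobuf:"varint,8,opt,name=mtu"`
}

// ClusterNetworkEntry defines an individual cluster network. The CIDRs cannot overlap with other cluster network CIDRs, CIDRs reserved for external ips, CIDRs reserved for service networks, and CIDRs reserved for ingress ips.
// NOTE(review): the non-overlap requirement is prose only; no marker in this file expresses it,
// so it is presumably checked by the controller or an admission hook — verify.
type ClusterNetworkEntry struct {
	// CIDR defines the total range of a cluster networks address space.
	// +kubebuilder:validation:Pattern=`^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$`
	CIDR string `json:"CIDR" protobuf:"bytes,1,opt,name=cidr"`

	// HostSubnetLength is the number of bits of the accompanying CIDR address to allocate to each node. eg, 8 would mean that each node would have a /24 slice of the overlay network for its pods.
	// +kubebuilder:validation:Minimum=2
	// +kubebuilder:validation:Maximum=30
	HostSubnetLength uint32 `json:"hostSubnetLength" protobuf:"varint,2,opt,name=hostSubnetLength"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterNetworkList is a collection of ClusterNetworks
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type ClusterNetworkList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is the list of cluster networks
	Items []ClusterNetwork `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// HostSubnetEgressIP represents one egress IP address currently hosted on the node represented by
// HostSubnet
// +kubebuilder:validation:Pattern=`^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$`
type HostSubnetEgressIP string

// HostSubnetEgressCIDR represents one egress CIDR from which to assign IP addresses for this node
// represented by the HostSubnet
// +kubebuilder:validation:Pattern=`^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$`
type HostSubnetEgressCIDR string

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// HostSubnet describes the container subnet network on a node. The HostSubnet object must have the
// same name as the Node object it corresponds to.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.host`,description="The name of the node"
// +kubebuilder:printcolumn:name="Host IP",type=string,JSONPath=`.hostIP`,description="The IP address to be used as a VTEP by other nodes in the overlay network"
// +kubebuilder:printcolumn:name="Subnet",type=string,JSONPath=`.subnet`,description="The CIDR range of the overlay network assigned to the node for its pods"
// +kubebuilder:printcolumn:name="Egress CIDRs",type=string,JSONPath=`.egressCIDRs`,description="The network egress CIDRs"
// +kubebuilder:printcolumn:name="Egress IPs",type=string,JSONPath=`.egressIPs`,description="The network egress IP addresses"
// +openshift:compatibility-gen:level=1
type HostSubnet struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Host is the name of the node. (This is the same as the object's name, but both fields must be set.)
	// NOTE(review): nothing in this file enforces that Host equals metadata.name — verify where that is checked.
	// +kubebuilder:validation:Pattern=`^[a-z0-9.-]+$`
	Host string `json:"host" protobuf:"bytes,2,opt,name=host"`

	// HostIP is the IP address to be used as a VTEP by other nodes in the overlay network
	// +kubebuilder:validation:Pattern=`^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$`
	HostIP string `json:"hostIP" protobuf:"bytes,3,opt,name=hostIP"`

	// Subnet is the CIDR range of the overlay network assigned to the node for its pods
	// +kubebuilder:validation:Pattern=`^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$`
	Subnet string `json:"subnet" protobuf:"bytes,4,opt,name=subnet"`

	// EgressIPs is the list of automatic egress IP addresses currently hosted by this node.
	// If EgressCIDRs is empty, this can be set by hand; if EgressCIDRs is set then the
	// master will overwrite the value here with its own allocation of egress IPs.
	// +optional
	EgressIPs []HostSubnetEgressIP `json:"egressIPs,omitempty" protobuf:"bytes,5,rep,name=egressIPs"`

	// EgressCIDRs is the list of CIDR ranges available for automatically assigning
	// egress IPs to this node from. If this field is set then EgressIPs should be
	// treated as read-only.
	// +optional
	EgressCIDRs []HostSubnetEgressCIDR `json:"egressCIDRs,omitempty" protobuf:"bytes,6,rep,name=egressCIDRs"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// HostSubnetList is a collection of HostSubnets
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type HostSubnetList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is the list of host subnets
	Items []HostSubnet `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// NetNamespaceEgressIP is a single egress IP out of a list of reserved IPs used as source of external traffic coming
// from pods in this namespace
// +kubebuilder:validation:Pattern=`^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$`
type NetNamespaceEgressIP string

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// NetNamespace describes a single isolated network. When using the redhat/openshift-ovs-multitenant
// plugin, every Namespace will have a corresponding NetNamespace object with the same name.
// (When using redhat/openshift-ovs-subnet, NetNamespaces are not used.)
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +kubebuilder:printcolumn:name="NetID",type=integer,JSONPath=`.netid`,description="The network identifier of the network namespace"
// +kubebuilder:printcolumn:name="Egress IPs",type=string,JSONPath=`.egressIPs`,description="The network egress IP addresses"
// +openshift:compatibility-gen:level=1
type NetNamespace struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// NetName is the name of the network namespace. (This is the same as the object's name, but both fields must be set.)
	// +kubebuilder:validation:Pattern=`^[a-z0-9.-]+$`
	NetName string `json:"netname" protobuf:"bytes,2,opt,name=netname"`

	// NetID is the network identifier of the network namespace assigned to each overlay network packet. This can be manipulated with the "oc adm pod-network" commands.
	// The bounds keep the value within the 24-bit range that the Maximum marker below allows.
	// +kubebuilder:validation:Minimum=0
	// +kubebuilder:validation:Maximum=16777215
	NetID uint32 `json:"netid" protobuf:"varint,3,opt,name=netid"`

	// EgressIPs is a list of reserved IPs that will be used as the source for external traffic coming from pods in this namespace.
	// (If empty, external traffic will be masqueraded to Node IPs.)
	// +optional
	EgressIPs []NetNamespaceEgressIP `json:"egressIPs,omitempty" protobuf:"bytes,4,rep,name=egressIPs"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// NetNamespaceList is a collection of NetNamespaces
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type NetNamespaceList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is the list of net namespaces
	Items []NetNamespace `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// EgressNetworkPolicyRuleType indicates whether an EgressNetworkPolicyRule allows or denies traffic.
//
// The alternation is grouped so the anchors apply to the whole value. The earlier form
// `^Allow|Deny$` parsed as "starts with Allow" OR "ends with Deny", so schema validation
// accepted values such as "AllowAll" or "NoDeny" that are not valid rule types. Only the
// two constants below are valid.
// +kubebuilder:validation:Pattern=`^(Allow|Deny)$`
type EgressNetworkPolicyRuleType string

const (
	// EgressNetworkPolicyRuleAllow marks a rule that permits matching egress traffic.
	EgressNetworkPolicyRuleAllow EgressNetworkPolicyRuleType = "Allow"
	// EgressNetworkPolicyRuleDeny marks a rule that blocks matching egress traffic.
	EgressNetworkPolicyRuleDeny EgressNetworkPolicyRuleType = "Deny"
)

// EgressNetworkPolicyPeer specifies a target to apply egress network policy to.
//
// Exactly one of CIDRSelector or DNSName is meant to be set. NOTE(review): that mutual
// exclusion is stated in the field comments only; no marker in this file expresses it, so it
// is presumably enforced by the controller or an admission check — verify.
// NOTE(review): the protobuf tags on these scalar fields say `rep`; the generated marshal code
// presumably matches, so they are left untouched — confirm before changing.
type EgressNetworkPolicyPeer struct {
	// CIDRSelector is the CIDR range to allow/deny traffic to. If this is set, dnsName must be unset
	// Ideally we would have liked to use the cidr openapi format for this property.
	// But openshift-sdn only supports v4 while specifying the cidr format allows both v4 and v6 cidrs
	// We are therefore using a regex pattern to validate instead.
	// +kubebuilder:validation:Pattern=`^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$`
	CIDRSelector string `json:"cidrSelector,omitempty" protobuf:"bytes,1,rep,name=cidrSelector"`
	// DNSName is the domain name to allow/deny traffic to. If this is set, cidrSelector must be unset
	// +kubebuilder:validation:Pattern=`^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$`
	DNSName string `json:"dnsName,omitempty" protobuf:"bytes,2,rep,name=dnsName"`
}

// EgressNetworkPolicyRule contains a single egress network policy rule
type EgressNetworkPolicyRule struct {
	// type marks this as an "Allow" or "Deny" rule
	Type EgressNetworkPolicyRuleType `json:"type" protobuf:"bytes,1,rep,name=type"`
	// to is the target that traffic is allowed/denied to
	To EgressNetworkPolicyPeer `json:"to" protobuf:"bytes,2,rep,name=to"`
}

// EgressNetworkPolicySpec provides a list of policies on outgoing network traffic
type EgressNetworkPolicySpec struct {
	// egress contains the list of egress policy rules; they are evaluated in order and the
	// first match wins (see EgressNetworkPolicy).
	Egress []EgressNetworkPolicyRule `json:"egress" protobuf:"bytes,1,rep,name=egress"`
}

// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// EgressNetworkPolicy describes the current egress network policy for a Namespace. When using
// the 'redhat/openshift-ovs-multitenant' network plugin, traffic from a pod to an IP address
// outside the cluster will be checked against each EgressNetworkPolicyRule in the pod's
// namespace's EgressNetworkPolicy, in order. If no rule matches (or no EgressNetworkPolicy
// is present) then the traffic will be allowed by default.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type EgressNetworkPolicy struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// spec is the specification of the current egress network policy
	Spec EgressNetworkPolicySpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// EgressNetworkPolicyList is a collection of EgressNetworkPolicy
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type EgressNetworkPolicyList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// items is the list of policies
	Items []EgressNetworkPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
}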