-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add core code to support namespace based CRDs
For security reasons, cluster admins may want to limit certain applications to only loading eBPF programs within a given namespace. Currently, all bpfman Custom Resource Definitions (CRDs) are Cluster scoped. To provide cluster admins with tighter controls on eBPF program loading, some of the bpfman CRDs also need to be Namespace scoped. See Design Doc: bpfman/bpfman#1359 Signed-off-by: Billy McFall <[email protected]>
- Loading branch information
Showing
160 changed files
with
17,983 additions
and
427 deletions.
There are no files selected for viewing
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,97 @@ | ||
| /* | ||
| Copyright 2024. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| package v1alpha1 | ||
|
|
||
| import ( | ||
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
| ) | ||
|
|
||
| // BpfNsApplicationProgram defines the desired state of BpfApplication | ||
| // +union | ||
| // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'XDP' ? has(self.xdp) : !has(self.xdp)",message="xdp configuration is required when type is XDP, and forbidden otherwise" | ||
| // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'TC' ? has(self.tc) : !has(self.tc)",message="tc configuration is required when type is TC, and forbidden otherwise" | ||
| // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'TCX' ? has(self.tcx) : !has(self.tcx)",message="tcx configuration is required when type is TCX, and forbidden otherwise" | ||
| // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Uprobe' ? has(self.uprobe) : !has(self.uprobe)",message="uprobe configuration is required when type is Uprobe, and forbidden otherwise" | ||
| // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Uretprobe' ? has(self.uretprobe) : !has(self.uretprobe)",message="uretprobe configuration is required when type is Uretprobe, and forbidden otherwise" | ||
| type BpfNsApplicationProgram struct { | ||
| // Type specifies the bpf program type | ||
| // +unionDiscriminator | ||
| // +kubebuilder:validation:Required | ||
| // +kubebuilder:validation:Enum:="XDP";"TC";"TCX";"Uprobe";"Uretprobe" | ||
| Type EBPFProgType `json:"type,omitempty"` | ||
|
|
||
| // xdp defines the desired state of the application's XdpPrograms. | ||
| // +unionMember | ||
| // +optional | ||
| XDP *XdpProgramInfo `json:"xdp,omitempty"` | ||
|
|
||
| // tc defines the desired state of the application's TcPrograms. | ||
| // +unionMember | ||
| // +optional | ||
| TC *TcProgramInfo `json:"tc,omitempty"` | ||
|
|
||
| // tcx defines the desired state of the application's TcxPrograms. | ||
| // +unionMember | ||
| // +optional | ||
| TCX *TcxProgramInfo `json:"tcx,omitempty"` | ||
|
|
||
| // uprobe defines the desired state of the application's UprobePrograms. | ||
| // +unionMember | ||
| // +optional | ||
| Uprobe *UprobeProgramInfo `json:"uprobe,omitempty"` | ||
|
|
||
| // uretprobe defines the desired state of the application's UretprobePrograms. | ||
| // +unionMember | ||
| // +optional | ||
| Uretprobe *UprobeProgramInfo `json:"uretprobe,omitempty"` | ||
| } | ||
|
|
||
| // BpfApplicationSpec defines the desired state of BpfApplication | ||
| type BpfNsApplicationSpec struct { | ||
| BpfAppCommon `json:",inline"` | ||
|
|
||
| // Programs is a list of bpf programs supported for a specific application. | ||
| // It's possible that the application can selectively choose which program(s) | ||
| // to run from this list. | ||
| // +kubebuilder:validation:MinItems:=1 | ||
| Programs []BpfNsApplicationProgram `json:"programs,omitempty"` | ||
| } | ||
|
|
||
| // +genclient | ||
| //+kubebuilder:object:root=true | ||
| //+kubebuilder:subresource:status | ||
| //+kubebuilder:resource:scope=Namespaced | ||
|
|
||
| // BpfNsApplication is the Schema for the bpfapplications API | ||
| // +kubebuilder:printcolumn:name="NodeSelector",type=string,JSONPath=`.spec.nodeselector` | ||
| // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[0].reason` | ||
| // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" | ||
| type BpfNsApplication struct { | ||
| metav1.TypeMeta `json:",inline"` | ||
| metav1.ObjectMeta `json:"metadata,omitempty"` | ||
|
|
||
| Spec BpfNsApplicationSpec `json:"spec,omitempty"` | ||
| Status BpfApplicationStatus `json:"status,omitempty"` | ||
| } | ||
|
|
||
| // +kubebuilder:object:root=true | ||
| // BpfNsApplicationList contains a list of BpfNsApplications | ||
| type BpfNsApplicationList struct { | ||
| metav1.TypeMeta `json:",inline"` | ||
| metav1.ListMeta `json:"metadata,omitempty"` | ||
| Items []BpfNsApplication `json:"items"` | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| /* | ||
| Copyright 2024. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| // All fields are required unless explicitly marked optional | ||
| // +kubebuilder:validation:Required | ||
| package v1alpha1 | ||
|
|
||
| import ( | ||
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
| metav1types "k8s.io/apimachinery/pkg/types" | ||
| "sigs.k8s.io/controller-runtime/pkg/client" | ||
| ) | ||
|
|
||
| // +genclient | ||
| //+kubebuilder:object:root=true | ||
| //+kubebuilder:subresource:status | ||
|
|
||
| // BpfNsProgram is the Schema for the Bpfnsprograms API | ||
| // +kubebuilder:printcolumn:name="Type",type=string,JSONPath=`.spec.type` | ||
| // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[0].reason` | ||
| // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" | ||
| type BpfNsProgram struct { | ||
| metav1.TypeMeta `json:",inline"` | ||
| metav1.ObjectMeta `json:"metadata,omitempty"` | ||
|
|
||
| Spec BpfProgramSpec `json:"spec"` | ||
| // +optional | ||
| Status BpfProgramStatus `json:"status,omitempty"` | ||
| } | ||
|
|
||
| //+kubebuilder:object:root=true | ||
|
|
||
| // BpfNsProgramList contains a list of BpfProgram | ||
| type BpfNsProgramList struct { | ||
| metav1.TypeMeta `json:",inline"` | ||
| metav1.ListMeta `json:"metadata,omitempty"` | ||
| Items []BpfNsProgram `json:"items"` | ||
| } | ||
|
|
||
| func (bp BpfNsProgram) GetName() string { | ||
| return bp.Name | ||
| } | ||
|
|
||
| func (bp BpfNsProgram) GetUID() metav1types.UID { | ||
| return bp.UID | ||
| } | ||
|
|
||
| func (bp BpfNsProgram) GetAnnotations() map[string]string { | ||
| return bp.Annotations | ||
| } | ||
|
|
||
| func (bp BpfNsProgram) GetLabels() map[string]string { | ||
| return bp.Labels | ||
| } | ||
|
|
||
| func (bp BpfNsProgram) GetStatus() *BpfProgramStatus { | ||
| return &bp.Status | ||
| } | ||
|
|
||
| func (bp BpfNsProgram) GetClientObject() client.Object { | ||
| return &bp | ||
| } | ||
|
|
||
| func (bpl BpfNsProgramList) GetItems() []BpfNsProgram { | ||
| return bpl.Items | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| /* | ||
| Copyright 2024. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| // All fields are required unless explicitly marked optional | ||
| // +kubebuilder:validation:Required | ||
| package v1alpha1 | ||
|
|
||
| import ( | ||
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
| ) | ||
|
|
||
| // +genclient | ||
| //+kubebuilder:object:root=true | ||
| //+kubebuilder:subresource:status | ||
| //+kubebuilder:resource:scope=Namespaced | ||
|
|
||
| // TcNsProgram is the Schema for the TcNsProgram API | ||
| // +kubebuilder:printcolumn:name="BpfFunctionName",type=string,JSONPath=`.spec.bpffunctionname` | ||
| // +kubebuilder:printcolumn:name="NodeSelector",type=string,JSONPath=`.spec.nodeselector` | ||
| // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[0].reason` | ||
| // +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=`.spec.priority`,priority=1 | ||
| // +kubebuilder:printcolumn:name="Direction",type=string,JSONPath=`.spec.direction`,priority=1 | ||
| // +kubebuilder:printcolumn:name="InterfaceSelector",type=string,JSONPath=`.spec.interfaceselector`,priority=1 | ||
| // +kubebuilder:printcolumn:name="ProceedOn",type=string,JSONPath=`.spec.proceedon`,priority=1 | ||
| type TcNsProgram struct { | ||
| metav1.TypeMeta `json:",inline"` | ||
| metav1.ObjectMeta `json:"metadata,omitempty"` | ||
|
|
||
| Spec TcProgramSpec `json:"spec"` | ||
| // +optional | ||
| Status TcProgramStatus `json:"status,omitempty"` | ||
| } | ||
|
|
||
| // +kubebuilder:object:root=true | ||
| // TcNsProgramList contains a list of TcNsPrograms | ||
| type TcNsProgramList struct { | ||
| metav1.TypeMeta `json:",inline"` | ||
| metav1.ListMeta `json:"metadata,omitempty"` | ||
| Items []TcNsProgram `json:"items"` | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| /* | ||
| Copyright 2024. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| // All fields are required unless explicitly marked optional | ||
| // +kubebuilder:validation:Required | ||
| package v1alpha1 | ||
|
|
||
| import ( | ||
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
| ) | ||
|
|
||
| // +genclient | ||
| //+kubebuilder:object:root=true | ||
| //+kubebuilder:subresource:status | ||
| //+kubebuilder:resource:scope=Namespaced | ||
|
|
||
| // TcxNsProgram is the Schema for the TcxNsProgram API | ||
| // +kubebuilder:printcolumn:name="BpfFunctionName",type=string,JSONPath=`.spec.bpffunctionname` | ||
| // +kubebuilder:printcolumn:name="NodeSelector",type=string,JSONPath=`.spec.nodeselector` | ||
| // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[0].reason` | ||
| // +kubebuilder:printcolumn:name="Direction",type=string,JSONPath=`.spec.direction`,priority=1 | ||
| // +kubebuilder:printcolumn:name="InterfaceSelector",type=string,JSONPath=`.spec.interfaceselector`,priority=1 | ||
| // +kubebuilder:printcolumn:name="Position",type=string,JSONPath=`.spec.position`,priority=1 | ||
| // +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=`.spec.priority`,priority=1 | ||
| type TcxNsProgram struct { | ||
| metav1.TypeMeta `json:",inline"` | ||
| metav1.ObjectMeta `json:"metadata,omitempty"` | ||
|
|
||
| Spec TcxProgramSpec `json:"spec"` | ||
| // +optional | ||
| Status TcxProgramStatus `json:"status,omitempty"` | ||
| } | ||
|
|
||
| // +kubebuilder:object:root=true | ||
| // TcxNsProgramList contains a list of TcxNsPrograms | ||
| type TcxNsProgramList struct { | ||
| metav1.TypeMeta `json:",inline"` | ||
| metav1.ListMeta `json:"metadata,omitempty"` | ||
| Items []TcxNsProgram `json:"items"` | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| /* | ||
| Copyright 2024. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| // All fields are required unless explicitly marked optional | ||
| // +kubebuilder:validation:Required | ||
| package v1alpha1 | ||
|
|
||
| import ( | ||
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
| ) | ||
|
|
||
| // +genclient | ||
| //+kubebuilder:object:root=true | ||
| //+kubebuilder:subresource:status | ||
| //+kubebuilder:resource:scope=Namespaced | ||
|
|
||
| // UprobeNsProgram is the Schema for the UprobeNsPrograms API | ||
| // +kubebuilder:printcolumn:name="BpfFunctionName",type=string,JSONPath=`.spec.bpffunctionname` | ||
| // +kubebuilder:printcolumn:name="NodeSelector",type=string,JSONPath=`.spec.nodeselector` | ||
| // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[0].reason` | ||
| // +kubebuilder:printcolumn:name="FunctionName",type=string,JSONPath=`.spec.func_name`,priority=1 | ||
| // +kubebuilder:printcolumn:name="Offset",type=integer,JSONPath=`.spec.offset`,priority=1 | ||
| // +kubebuilder:printcolumn:name="Target",type=string,JSONPath=`.spec.target`,priority=1 | ||
| // +kubebuilder:printcolumn:name="RetProbe",type=boolean,JSONPath=`.spec.retprobe`,priority=1 | ||
| // +kubebuilder:printcolumn:name="Pid",type=integer,JSONPath=`.spec.pid`,priority=1 | ||
| type UprobeNsProgram struct { | ||
| metav1.TypeMeta `json:",inline"` | ||
| metav1.ObjectMeta `json:"metadata,omitempty"` | ||
|
|
||
| Spec UprobeProgramSpec `json:"spec"` | ||
| // +optional | ||
| Status UprobeProgramStatus `json:"status,omitempty"` | ||
| } | ||
|
|
||
| // +kubebuilder:object:root=true | ||
| // UprobeNsProgramList contains a list of UprobeNsPrograms | ||
| type UprobeNsProgramList struct { | ||
| metav1.TypeMeta `json:",inline"` | ||
| metav1.ListMeta `json:"metadata,omitempty"` | ||
| Items []UprobeNsProgram `json:"items"` | ||
| } |
Oops, something went wrong.