
add release channels and support levels
Add stable and experimental release channels in line with the gateway-api.

Currently all of the APIs we provide are experimental since they are at
the alpha version.

Add documentation on the new channels and update our NPEP process
slightly.

Update our CRD generation tooling to use the newly defined channels.

Add documentation for support levels.

Add support level annotations to all of our API fields. This will allow
us to mark some features as Stable, Extended or Implementation-specific.

Signed-off-by: Andrew Stoycos <[email protected]>
astoycos committed Sep 29, 2023
1 parent 639f674 commit 461f58c
Showing 15 changed files with 2,490 additions and 266 deletions.
39 changes: 39 additions & 0 deletions apis/v1alpha1/adminnetworkpolicy_types.go
Expand Up @@ -57,11 +57,17 @@ type AdminNetworkPolicySpec struct {
// All AdminNetworkPolicy rules have higher precedence than NetworkPolicy or
// BaselineAdminNetworkPolicy rules
// The behavior is undefined if two ANP objects have same priority.
//
// Support: Core
//
// +kubebuilder:validation:Minimum=0
// +kubebuilder:validation:Maximum=1000
Priority int32 `json:"priority"`

// Subject defines the pods to which this AdminNetworkPolicy applies.
//
// Support: Core
//
Subject AdminNetworkPolicySubject `json:"subject"`

// Ingress is the list of Ingress rules to be applied to the selected pods.
Expand All @@ -71,6 +77,9 @@ type AdminNetworkPolicySpec struct {
// is written. Thus, a rule that appears at the top of the ingress rules
// would take the highest precedence.
// ANPs with no ingress rules do not affect ingress traffic.
//
// Support: Core
//
// +optional
// +kubebuilder:validation:MaxItems=100
Ingress []AdminNetworkPolicyIngressRule `json:"ingress,omitempty"`
Expand All @@ -82,6 +91,9 @@ type AdminNetworkPolicySpec struct {
// is written. Thus, a rule that appears at the top of the egress rules
// would take the highest precedence.
// ANPs with no egress rules do not affect egress traffic.
//
// Support: Core
//
// +optional
// +kubebuilder:validation:MaxItems=100
Egress []AdminNetworkPolicyEgressRule `json:"egress,omitempty"`
Expand All @@ -95,6 +107,9 @@ type AdminNetworkPolicyIngressRule struct {
// in length. This field should be used by the implementation to help
// improve observability, readability and error-reporting for any applied
// AdminNetworkPolicies.
//
// Support: Core
//
// +optional
// +kubebuilder:validation:MaxLength=100
Name string `json:"name,omitempty"`
Expand All @@ -107,12 +122,18 @@ type AdminNetworkPolicyIngressRule struct {
// then pass execution to any NetworkPolicies that select the pod.
// If the pod is not selected by any NetworkPolicies then execution
// is passed to any BaselineAdminNetworkPolicies that select the pod.
//
// Support: Core
//
Action AdminNetworkPolicyRuleAction `json:"action"`

// From is the list of sources whose traffic this rule applies to.
// If any AdminNetworkPolicyPeer matches the source of incoming
// traffic then the specified action is applied.
// This field must be defined and contain at least one item.
//
// Support: Core
//
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=100
From []AdminNetworkPolicyPeer `json:"from"`
Expand All @@ -122,6 +143,9 @@ type AdminNetworkPolicyIngressRule struct {
// the pods selected for this policy i.e the subject of the policy.
// So it matches on the destination port for the ingress traffic.
// If Ports is not set then the rule does not filter traffic via port.
//
// Support: Core
//
// +optional
// +kubebuilder:validation:MaxItems=100
Ports *[]AdminNetworkPolicyPort `json:"ports,omitempty"`
Expand All @@ -135,6 +159,9 @@ type AdminNetworkPolicyEgressRule struct {
// in length. This field should be used by the implementation to help
// improve observability, readability and error-reporting for any applied
// AdminNetworkPolicies.
//
// Support: Core
//
// +optional
// +kubebuilder:validation:MaxLength=100
Name string `json:"name,omitempty"`
Expand All @@ -147,25 +174,37 @@ type AdminNetworkPolicyEgressRule struct {
// then pass execution to any NetworkPolicies that select the pod.
// If the pod is not selected by any NetworkPolicies then execution
// is passed to any BaselineAdminNetworkPolicies that select the pod.
//
// Support: Core
//
Action AdminNetworkPolicyRuleAction `json:"action"`

// To is the List of destinations whose traffic this rule applies to.
// If any AdminNetworkPolicyPeer matches the destination of outgoing
// traffic then the specified action is applied.
// This field must be defined and contain at least one item.
//
// Support: Core
//
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=100
To []AdminNetworkPolicyPeer `json:"to"`

// Ports allows for matching traffic based on port and protocols.
// This field is a list of destination ports for the outging egress traffic.
// If Ports is not set then the rule does not filter traffic via port.
//
// Support: Core
//
// +optional
// +kubebuilder:validation:MaxItems=100
Ports *[]AdminNetworkPolicyPort `json:"ports,omitempty"`
}

// AdminNetworkPolicyRuleAction string describes the AdminNetworkPolicy action type.
//
// Support: Core
//
// +enum
type AdminNetworkPolicyRuleAction string

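Review bot: Every field and the AdminNetworkPolicyRuleAction type in this file now carry `// Support: Core`, but nothing in the file says what a support level means or where the levels are defined, so a reader of the Go doc or of the generated CRD description has no pointer to follow. Consider a sentence in the package doc comment (outside this hunk) such as `// Support levels (Core, Extended, Implementation-specific) are defined in the project's support-level documentation.` The commit description names the levels as Stable, Extended or Implementation-specific while the annotations added here use Core, so the documentation and the annotation vocabulary should be reconciled. The AdminNetworkPolicySpec struct begins before the first hunk of this section.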
33 changes: 33 additions & 0 deletions apis/v1alpha1/baselineadminnetworkpolicy_types.go
Expand Up @@ -51,6 +51,9 @@ type BaselineAdminNetworkPolicyStatus struct {
// BaselineAdminNetworkPolicy.
type BaselineAdminNetworkPolicySpec struct {
// Subject defines the pods to which this BaselineAdminNetworkPolicy applies.
//
// Support: Core
//
Subject AdminNetworkPolicySubject `json:"subject"`

// Ingress is the list of Ingress rules to be applied to the selected pods
Expand All @@ -61,6 +64,9 @@ type BaselineAdminNetworkPolicySpec struct {
// Thus, a rule that appears at the top of the ingress rules
// would take the highest precedence.
// BANPs with no ingress rules do not affect ingress traffic.
//
// Support: Core
//
// +optional
// +kubebuilder:validation:MaxItems=100
Ingress []BaselineAdminNetworkPolicyIngressRule `json:"ingress,omitempty"`
Expand All @@ -73,6 +79,9 @@ type BaselineAdminNetworkPolicySpec struct {
// Thus, a rule that appears at the top of the egress rules
// would take the highest precedence.
// BANPs with no egress rules do not affect egress traffic.
//
// Support: Core
//
// +optional
// +kubebuilder:validation:MaxItems=100
Egress []BaselineAdminNetworkPolicyEgressRule `json:"egress,omitempty"`
Expand All @@ -86,6 +95,9 @@ type BaselineAdminNetworkPolicyIngressRule struct {
// in length. This field should be used by the implementation to help
// improve observability, readability and error-reporting for any applied
// BaselineAdminNetworkPolicies.
//
// Support: Core
//
// +optional
// +kubebuilder:validation:MaxLength=100
Name string `json:"name,omitempty"`
Expand All @@ -94,12 +106,18 @@ type BaselineAdminNetworkPolicyIngressRule struct {
// Currently the following actions are supported:
// Allow: allows the selected traffic
// Deny: denies the selected traffic
//
// Support: Core
//
Action BaselineAdminNetworkPolicyRuleAction `json:"action"`

// From is the list of sources whose traffic this rule applies to.
// If any AdminNetworkPolicyPeer matches the source of incoming
// traffic then the specified action is applied.
// This field must be defined and contain at least one item.
//
// Support: Core
//
// +kubebuilder:validation:MinItems=1
From []AdminNetworkPolicyPeer `json:"from"`

Expand All @@ -108,6 +126,9 @@ type BaselineAdminNetworkPolicyIngressRule struct {
// the pods selected for this policy i.e the subject of the policy.
// So it matches on the destination port for the ingress traffic.
// If Ports is not set then the rule does not filter traffic via port.
//
// Support: Core
//
// +optional
// +kubebuilder:validation:MaxItems=100
Ports *[]AdminNetworkPolicyPort `json:"ports,omitempty"`
Expand All @@ -121,6 +142,9 @@ type BaselineAdminNetworkPolicyEgressRule struct {
// in length. This field should be used by the implementation to help
// improve observability, readability and error-reporting for any applied
// BaselineAdminNetworkPolicies.
//
// Support: Core
//
// +optional
// +kubebuilder:validation:MaxLength=100
Name string `json:"name,omitempty"`
Expand All @@ -129,13 +153,19 @@ type BaselineAdminNetworkPolicyEgressRule struct {
// Currently the following actions are supported:
// Allow: allows the selected traffic
// Deny: denies the selected traffic
//
// Support: Core
//
Action BaselineAdminNetworkPolicyRuleAction `json:"action"`

// To is the list of destinations whose traffic this rule applies to.
// If any AdminNetworkPolicyPeer matches the destination of outgoing
// traffic then the specified action is applied.
// This field must be defined and contain at least one item.
// +kubebuilder:validation:MinItems=1
//
// Support: Core
//
To []AdminNetworkPolicyPeer `json:"to"`

// Ports allows for matching traffic based on port and protocols.
Expand All @@ -148,6 +178,9 @@ type BaselineAdminNetworkPolicyEgressRule struct {

// BaselineAdminNetworkPolicyRuleAction string describes the BaselineAdminNetworkPolicy
// action type.
//
// Support: Core
//
// +enum
type BaselineAdminNetworkPolicyRuleAction string

Expand Down
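Review bot: On the `To` field of BaselineAdminNetworkPolicyEgressRule the `// +kubebuilder:validation:MinItems=1` marker is left between the description and the new `// Support: Core` block, whereas every other field in this file (for example `From` just above) places the marker lines after the support block; move the marker below the block so the doc text reads uniformly and the layout matches the rest of the API. While looking at these two fields: the BANP `From` and `To` lists carry only `MinItems=1`, while their AdminNetworkPolicy counterparts also carry `// +kubebuilder:validation:MaxItems=100`; if that omission is not deliberate, an unbounded peer list is worth capping here as well, since list size drives validation cost on every admission. The enclosing structs begin before their hunks.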
48 changes: 48 additions & 0 deletions apis/v1alpha1/shared_types.go
Expand Up @@ -51,27 +51,43 @@ type NamespacedPodSubject struct {
// +kubebuilder:validation:MinProperties=1
type AdminNetworkPolicyPort struct {
// Port selects a port on a pod(s) based on number.
//
// Support: Core
//
// +optional
PortNumber *Port `json:"portNumber,omitempty"`

// NamedPort selects a port on a pod(s) based on name.
//
// Support: Extended
//
// <network-policy-api:experimental>
// +optional
NamedPort *string `json:"namedPort,omitempty"`

// PortRange selects a port range on a pod(s) based on provided start and end
// values.
//
// Support: Core
//
// +optional
PortRange *PortRange `json:"portRange,omitempty"`
}

type Port struct {
// Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
// match. If not specified, this field defaults to TCP.
//
// Support: Core
//
Protocol v1.Protocol `json:"protocol"`

// Number defines a network port value.
// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Maximum=65535
//
// Support: Core
//
Port int32 `json:"port"`
}

Expand All @@ -80,18 +96,27 @@ type Port struct {
type PortRange struct {
// Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
// match. If not specified, this field defaults to TCP.
//
// Support: Core
//
Protocol v1.Protocol `json:"protocol,omitempty"`

// Start defines a network port that is the start of a port range, the Start
// value must be less than End.
// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Maximum=65535
//
// Support: Core
//
Start int32 `json:"start"`

// End defines a network port that is the end of a port range, the End value
// must be greater than Start.
// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Maximum=65535
//
// Support: Core
//
End int32 `json:"end"`
}

Expand All @@ -103,10 +128,16 @@ type PortRange struct {
// +kubebuilder:validation:MinProperties=1
type AdminNetworkPolicyPeer struct {
// Namespaces defines a way to select a set of Namespaces.
//
// Support: Core
//
// +optional
Namespaces *NamespacedPeer `json:"namespaces,omitempty"`
// Pods defines a way to select a set of pods in
// in a set of namespaces.
//
// Support: Core
//
// +optional
Pods *NamespacedPodPeer `json:"pods,omitempty"`
}
Expand All @@ -121,6 +152,9 @@ type NamespacedPeer struct {
// NamespaceSelector is a labelSelector used to select Namespaces, This field
// follows standard label selector semantics; if present but empty, it selects
// all Namespaces.
//
// Support: Core
//
// +optional
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`

Expand All @@ -129,6 +163,10 @@ type NamespacedPeer struct {
// To be selected a Namespace must have all of the labels defined in SameLabels,
// AND they must all have the same value as the subject of this policy.
// If Samelabels is Empty then nothing is selected.
//
// Support: Extended
//
// <network-policy-api:experimental>
// +optional
// +kubebuilder:validation:MaxItems=100
SameLabels []string `json:"sameLabels,omitempty"`
Expand All @@ -138,6 +176,10 @@ type NamespacedPeer struct {
// To be selected a Namespace must have all of the labels defined in NotSameLabels,
// AND at least one of them must have different values than the subject of this policy.
// If NotSameLabels is empty then nothing is selected.
//
// Support: Extended
//
// <network-policy-api:experimental>
// +optional
// +kubebuilder:validation:MaxItems=100
NotSameLabels []string `json:"notSameLabels,omitempty"`
Expand All @@ -147,10 +189,16 @@ type NamespacedPeer struct {
// cluster. The `Namespaces` and `PodSelector` fields are required.
type NamespacedPodPeer struct {
// Namespaces is used to select a set of Namespaces.
//
// Support: Core
//
Namespaces NamespacedPeer `json:"namespaces"`

// PodSelector is a labelSelector used to select Pods, This field is NOT optional,
// follows standard label selector semantics and if present but empty, it selects
// all Pods.
//
// Support: Core
//
PodSelector metav1.LabelSelector `json:"podSelector"`
}
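Review bot: The `<network-policy-api:experimental>` tag on NamedPort, SameLabels and NotSameLabels sits inside the Go doc comment, and controller-gen copies doc comments verbatim into the CRD field description, so unless the updated generation tooling strips the tag it will appear in the descriptions of both channels' CRDs; the tooling change is not in this section, so this needs confirming rather than assuming. A one-line comment next to the first use, `// <network-policy-api:experimental> marks a field that is only emitted in the experimental channel CRDs.`, would also tell readers of this file what the tag does. Separately, in `Port` and `PortRange` the `+kubebuilder:validation:Minimum`/`Maximum` markers are placed before the `// Support: Core` block while the other fields in this file place markers after it; aligning the order keeps the generated description text consistent. The NamespacedPodSubject struct and the PortRange/NamespacedPeer hunks begin before their respective hunk headers.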
