projectcalico · caseydavenport · Sep 17, 2024 · Sep 10, 2024 · Sep 10, 2024 · Sep 10, 2024
diff --git a/api/pkg/apis/projectcalico/v3/policy_common.go b/api/pkg/apis/projectcalico/v3/policy_common.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2017-2018,2020-2021 Tigera, Inc. All rights reserved.
+// Copyright (c) 2017-2024 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -34,6 +34,12 @@ const (
 // criteria within a rule must be satisfied for a packet to match. A single rule can contain
 // the positive and negative version of a match and both must be satisfied for the rule to match.
 type Rule struct {
+	// Name is an identifier for this rule, that may be no more than 100 characters
+	// in length. This field is to improve observability and readability of rules.
+	// +optional
+	// +kubebuilder:validation:MaxLength=100
+	Name string `json:"name,omitempty"`
+	// Rule's action
 	Action Action `json:"action" validate:"action"`
 	// IPVersion is an optional field that restricts the rule to only match a specific IP
 	// version.

@@ -37,7 +37,8 @@ type Tier struct {
 }
 
 const (
-	DefaultTierOrder = float64(1_000_000) // 1 Million
+	DefaultTierOrder            = float64(1_000_000) // 1Million
+	AdminNetworkPolicyTierOrder = float64(1_000)     // 1K
 )
 
 // TierSpec contains the specification for a security policy tier resource.

diff --git a/api/pkg/openapi/openapi_generated.go b/api/pkg/openapi/openapi_generated.go
@@ -14,9 +14,9 @@ import (
 
 	v3 "github.com/projectcalico/api/pkg/apis/projectcalico/v3"
 
-	"github.com/projectcalico/calico/libcalico-go/lib/backend/k8s/conversion"
 	"github.com/projectcalico/calico/libcalico-go/lib/clientv3"
 	cerrors "github.com/projectcalico/calico/libcalico-go/lib/errors"
+	"github.com/projectcalico/calico/libcalico-go/lib/names"
 	"github.com/projectcalico/calico/libcalico-go/lib/options"
 	"github.com/projectcalico/calico/libcalico-go/lib/watch"
 )
@@ -27,7 +27,7 @@ func NewNetworkPolicyStorage(opts Options) (registry.DryRunnableStorage, factory
 	createFn := func(ctx context.Context, c clientv3.Interface, obj resourceObject, opts clientOpts) (resourceObject, error) {
 		oso := opts.(options.SetOptions)
 		res := obj.(*v3.NetworkPolicy)
-		if strings.HasPrefix(res.Name, conversion.K8sNetworkPolicyNamePrefix) {
+		if strings.HasPrefix(res.Name, names.K8sNetworkPolicyNamePrefix) {
 			return nil, cerrors.ErrorOperationNotSupported{
 				Operation:  "create or apply",
 				Identifier: obj,
@@ -39,7 +39,7 @@ func NewNetworkPolicyStorage(opts Options) (registry.DryRunnableStorage, factory
 	updateFn := func(ctx context.Context, c clientv3.Interface, obj resourceObject, opts clientOpts) (resourceObject, error) {
 		oso := opts.(options.SetOptions)
 		res := obj.(*v3.NetworkPolicy)
-		if strings.HasPrefix(res.Name, conversion.K8sNetworkPolicyNamePrefix) {
+		if strings.HasPrefix(res.Name, names.K8sNetworkPolicyNamePrefix) {
 			return nil, cerrors.ErrorOperationNotSupported{
 				Operation:  "update or apply",
 				Identifier: obj,
@@ -54,7 +54,7 @@ func NewNetworkPolicyStorage(opts Options) (registry.DryRunnableStorage, factory
 	}
 	deleteFn := func(ctx context.Context, c clientv3.Interface, ns string, name string, opts clientOpts) (resourceObject, error) {
 		odo := opts.(options.DeleteOptions)
-		if strings.HasPrefix(name, conversion.K8sNetworkPolicyNamePrefix) {
+		if strings.HasPrefix(name, names.K8sNetworkPolicyNamePrefix) {
 			return nil, cerrors.ErrorOperationNotSupported{
 				Operation:  "delete",
 				Identifier: name,

@@ -29,6 +29,7 @@ import (
 
 	"github.com/projectcalico/calico/libcalico-go/lib/apiconfig"
 	"github.com/projectcalico/calico/libcalico-go/lib/clientv3"
+	"github.com/projectcalico/calico/libcalico-go/lib/names"
 	"github.com/projectcalico/calico/libcalico-go/lib/options"
 
 	v3 "github.com/projectcalico/api/pkg/apis/projectcalico/v3"
@@ -522,13 +523,19 @@ func TestTierList(t *testing.T) {
 		}
 	}
 
-	defaultTier := makeTier("", "", v3.DefaultTierOrder)
 	opts := storage.GetOptions{IgnoreNotFound: false}
+	defaultTier := makeTier(names.DefaultTierName, "", v3.DefaultTierOrder)
 	err := store.Get(ctx, "projectcalico.org/tiers/default", opts, defaultTier)
 	if err != nil {
 		t.Fatalf("Get failed: %v", err)
 	}
 
+	anpTier := makeTier(names.AdminNetworkPolicyTierName, "", v3.AdminNetworkPolicyTierOrder)
+	err = store.Get(ctx, "projectcalico.org/tiers/adminnetworkpolicy", opts, anpTier)
+	if err != nil {
+		t.Fatalf("Get failed: %v", err)
+	}
+
 	tests := []struct {
 		prefix      string
 		pred        storage.SelectionPredicate
@@ -547,7 +554,7 @@ func TestTierList(t *testing.T) {
 				return nil, fields.Set{"metadata.name": tier.Name}, nil
 			},
 		},
-		expectedOut: []*v3.Tier{preset[1].storedObj, defaultTier},
+		expectedOut: []*v3.Tier{anpTier, preset[1].storedObj, defaultTier},
 	}}
 
 	for i, tt := range tests {

@@ -32,6 +32,7 @@ import (
 	"github.com/projectcalico/calico/calicoctl/calicoctl/commands/resourceloader"
 	"github.com/projectcalico/calico/calicoctl/calicoctl/util"
 	"github.com/projectcalico/calico/libcalico-go/lib/apis/v1/unversioned"
+	"github.com/projectcalico/calico/libcalico-go/lib/names"
 
 	cconversion "github.com/projectcalico/calico/libcalico-go/lib/backend/k8s/conversion"
 	"github.com/projectcalico/calico/libcalico-go/lib/upgrade/converters"
@@ -217,10 +218,8 @@ func convertK8sResource(convResource unversioned.Resource) (converters.Resource,
 
 		// Trim K8sNetworkPolicyNamePrefix from the policy name (the K8sNetworkPolicyToCalico
 		// function adds it for when it is used for coexisting calico/k8s policies).
-		k8snp.Name = strings.TrimPrefix(k8snp.Name, cconversion.K8sNetworkPolicyNamePrefix)
-
+		k8snp.Name = strings.TrimPrefix(k8snp.Name, names.K8sNetworkPolicyNamePrefix)
 		res = k8snp
-
 	default:
 		return nil, fmt.Errorf("conversion for the k8s resource type '%s' is not supported", k8sResKind)
 	}