Add support for AdminNetworkPolicy (#3501)

pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml

@@ -264,6 +264,17 @@ spec:
                   information about the BPF policy programs, which can be examined
                   with the calico-bpf command-line tool.
                 type: boolean
+              bpfRedirectToPeer:
+                description: 'BPFRedirectToPeer controls which whether it is allowed
+                  to forward straight to the peer side of the workload devices. It
+                  is allowed for any host L2 devices by default (L2Only), but it breaks
+                  TCP dump on the host side of workload device as it bypasses it on
+                  ingress. Value of Enabled also allows redirection from L3 host devices
+                  like IPIP tunnel or Wireguard directly to the peer side of the workload''s
+                  device. This makes redirection faster, however, it breaks tools
+                  like tcpdump on the peer side. Use Enabled with caution. [Default:
+                  L2Only]'
+                type: string
               chainInsertMode:
                 description: 'ChainInsertMode controls whether Felix hooks the kernel''s
                   top-level iptables chains by inserting a rule at the top of the

pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml

@@ -102,6 +102,17 @@ spec:
                   This will be deprecated. Use BPFConnectTimeLoadBalancing [Default:
                   true]'
                 type: boolean
+              bpfDNSPolicyMode:
+                description: 'BPFDNSPolicyMode specifies how DNS policy programming
+                  will be handled. Inline - BPF parses DNS response inline with DNS
+                  response packet processing. This guarantees the DNS rules reflect
+                  any change immediately. NoDelay - Felix does not introduce any delay
+                  to the packets. DNS rules may not have been programmed by the time
+                  the first packet traverses the policy rules. Client applications
+                  need to handle reconnection attempts if initial connection attempts
+                  fail. This may be problematic for some applications or for very
+                  low DNS TTLs. [Default: Inline]'
+                type: string
               bpfDSROptoutCIDRs:
                 description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded
                   from DSR. That is, clients in those CIDRs will accesses nodeports
@@ -485,9 +496,9 @@ spec:
                   programmed by the time the first packet traverses the policy rules.
                   Client applications need to handle reconnection attempts if initial
                   connection attempts fail. This may be problematic for some applications
-                  or for very low DNS TTLs. \n On Windows, or when using the eBPF
-                  dataplane, this setting is ignored and \"NoDelay\" is always used.
-                  \n [Default: DelayDeniedPacket]"
+                  or for very low DNS TTLs. \n This setting is ignored on Windows
+                  and \"NoDelay\" is always used. \n This setting is ignored by eBPF
+                  and BPFDNSPolicyMode is used instead. \n [Default: DelayDeniedPacket]"
                 enum:
                 - NoDelay
                 - DelayDeniedPacket

pkg/render/apiserver.go

@@ -566,12 +566,18 @@ func (c *apiServerComponent) calicoCustomResourcesClusterRole() *rbacv1.ClusterR
 		},
 		{
 			// Kubernetes network policy resources.
-			APIGroups: []string{
-				"networking.k8s.io",
-			},
-			Resources: []string{
-				"networkpolicies",
+			APIGroups: []string{"networking.k8s.io"},
+			Resources: []string{"networkpolicies"},
+			Verbs: []string{
+				"get",
+				"list",
+				"watch",
 			},
+		},
+		{
+			// Kubernetes admin network policy resources.
+			APIGroups: []string{"policy.networking.k8s.io"},
+			Resources: []string{"adminnetworkpolicies"},
 			Verbs: []string{
 				"get",
 				"list",

pkg/render/node.go

@@ -397,6 +397,12 @@ func (c *nodeComponent) nodeRole() *rbacv1.ClusterRole {
 				Resources: []string{"networkpolicies"},
 				Verbs:     []string{"watch", "list"},
 			},
+			{
+				// For enforcing admin network policies.
+				APIGroups: []string{"policy.networking.k8s.io"},
+				Resources: []string{"adminnetworkpolicies"},
+				Verbs:     []string{"watch", "list"},
+			},
 			{
 				// Metadata from these are used in conjunction with network policy.
 				APIGroups: []string{""},

pkg/render/nonclusterhost/nonclusterhost.go

@@ -119,6 +119,12 @@ func (c *nonClusterHostComponent) clusterRole() *rbacv1.ClusterRole {
 			Resources: []string{"networkpolicies"},
 			Verbs:     []string{"watch", "list"},
 		},
+		{
+			// For enforcing admin network policies.
+			APIGroups: []string{"policy.networking.k8s.io"},
+			Resources: []string{"adminnetworkpolicies"},
+			Verbs:     []string{"watch", "list"},
+		},
 		{
 			// Metadata from these are used in conjunction with network policy.
 			APIGroups: []string{""},

pkg/render/typha.go

@@ -223,6 +223,12 @@ func (c *typhaComponent) typhaRole() *rbacv1.ClusterRole {
 				Resources: []string{"networkpolicies"},
 				Verbs:     []string{"watch", "list"},
 			},
+			{
+				// For enforcing admin network policies.
+				APIGroups: []string{"policy.networking.k8s.io"},
+				Resources: []string{"adminnetworkpolicies"},
+				Verbs:     []string{"watch", "list"},
+			},
 			{
 				// Metadata from these are used in conjunction with network policy.
 				APIGroups: []string{""},