Added MirrordClusterPolicy

Razz4780 · Dec 10, 2024 · 4c7f358 · 4c7f358
1 parent 21a9f4c
commit 4c7f358
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 2 deletions.
diff --git a/mirrord/operator/src/crd/policy.rs b/mirrord/operator/src/crd/policy.rs
@@ -26,6 +26,8 @@ pub enum BlockedFeature {
 }
 
 /// Custom resource for policies that limit what mirrord features users can use.
+///
+/// This policy applies only to resources living in the same namespace.
 #[derive(CustomResource, Clone, Debug, Deserialize, Serialize, JsonSchema)]
 #[kube(
     // The operator group is handled by the operator, we want policies to be handled by k8s.
@@ -50,3 +52,37 @@ pub struct MirrordPolicySpec {
     /// List of features and operations blocked by this policy.
     pub block: Vec<BlockedFeature>,
 }
+
+/// Custom cluster-wide resource for policies that limit what mirrord features users can use.
+///
+/// This policy applies to resources across all namespaces in the cluster.
+#[derive(CustomResource, Clone, Debug, Deserialize, Serialize, JsonSchema)]
+#[kube(
+    // The operator group is handled by the operator, we want policies to be handled by k8s.
+    group = "policies.mirrord.metalbear.co",
+    version = "v1alpha",
+    kind = "MirrordClusterPolicy"
+)]
+#[serde(rename_all = "camelCase")] // target_path -> targetPath in yaml.
+pub struct MirrordClusterPolicySpec {
+    /// Specify the targets for which this policy applies, in the pod/my-pod deploy/my-deploy
+    /// notation. Targets can be matched using `*` and `?` where `?` matches exactly one
+    /// occurrence of any character and `*` matches arbitrary many (including zero) occurrences
+    /// of any character. If not specified, this policy does not depend on the target's path.
+    pub target_path: Option<String>,
+
+    /// If specified in a policy, the policy will only apply to targets with labels that match all
+    /// of the selector's rules.
+    pub selector: Option<LabelSelector>,
+
+    // TODO: make the k8s list type be set/map to prevent duplicates.
+    /// List of features and operations blocked by this policy.
+    pub block: Vec<BlockedFeature>,
+}
+
+#[test]
+fn check_one_api_group() {
+    use kube::Resource;
+
+    assert_eq!(MirrordPolicy::group(&()), MirrordClusterPolicy::group(&()),)
+}
diff --git a/mirrord/operator/src/setup.rs b/mirrord/operator/src/setup.rs
@@ -28,7 +28,7 @@ use thiserror::Error;
 
 use crate::crd::{
     kafka::{MirrordKafkaClientConfig, MirrordKafkaEphemeralTopic, MirrordKafkaTopicsConsumer},
-    policy::MirrordPolicy,
+    policy::{MirrordClusterPolicy, MirrordPolicy},
     MirrordOperatorUser, MirrordSqsSession, MirrordWorkloadQueueRegistry, TargetCrd,
 };
 
@@ -231,6 +231,9 @@ impl OperatorSetup for Operator {
         writer.write_all(b"---\n")?;
         MirrordPolicy::crd().to_writer(&mut writer)?;
 
+        writer.write_all(b"---\n")?;
+        MirrordClusterPolicy::crd().to_writer(&mut writer)?;
+
         if self.sqs_splitting {
             writer.write_all(b"---\n")?;
             MirrordWorkloadQueueRegistry::crd().to_writer(&mut writer)?;
@@ -563,8 +566,12 @@ impl OperatorClusterRole {
             },
             // Allow the operator to list+get mirrord policies.
             PolicyRule {
+                // Both namespaced and cluster-wide policies live in the same API group.
                 api_groups: Some(vec![MirrordPolicy::group(&()).into_owned()]),
-                resources: Some(vec![MirrordPolicy::plural(&()).into_owned()]),
+                resources: Some(vec![
+                    MirrordPolicy::plural(&()).into_owned(),
+                    MirrordClusterPolicy::plural(&()).into_owned(),
+                ]),
                 verbs: vec!["list".to_owned(), "get".to_owned()],
                 ..Default::default()
             },