Implement Cluster Network Policy #10810
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
marvin-tigera
added
release-note-required
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR introduces support for Kubernetes Cluster Network Policy (ClusterNetworkPolicy) from the network-policy-api v1alpha2. The implementation adds new tiers (admin and baseline) for cluster-scoped network policies and integrates ClusterNetworkPolicy handling into the Calico data path.
Key changes:
- Adds new admin and baseline tier constants and initialization logic
- Implements ClusterNetworkPolicy client and conversion functions
- Updates dependency versions for Kubernetes and network-policy-api
Reviewed Changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| libcalico-go/lib/names/policy.go | Adds tier names and policy name prefixes for admin/baseline cluster policies |
| libcalico-go/lib/clientv3/client.go | Initializes admin and baseline tiers during client setup |
| libcalico-go/lib/backend/syncersv1/felixsyncer/felixsyncerv1.go | Registers ClusterNetworkPolicy resource type for Felix syncing |
| libcalico-go/lib/backend/model/resource.go | Registers ClusterNetworkPolicy resource info |
| libcalico-go/lib/backend/model/kubeclusternetworkpolicy.go | Defines ClusterNetworkPolicy kind constant |
| libcalico-go/lib/backend/k8s/resources/kubeclusternetworkpolicy.go | Implements K8s client for ClusterNetworkPolicy resources |
| libcalico-go/lib/backend/k8s/k8s.go | Adds ClusterNetworkPolicy client initialization |
| libcalico-go/lib/backend/k8s/conversion/conversion.go | Adds conversion interface for ClusterNetworkPolicy |
| go.mod | Updates Kubernetes dependencies and adds network-policy-api dependency |
| felix/fv/infrastructure/infra_k8s.go | Updates tier cleanup to include new static tiers |
| api/pkg/apis/projectcalico/v3/tier.go | Adds tier order constants for admin and baseline tiers |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
libcalico-go/lib/backend/k8s/resources/kubeclusternetworkpolicy.go
Outdated
Show resolved
Hide resolved
This was referenced Sep 17, 2025
🔗 Link your GitHub account to AtlassianTo enable Code Reviewer, please link your GitHub account to your Atlassian account. Click here to connect your accounts This is a one-time setup that takes less than a minute. |
This was referenced Oct 7, 2025
Merged
mazdakn
changed the title
mazdakn
force-pushed
the
cluster-network-policy
branch
from
edcec43 to
ec976a0
Compare
mazdakn
commented
Oct 22, 2025
metadata.mk
Outdated
|
|
||
| # The operator branch corresponding to this branch. | ||
| OPERATOR_BRANCH ?= master | ||
| OPERATOR_BRANCH ?= clusternetworkpolicy |
Member
Author
There was a problem hiding this comment.
Will revert this change when the operator PR is merged: tigera/operator#4155
fasaxc
approved these changes
Nov 7, 2025
Member
fasaxc
left a comment
fasaxc
left a comment
There was a problem hiding this comment.
LGTM, remember to fix OPERATOR_BRANCH.
libcalico-go/lib/backend/k8s/conversion/clusternetworkpolicy.go
Outdated
Show resolved
Hide resolved
3 tasks
5 tasks
sabags
pushed a commit
to sabags/calico
that referenced
this pull request
Dec 1, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR implements ClusterNetwokrPolicy. It includes:
kube-admin, andkube-baseline.ClusterNetworkPolicyresources toGlobalNetworkPolicy.Adminis placed into Calicokube-admintier.Baselineis placed into Calicokube-baselinetier.This PR tracks the main branch of upstream repo: https://github.com/kubernetes-sigs/network-policy-api/tree/main
A follow up PR will pin to a specific tag when it's created upstream.
Related issues/PRs
Operator: tigera/operator#4155
Removing ANP/BANP: #11144
Goldmane support: #11417
Docs: tigera/docs#2416
Todos
Release Note
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one
docs-*label.docs-pr-required: This change requires a change to the documentation that has not been completed yet.docs-completed: This change has all necessary documentation completed.docs-not-required: This change has no user-facing impact and requires no docs.Every PR needs one
release-note-*label.release-note-required: This PR has user-facing changes. Most PRs should have this label.release-note-not-required: This PR has no user-facing changes.Other optional labels:
cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.