
feat: NetworkPolicy, ResourceQuota, LimitRange, ClusterRole, ClusterRoleBinding as first-class resource types#190

Merged
iAlexeze merged 4 commits into main from feat/networkpolicy-resourcequota-limitrange on Jun 26, 2026

Conversation


@iAlexeze iAlexeze commented Jun 26, 2026

Collaborator

Summary

  • Five new first-class resource types: NetworkPolicy, ResourceQuota, LimitRange, ClusterRole, ClusterRoleBinding — fully implemented with Create/Update/Delete/CopyToNamespaces/Resolve and wired into the reconciler and builtins Detect registry.
  • Two new profile families: networkpolicy (deny-all, deny-all-ingress, deny-all-egress, allow-same-namespace, allow-dns-egress) and resourcequota (small, medium, large, xlarge).
  • Simulate: cross-namespace copy auto-skip — resources with fromNamespace/toNamespaces are automatically filtered before the fake reconciler runs. A note is printed for each skipped resource. Previously these errored and blocked all subsequent resources in the cycle.
  • Unit tests for every profile collector and every profile validator.
  • ork validate UX: Simulate and Motif output now use the same header + description + structured fields format as Katalog and E2E.
  • Docs: resource-types reference page, ResourceQuota/NetworkPolicy profile guides, simulate limitations updated.

Notes

  • ClusterRole and ClusterRoleBinding are cluster-scoped: no OwnerReferences. Ownership tracked via labels.OrkestraOwner, same pattern as Namespaces.
  • fromNamespace/toNamespaces copy resources are silently skipped in ork simulate with an explanatory note; they are fully exercised by ork e2e.

Test plan

  • make ork passes
  • go test ./pkg/types/... ./pkg/katalog/... — all new and existing tests pass
  • ork validate on a katalog using NetworkPolicy and ResourceQuota profiles
  • ork simulate with cross-namespace resources — PASS with skip note

iAlexeze added 4 commits June 26, 2026 16:13
…rRole, ClusterRoleBinding as first-class types

Promotes five resource types from PlaceholderSource stubs to fully implemented
Orkestra resources with Create/Update/Delete/CopyToNamespaces/Resolve support.

ClusterRole and ClusterRoleBinding are cluster-scoped and cannot carry
OwnerReferences to a namespace-scoped CR; ownership is tracked via the
labels.OrkestraOwner label instead, matching the pattern used by Namespaces.

Fixes IsEmpty() and FilterResources()/MergeFrom() to cover all five new types
so motif expander and condition-based resource filtering handle them correctly.
NetworkPolicy profiles: deny-all, deny-all-ingress, deny-all-egress,
allow-same-namespace, allow-dns-egress.

ResourceQuota profiles: small (2 cpu / 4Gi), medium (4 cpu / 8Gi),
large (8 cpu / 16Gi), xlarge (16 cpu / 32Gi).

Profiles are applied in each resource package's Resolve() and are mutually
exclusive with explicit inline fields.
…oad time

Adds CollectNetworkPolicyProfileEntries / CollectResourceQuotaProfileEntries
collectors and wires validateNetworkPolicyProfiles / validateResourceQuotaProfiles
into ValidateConfig as steps 30 and 31.

Unknown profile names and mixed profile+explicit-fields declarations are both
rejected with actionable error messages. Template expressions ({{ ... }}) are
deferred to reconcile time.

Also adds validateCrossNamespaceOps (step 32) which rejects katalogs where
fromNamespace is set without toNamespaces or vice versa.

Unit test coverage for all six profile validator families (HPA, PDB,
RollingUpdate, NetworkPolicy, ResourceQuota) and their underlying collectors.
…cy profile docs

- documentation/reference/schema/02-katalog/16-resource-types.md: supported
  and not-yet-supported resource types, ClusterRole ownership note
- documentation/concepts/profiles/08-resourcequota-profile.md: small/medium/
  large/xlarge presets, mutual exclusivity rules, dynamic profile selection
- documentation/concepts/profiles/09-networkpolicy-profile.md: all five
  profiles, layered composition example, how deny-all works
- contributing-resources.md: updated tables to reflect the five newly
  implemented types
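The load-time checks described above (unknown profile names rejected, profile and explicit fields mutually exclusive, template expressions deferred to reconcile time, fromNamespace/toNamespaces required together) and the simulate auto-skip from the PR summary, modelled as an added example. This is not Orkestra's own code: the `ResourceQuotaEntry` struct, its field names and the function names are assumptions made for this example; the preset cpu/memory values are the ones listed in the commit message.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Simplified stand-in for a katalog ResourceQuota entry. Field names are
// assumptions for this example, not Orkestra's types.
type ResourceQuotaEntry struct {
	Name          string
	Profile       string            // preset name, or a "{{ ... }}" template
	Hard          map[string]string // explicit inline hard limits
	FromNamespace string            // cross-namespace copy source
	ToNamespaces  []string          // cross-namespace copy targets
}

// Preset values as listed in the commit message (cpu / memory).
var resourceQuotaPresets = map[string]map[string]string{
	"small":  {"cpu": "2", "memory": "4Gi"},
	"medium": {"cpu": "4", "memory": "8Gi"},
	"large":  {"cpu": "8", "memory": "16Gi"},
	"xlarge": {"cpu": "16", "memory": "32Gi"},
}

var (
	ErrUnknownProfile     = errors.New("unknown resourcequota profile")
	ErrProfileAndExplicit = errors.New("profile and explicit hard fields are mutually exclusive")
	ErrCrossNamespace     = errors.New("fromNamespace and toNamespaces must be set together")
	ErrDeferred           = errors.New("template profile is resolved at reconcile time")
)

// isTemplate reports whether a profile value is a template expression that
// load-time validation must leave alone.
func isTemplate(s string) bool {
	return strings.Contains(s, "{{") && strings.Contains(s, "}}")
}

// ValidateResourceQuotaEntry applies the three load-time checks: unknown
// profile, profile mixed with explicit fields, half-specified copy.
func ValidateResourceQuotaEntry(e ResourceQuotaEntry) error {
	if e.Profile != "" && len(e.Hard) > 0 {
		return fmt.Errorf("%s: %w", e.Name, ErrProfileAndExplicit)
	}
	if e.Profile != "" && !isTemplate(e.Profile) {
		if _, ok := resourceQuotaPresets[e.Profile]; !ok {
			return fmt.Errorf("%s: %w %q (valid: small, medium, large, xlarge)", e.Name, ErrUnknownProfile, e.Profile)
		}
	}
	if (e.FromNamespace == "") != (len(e.ToNamespaces) == 0) {
		return fmt.Errorf("%s: %w", e.Name, ErrCrossNamespace)
	}
	return nil
}

// ResolveHard returns the effective hard limits: the preset when a profile is
// named, the inline fields otherwise. Template profiles yield ErrDeferred.
func ResolveHard(e ResourceQuotaEntry) (map[string]string, error) {
	if err := ValidateResourceQuotaEntry(e); err != nil {
		return nil, err
	}
	if e.Profile == "" {
		return e.Hard, nil
	}
	if isTemplate(e.Profile) {
		return nil, fmt.Errorf("%s: %w", e.Name, ErrDeferred)
	}
	// Copy the preset so callers cannot mutate the shared table.
	out := make(map[string]string, len(resourceQuotaPresets[e.Profile]))
	for k, v := range resourceQuotaPresets[e.Profile] {
		out[k] = v
	}
	return out, nil
}

// SkipCrossNamespace mirrors the simulate auto-skip: entries carrying a
// cross-namespace copy are filtered out before the fake reconciler runs and a
// note is produced for each one.
func SkipCrossNamespace(entries []ResourceQuotaEntry) (kept []ResourceQuotaEntry, notes []string) {
	for _, e := range entries {
		if e.FromNamespace != "" || len(e.ToNamespaces) > 0 {
			notes = append(notes, fmt.Sprintf("skipping %s: cross-namespace copy is not simulated (exercised by e2e)", e.Name))
			continue
		}
		kept = append(kept, e)
	}
	return kept, notes
}

func main() {
	// Constructed sample entries.
	entries := []ResourceQuotaEntry{
		{Name: "team-a", Profile: "medium"},
		{Name: "team-b", Hard: map[string]string{"cpu": "3"}},
		{Name: "shared", Profile: "small", FromNamespace: "platform", ToNamespaces: []string{"dev", "qa"}},
	}
	kept, notes := SkipCrossNamespace(entries)
	for _, n := range notes {
		fmt.Println("note:", n)
	}
	for _, e := range kept {
		hard, err := ResolveHard(e)
		fmt.Printf("%s -> %v err=%v\n", e.Name, hard, err)
	}
}
```

The XOR in the cross-namespace check is what makes "set without the other, or vice versa" a single condition; copying the preset map before returning it keeps a caller's later edits from leaking into the next entry that selects the same profile.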
@iAlexeze iAlexeze merged commit 68236a6 into main Jun 26, 2026
5 of 6 checks passed
@iAlexeze iAlexeze deleted the feat/networkpolicy-resourcequota-limitrange branch June 26, 2026 21:25