Automatic API update from tigera/calico-private release-calient-v3.23

Author: caseydavenport

config/crd/projectcalico.org_caliconodestatuses.yaml

@@ -224,4 +224,5 @@ spec:
           type: object
       served: true
       storage: true
-      subresources: {}
+      subresources:
+        status: {}

config/crd/projectcalico.org_policyrecommendationscopes.yaml

@@ -26,6 +26,22 @@ spec:
               type: object
             spec:
               properties:
+                hostEndpointSpec:
+                  properties:
+                    recommendationStatus:
+                      enum:
+                        - Enabled
+                        - Disabled
+                      type: string
+                    selector:
+                      maxLength: 4096
+                      type: string
+                    tierName:
+                      maxLength: 253
+                      type: string
+                  required:
+                    - selector
+                  type: object
                 initialLookback:
                   type: string
                 interval:
@@ -37,10 +53,15 @@ spec:
                     intraNamespacePassThroughTraffic:
                       type: boolean
                     recStatus:
+                      enum:
+                        - Enabled
+                        - Disabled
                       type: string
                     selector:
+                      maxLength: 4096
                       type: string
                     tierName:
+                      maxLength: 253
                       type: string
                   required:
                     - selector

lib.Makefile

@@ -1606,8 +1606,10 @@ $(REPO_ROOT)/.$(KIND_NAME).created: $(KUBECTL) $(KIND)
 	while ! KUBECONFIG=$(KIND_KUBECONFIG) $(KUBECTL) apply -f $(REPO_ROOT)/libcalico-go/config/crd/policy.networking.k8s.io_adminnetworkpolicies.yaml; do echo "Waiting for ANP CRDs to be created"; sleep 2; done
 	while ! KUBECONFIG=$(KIND_KUBECONFIG) $(KUBECTL) apply -f $(REPO_ROOT)/libcalico-go/config/crd/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml; do echo "Waiting for CRDs to be created"; sleep 2; done
 
-	# Install mutating admission policies.
+	# Install mutating admission policies (only for v3 CRDs, since they reference projectcalico.org/v3 resources).
+ifeq ($(CALICO_API_GROUP),projectcalico.org/v3)
 	while ! KUBECONFIG=$(KIND_KUBECONFIG) $(KUBECTL) apply -f $(REPO_ROOT)/api/admission/; do echo "Waiting for mutating admission policies to be created"; sleep 2; done
+endif
 
 	touch $@
 

pkg/apis/projectcalico/v3/doc.go

@@ -2,6 +2,7 @@
 
 // +k8s:deepcopy-gen=package,register
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=com.github.tigera.api.pkg.apis.projectcalico.v3
 
 // Package v3 is the v3 version of the API.
 // +groupName=projectcalico.org

pkg/apis/projectcalico/v3/nodestatus.go

@@ -39,6 +39,7 @@ type CalicoNodeStatusList struct {
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:scope=Cluster
+// +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Node",type=string,JSONPath=".spec.node",description="The name of the node"
 // +kubebuilder:printcolumn:name="Classes",type=string,JSONPath=".spec.classes",description="The types of information to monitor for this calico/node"
 

pkg/apis/projectcalico/v3/policyrecommendationscope.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2022 Tigera, Inc. All rights reserved.
+// Copyright (c) 2022-2026 Tigera, Inc. All rights reserved.
 package v3
 
 import (
@@ -57,7 +57,12 @@ type PolicyRecommendationScopeSpec struct {
 	PoliciesLearningCutOff *int `json:"policiesLearningCutOff,omitempty"`
 
 	// The namespace spec contains the namespace relative recommendation vars.
-	NamespaceSpec PolicyRecommendationScopeNamespaceSpec `json:"namespaceSpec,omitempty"`
+	// +optional
+	NamespaceSpec *PolicyRecommendationScopeNamespaceSpec `json:"namespaceSpec,omitempty"`
+
+	// The host endpoint spec contains host endpoint relative recommendation vars.
+	// +optional
+	HostEndpointSpec *PolicyRecommendationScopeHostEndpointSpec `json:"hostEndpointSpec,omitempty"`
 }
 
 type PolicyRecommendationScopeStatus struct {
@@ -85,24 +90,45 @@ type PolicyRecommendationScopeNamespaceSpec struct {
 	// +optional
 	IntraNamespacePassThroughTraffic bool `json:"intraNamespacePassThroughTraffic,omitempty"`
 	// Recommendation status. One of Enabled, Disabled.
-	RecStatus PolicyRecommendationNamespaceStatus `json:"recStatus,omitempty" validate:"omitempty,policyrecstatus"`
+	RecStatus PolicyRecommendationStatus `json:"recStatus,omitempty" validate:"omitempty,policyrecstatus"`
 	// The namespace selector is an expression used to pick out the namespaces that the policy
 	// recommendation engine should create policies for. The syntax is the same as the
 	// NetworkPolicy.projectcalico.org resource selectors.
+	// +kubebuilder:validation:MaxLength=4096
 	Selector string `json:"selector" validate:"selector"`
 	// The name of the policy recommendation tier for namespace-isolated policies.
 	// [Default: "namespace-isolation"]
 	// +optional
+	// +kubebuilder:validation:MaxLength=253
 	TierName string `json:"tierName,omitempty" validate:"omitempty,name"`
 }
 
-type PolicyRecommendationNamespaceStatus string
+// +kubebuilder:validation:Enum=Enabled;Disabled
+type PolicyRecommendationStatus string
 
 const (
-	PolicyRecommendationScopeEnabled  PolicyRecommendationNamespaceStatus = "Enabled"
-	PolicyRecommendationScopeDisabled PolicyRecommendationNamespaceStatus = "Disabled"
+	PolicyRecommendationEnabled  PolicyRecommendationStatus = "Enabled"
+	PolicyRecommendationDisabled PolicyRecommendationStatus = "Disabled"
 )
 
+// PolicyRecommendationScopeHostEndpointSpec contains host endpoint information that defines the
+// host endpoint based recommended policy.
+type PolicyRecommendationScopeHostEndpointSpec struct {
+	// Recommendation status. One of Enabled, Disabled.
+	// +optional
+	RecommendationStatus PolicyRecommendationStatus `json:"recommendationStatus,omitempty" validate:"omitempty,policyrecstatus"`
+	// The selector is an expression used to pick out the host endpoints that the policy
+	// recommendation engine should create policies for. The syntax is the same as the
+	// NetworkPolicy.projectcalico.org resource selectors.
+	// +kubebuilder:validation:MaxLength=4096
+	Selector string `json:"selector" validate:"selector"`
+	// The name of the policy recommendation tier for host endpoint isolated policies.
+	// [Default: "hostendpoint-isolation"]
+	// +optional
+	// +kubebuilder:validation:MaxLength=253
+	TierName string `json:"tierName,omitempty" validate:"omitempty,name"`
+}
+
 // +genclient:nonNamespaced
 // +kubebuilder:resource:scope=Cluster
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

pkg/apis/projectcalico/v3/policyrecommendationscope_test.go

@@ -0,0 +1,108 @@
+// Copyright (c) 2026 Tigera, Inc. All rights reserved.
+
+package v3_test
+
+import (
+	"encoding/json"
+	"testing"
+	"time"
+
+	. "github.com/onsi/gomega"
+	v3 "github.com/tigera/api/pkg/apis/projectcalico/v3"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestPolicyRecommendationScopeHostEndpointSpecSerialization(t *testing.T) {
+	g := NewGomegaWithT(t)
+
+	scope := v3.PolicyRecommendationScope{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       v3.KindPolicyRecommendationScope,
+			APIVersion: v3.GroupVersionCurrent,
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "default",
+		},
+		Spec: v3.PolicyRecommendationScopeSpec{
+			Interval: &metav1.Duration{Duration: 150 * time.Second},
+			NamespaceSpec: &v3.PolicyRecommendationScopeNamespaceSpec{
+				RecStatus: v3.PolicyRecommendationEnabled,
+				Selector:  "all()",
+			},
+			HostEndpointSpec: &v3.PolicyRecommendationScopeHostEndpointSpec{
+				RecommendationStatus: v3.PolicyRecommendationEnabled,
+				Selector:             "hostendpoint.projectcalico.org/type == 'nonclusterhost'",
+				TierName:             "hostendpoint-isolation",
+			},
+		},
+	}
+
+	// Marshal to JSON.
+	data, err := json.Marshal(scope)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	// Verify JSON contains the hostEndpointSpec fields.
+	var raw map[string]interface{}
+	err = json.Unmarshal(data, &raw)
+	g.Expect(err).NotTo(HaveOccurred())
+	spec := raw["spec"].(map[string]interface{})
+	g.Expect(spec).To(HaveKey("hostEndpointSpec"))
+	hostEndpointSpec := spec["hostEndpointSpec"].(map[string]interface{})
+	g.Expect(hostEndpointSpec["recommendationStatus"]).To(Equal("Enabled"))
+	g.Expect(hostEndpointSpec["selector"]).To(Equal("hostendpoint.projectcalico.org/type == 'nonclusterhost'"))
+	g.Expect(hostEndpointSpec["tierName"]).To(Equal("hostendpoint-isolation"))
+
+	// Unmarshal back and verify round-trip.
+	var decoded v3.PolicyRecommendationScope
+	err = json.Unmarshal(data, &decoded)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(decoded.Spec.HostEndpointSpec).NotTo(BeNil())
+	g.Expect(decoded.Spec.HostEndpointSpec.RecommendationStatus).To(Equal(v3.PolicyRecommendationEnabled))
+	g.Expect(decoded.Spec.HostEndpointSpec.Selector).To(Equal("hostendpoint.projectcalico.org/type == 'nonclusterhost'"))
+	g.Expect(decoded.Spec.HostEndpointSpec.TierName).To(Equal("hostendpoint-isolation"))
+}
+
+func TestPolicyRecommendationScopeHostEndpointSpecOmittedWhenNil(t *testing.T) {
+	g := NewGomegaWithT(t)
+
+	scope := v3.PolicyRecommendationScope{
+		Spec: v3.PolicyRecommendationScopeSpec{
+			NamespaceSpec: &v3.PolicyRecommendationScopeNamespaceSpec{
+				Selector: "all()",
+			},
+		},
+	}
+
+	data, err := json.Marshal(scope)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	var raw map[string]interface{}
+	err = json.Unmarshal(data, &raw)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	spec := raw["spec"].(map[string]interface{})
+	// hostEndpointSpec is a pointer with omitempty, so a nil value is omitted from JSON.
+	g.Expect(spec).NotTo(HaveKey("hostEndpointSpec"))
+}
+
+func TestPolicyRecommendationScopeHostEndpointSpecDisabledStatus(t *testing.T) {
+	g := NewGomegaWithT(t)
+
+	scope := v3.PolicyRecommendationScope{
+		Spec: v3.PolicyRecommendationScopeSpec{
+			HostEndpointSpec: &v3.PolicyRecommendationScopeHostEndpointSpec{
+				RecommendationStatus: v3.PolicyRecommendationDisabled,
+				Selector:             "all()",
+			},
+		},
+	}
+
+	data, err := json.Marshal(scope)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	var decoded v3.PolicyRecommendationScope
+	err = json.Unmarshal(data, &decoded)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(decoded.Spec.HostEndpointSpec).NotTo(BeNil())
+	g.Expect(decoded.Spec.HostEndpointSpec.RecommendationStatus).To(Equal(v3.PolicyRecommendationDisabled))
+}