vmware-tanzu
diff --git a/‎build/yaml/crd/legacy/nsx.vmware.com_securitypolicies.yaml‎
Lines changed: 340 additions & 4 deletions b/‎build/yaml/crd/legacy/nsx.vmware.com_securitypolicies.yaml‎
Lines changed: 340 additions & 4 deletions
diff --git a/‎build/yaml/crd/vpc/crd.nsx.vmware.com_securitypolicies.yaml‎
Lines changed: 340 additions & 4 deletions b/‎build/yaml/crd/vpc/crd.nsx.vmware.com_securitypolicies.yaml‎
Lines changed: 340 additions & 4 deletions
diff --git a/‎build/yaml/samples/nsx_v1alpha1_securitypolicy.yaml‎
Lines changed: 38 additions & 1 deletion b/‎build/yaml/samples/nsx_v1alpha1_securitypolicy.yaml‎
Lines changed: 38 additions & 1 deletion
diff --git a/‎docs/ref/apis/legacy.md‎
Lines changed: 4 additions & 2 deletions b/‎docs/ref/apis/legacy.md‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎docs/ref/apis/vpc.md‎
Lines changed: 4 additions & 2 deletions b/‎docs/ref/apis/vpc.md‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎docs/security-policy.md‎
Lines changed: 76 additions & 20 deletions b/‎docs/security-policy.md‎
Lines changed: 76 additions & 20 deletions
diff --git a/‎pkg/apis/legacy/v1alpha1/securitypolicy_types.go‎
Lines changed: 8 additions & 0 deletions b/‎pkg/apis/legacy/v1alpha1/securitypolicy_types.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎pkg/apis/legacy/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 14 additions & 0 deletions b/‎pkg/apis/legacy/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎pkg/apis/vpc/v1alpha1/securitypolicy_types.go‎
Lines changed: 8 additions & 0 deletions b/‎pkg/apis/vpc/v1alpha1/securitypolicy_types.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎pkg/apis/vpc/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 14 additions & 0 deletions b/‎pkg/apis/vpc/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 14 additions & 0 deletions
@@ -41,4 +41,41 @@ spec:
               role: frontend
       ports:
         - protocol: TCP
-          port: 8000
+          port: 8000
+
+---
+
+# Example using from/to aliases (Kubernetes NetworkPolicy style)
+apiVersion: crd.nsx.vmware.com/v1alpha1
+kind: SecurityPolicy
+metadata:
+  name: from-to-policy-1
+  namespace: ns-1
+spec:
+  appliedTo:
+    - podSelector:
+        matchLabels:
+          role: db
+  rules:
+    - direction: Ingress
+      action: Allow
+      from:
+        - podSelector:
+            matchLabels:
+              role: frontend
+      ports:
+        - protocol: TCP
+          port: 3306
+    - direction: Out
+      action: Allow
+      to:
+        - podSelector:
+            matchLabels:
+              role: dns
+      ports:
+        - protocol: UDP
+          port: 53
+    - direction: Ingress
+      action: Drop
+    - direction: Out
+      action: Drop
@@ -357,8 +357,10 @@ _Appears in:_
 | `action` _[RuleAction](#ruleaction)_ | Action specifies the action to be applied on the rule. |  |  |
 | `appliedTo` _[SecurityPolicyTarget](#securitypolicytarget) array_ | AppliedTo is a list of rule targets.<br />Policy level 'Applied To' will take precedence over rule level. |  |  |
 | `direction` _[RuleDirection](#ruledirection)_ | Direction is the direction of the rule, including 'In' or 'Ingress', 'Out' or 'Egress'. |  |  |
-| `sources` _[SecurityPolicyPeer](#securitypolicypeer) array_ | Sources defines the endpoints where the traffic is from. For ingress rule only. |  |  |
-| `destinations` _[SecurityPolicyPeer](#securitypolicypeer) array_ | Destinations defines the endpoints where the traffic is to. For egress rule only. |  |  |
+| `sources` _[SecurityPolicyPeer](#securitypolicypeer) array_ | **Deprecated: use `from` instead.** Sources defines the endpoints where the traffic is from. For ingress rule only. |  |  |
+| `destinations` _[SecurityPolicyPeer](#securitypolicypeer) array_ | **Deprecated: use `to` instead.** Destinations defines the endpoints where the traffic is to. For egress rule only. |  |  |
+| `from` _[SecurityPolicyPeer](#securitypolicypeer) array_ | From defines the endpoints where the traffic is from. For ingress rule only. This is the preferred field over the deprecated Sources. |  |  |
+| `to` _[SecurityPolicyPeer](#securitypolicypeer) array_ | To defines the endpoints where the traffic is to. For egress rule only. This is the preferred field over the deprecated Destinations. |  |  |
 | `ports` _[SecurityPolicyPort](#securitypolicyport) array_ | Ports is a list of ports to be matched. |  |  |
 | `name` _string_ | Name is the display name of this rule. |  |  |
 
 
@@ -540,8 +540,10 @@ _Appears in:_
 | `action` _[RuleAction](#ruleaction)_ | Action specifies the action to be applied on the rule. |  |  |
 | `appliedTo` _[SecurityPolicyTarget](#securitypolicytarget) array_ | AppliedTo is a list of rule targets.<br />Policy level 'Applied To' will take precedence over rule level. |  |  |
 | `direction` _[RuleDirection](#ruledirection)_ | Direction is the direction of the rule, including 'In' or 'Ingress', 'Out' or 'Egress'. |  |  |
-| `sources` _[SecurityPolicyPeer](#securitypolicypeer) array_ | Sources defines the endpoints where the traffic is from. For ingress rule only. |  |  |
-| `destinations` _[SecurityPolicyPeer](#securitypolicypeer) array_ | Destinations defines the endpoints where the traffic is to. For egress rule only. |  |  |
+| `sources` _[SecurityPolicyPeer](#securitypolicypeer) array_ | **Deprecated: use `from` instead.** Sources defines the endpoints where the traffic is from. For ingress rule only. |  |  |
+| `destinations` _[SecurityPolicyPeer](#securitypolicypeer) array_ | **Deprecated: use `to` instead.** Destinations defines the endpoints where the traffic is to. For egress rule only. |  |  |
+| `from` _[SecurityPolicyPeer](#securitypolicypeer) array_ | From defines the endpoints where the traffic is from. For ingress rule only. This is the preferred field over the deprecated Sources. |  |  |
+| `to` _[SecurityPolicyPeer](#securitypolicypeer) array_ | To defines the endpoints where the traffic is to. For egress rule only. This is the preferred field over the deprecated Destinations. |  |  |
 | `ports` _[SecurityPolicyPort](#securitypolicyport) array_ | Ports is a list of ports to be matched. |  |  |
 | `name` _string_ | Name is the display name of this rule. |  |  |
 
 
@@ -82,6 +82,57 @@ to access through TCP with port 8000. The second rule allows the selected VMs to
 access Pods with label "role: dns" through UDP with port 53. The third and forth
 rules are to drop any other ingress and egress traffic to/from the selected VMs.
 
+### Kubernetes NetworkPolicy style (from/to)
+
+SecurityPolicy supports `from` and `to` fields as the preferred way to specify
+traffic peers, aligning with the standard Kubernetes NetworkPolicy syntax. The
+legacy `sources` and `destinations` fields are deprecated; use `from` and `to`
+instead. The following example is equivalent to the one above:
+
+```yaml
+apiVersion: nsx.vmware.com/v1alpha1
+kind: SecurityPolicy
+metadata:
+  name: db-isolation
+  namespace: prod-ns
+spec:
+  priority: 1
+  appliedTo:
+    - vmSelector:
+        matchLabels:
+          role: db
+  rules:
+    - direction: in
+      action: allow
+      from:
+        - namespaceSelector:
+            matchLabels:
+              role: control
+        - podSelector:
+            matchLabels:
+              role: frontend
+      ports:
+        - protocol: TCP
+          port: 8000
+    - direction: out
+      action: allow
+      to:
+        - podSelector:
+            matchLabels:
+              role: dns
+      ports:
+        - protocol: UDP
+          port: 53
+      appliedTo:
+        - vmSelector:
+            matchLabels:
+              user: internal
+    - direction: in
+      action: drop
+    - direction: out
+      action: drop
+```
+
 Below are explanations for the fields:
 
 **spec**: defines all the configurations for a SecurityPolicy CR.
@@ -107,29 +158,34 @@ or 'Egress'.
 **ports**: define protocol, specific port or port range. `ports.port` will be treated
 as destination port. More details refer to section `Targeting a range of Ports`
 
-**sources** and **destinations**: defines a list of peers where the traffic is from/to.
+**from** and **to**: defines a list of peers where the traffic is from/to.
 It could be `podSelector`, `vmSelector`, `namespaceSelector` and `ipBlocks`.
 `podSelector` and `namespaceSelector` in the same entry select particular Pods within
 particular Namespaces.
 `vmSelector` and `namespaceSelector` in the same entry select particular VMs within
 particular Namespaces.
-More details refer to section `Behavior of sources and destinations selectors`
+More details refer to section `Behavior of from and to selectors`
+
+**sources** and **destinations** *(deprecated)*: legacy names for `from` and `to`.
+These fields are still accepted for backward compatibility but users should migrate
+to `from`/`to`. If both `sources` and `from` (or `destinations` and `to`) are set
+in the same rule, `from`/`to` takes precedence.
 
 **status**: shows CR realization state. If there is any error during realization,
 nsx-operator will also update status with error message.
 
-## Behavior of sources and destinations selectors
+## Behavior of from and to selectors
 
-There are 6 kinds of selectors that can be specified in an `ingress` `sources` section
-or `egress` `destinations` section:
+There are 6 kinds of selectors that can be specified in an `ingress` `from`
+(or legacy `sources`) section or `egress` `to` (or legacy `destinations`) section:
 
 **podSelector**: This selects particular Pods in the same namespace as the SecurityPolicy
 as ingress sources or egress destinations.
 
 **namespaceSelector**: This selects particular namespaces for which all Pods and
 VMs as ingress sources or egress destinations.
 
-**namespaceSelector and podSelector**: A single `sources`/`destinations` entry that
+**namespaceSelector and podSelector**: A single `from`/`to` entry that
 specifies both `namespaceSelector` and `podSelector` selects particular Pods within
 particular namespaces. Be careful to use correct YAML syntax; this policy:
 
@@ -138,7 +194,7 @@ particular namespaces. Be careful to use correct YAML syntax; this policy:
   rules:
     - direction: in
       action: allow
-      sources:
+      from:
         - namespaceSelector:
             matchLabels:
               user: alice
@@ -147,15 +203,15 @@ particular namespaces. Be careful to use correct YAML syntax; this policy:
               role: client
   ...
 ```
-contains a single `sources` element allowing connections from Pods with the label
+contains a single `from` element allowing connections from Pods with the label
 `role=client` in namespaces with the label `user=alice`. But this policy:
 
 ```
   ...
   rules:
     - direction: in
       action: allow
-      sources:
+      from:
         - namespaceSelector:
             matchLabels:
               user: alice
@@ -164,7 +220,7 @@ contains a single `sources` element allowing connections from Pods with the labe
               role: client
   ...
 ```
-contains two elements in the sources array, and allows connections from Pods in
+contains two elements in the `from` array, and allows connections from Pods in
 the current Namespace with the label `role=client`, or from any Pod in the namespaces
 with the label `user=alice`.
 
@@ -176,7 +232,7 @@ the SecurityPolicy as ingress sources or egress destinations. E.g.
   rules:
     - direction: in
       action: allow
-      sources:
+      from:
         - vmSelector:
             matchLabels:
               role: client
@@ -185,7 +241,7 @@ the SecurityPolicy as ingress sources or egress destinations. E.g.
 allows connections from VirtualMachines with the label `role=client` in the current
 namespace.
 
-**namespaceSelector and vmSelector**: A single `sources`/`destinations` entry that
+**namespaceSelector and vmSelector**: A single `from`/`to` entry that
 specifies both `namespaceSelector` and `vmSelector` selects particular VirtualMachines
 within particular namespaces. E.g.
 
@@ -194,7 +250,7 @@ within particular namespaces. E.g.
   rules:
     - direction: in
       action: allow
-      sources:
+      from:
         - namespaceSelector:
             matchLabels:
               user: alice
@@ -203,7 +259,7 @@ within particular namespaces. E.g.
               role: client
   ...
 ```
-contains a single `sources` element allowing connections from VirtualMachines with
+contains a single `from` element allowing connections from VirtualMachines with
 the label `role=client` in namespaces with the label `user=alice`.
 
 **ipBlocks**: This selects particular IP CIDR ranges to allow as ingress sources
@@ -214,7 +270,7 @@ or egress destinations. E.g.
   rules:
     - direction: ingress
       action: allow
-      sources:
+      from:
         - ipBlocks:
             - cidr: 192.168.0.0/24
 ...
@@ -227,7 +283,7 @@ Particularly, it can be used for single IP by suffix `/32`. E.g.
   rules:
     - direction: ingress
       action: allow
-      sources:
+      from:
         - ipBlocks:
             - cidr: 100.64.232.1/32
 ...
@@ -243,7 +299,7 @@ port. E.g.
   rules:
     - direction: in
       action: allow
-      sources:
+      from:
         - podSelector:
             matchLabels:
               role: ui
@@ -270,17 +326,17 @@ In the same policy, the higher rule has the higher priority. E.g. in the policy:
   rules:
     - direction: in
       action: allow
-      sources:
+      from:
         - podSelector:
             matchLabels:
               role: client
     - direction: in
       action: drop
-      sources:
+      from:
         - podSelector: {}
     - direction: out
       action: drop
-      destinations:
+      to:
         - podSelector: {}
 ...
 ```
 
@@ -59,10 +59,18 @@ type SecurityPolicyRule struct {
 	AppliedTo []SecurityPolicyTarget `json:"appliedTo,omitempty"`
 	// Direction is the direction of the rule, including 'In' or 'Ingress', 'Out' or 'Egress'.
 	Direction *RuleDirection `json:"direction"`
+	// Deprecated: use From instead.
 	// Sources defines the endpoints where the traffic is from. For ingress rule only.
 	Sources []SecurityPolicyPeer `json:"sources,omitempty"`
+	// Deprecated: use To instead.
 	// Destinations defines the endpoints where the traffic is to. For egress rule only.
 	Destinations []SecurityPolicyPeer `json:"destinations,omitempty"`
+	// From defines the endpoints where the traffic is from. For ingress rule only.
+	// This is the preferred field over the deprecated Sources.
+	From []SecurityPolicyPeer `json:"from,omitempty"`
+	// To defines the endpoints where the traffic is to. For egress rule only.
+	// This is the preferred field over the deprecated Destinations.
+	To []SecurityPolicyPeer `json:"to,omitempty"`
 	// Ports is a list of ports to be matched.
 	Ports []SecurityPolicyPort `json:"ports,omitempty"`
 	// Name is the display name of this rule.
 
@@ -59,10 +59,18 @@ type SecurityPolicyRule struct {
 	AppliedTo []SecurityPolicyTarget `json:"appliedTo,omitempty"`
 	// Direction is the direction of the rule, including 'In' or 'Ingress', 'Out' or 'Egress'.
 	Direction *RuleDirection `json:"direction"`
+	// Deprecated: use From instead.
 	// Sources defines the endpoints where the traffic is from. For ingress rule only.
 	Sources []SecurityPolicyPeer `json:"sources,omitempty"`
+	// Deprecated: use To instead.
 	// Destinations defines the endpoints where the traffic is to. For egress rule only.
 	Destinations []SecurityPolicyPeer `json:"destinations,omitempty"`
+	// From defines the endpoints where the traffic is from. For ingress rule only.
+	// This is the preferred field over the deprecated Sources.
+	From []SecurityPolicyPeer `json:"from,omitempty"`
+	// To defines the endpoints where the traffic is to. For egress rule only.
+	// This is the preferred field over the deprecated Destinations.
+	To []SecurityPolicyPeer `json:"to,omitempty"`
 	// Ports is a list of ports to be matched.
 	Ports []SecurityPolicyPort `json:"ports,omitempty"`
 	// Name is the display name of this rule.