Implement the AdminNetworkPolicy api CRD #30
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: astoycos The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
astoycos
changed the title
k8s-ci-robot
added
the
do-not-merge/work-in-progress
astoycos
force-pushed
the
admin-network-policy-api
branch
from
8007eb0 to
ef25b93
Compare
|
/assign @Dyanngg |
|
@astoycos: GitHub didn't allow me to assign the following users: Dyanngg. Note that only kubernetes-sigs members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Maybe you should merge a PR with all the vendor stuff first so that this one can be just the actual API? |
|
Sure I can do that @danwinship, thanks! |
astoycos
force-pushed
the
admin-network-policy-api
branch
from
ef25b93 to
688335d
Compare
|
For now I broke the API changes explicitly out in it's own commit 389fc55 |
|
/assign @thockin @caseydavenport @danwinship |
astoycos
force-pushed
the
admin-network-policy-api
branch
from
688335d to
389fc55
Compare
astoycos
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/assign @Dyanngg |
|
@astoycos: GitHub didn't allow me to assign the following users: Dyanngg. Note that only kubernetes-sigs members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/assign @abhiraut |
| metav1.ObjectMeta `json:"metadata,omitempty"` | ||
|
|
||
| // Specification of the desired behavior of AdminNetworkPolicy. | ||
| // +optional |
There was a problem hiding this comment.
For NetworkPolicy and a few other types in the core API it is, but I agree logically it doesn't make sense
|
|
||
| // NamespaceSetAndPod defines a flexible way to select Namespaces and pods in a | ||
| // cluster. The `Namespaces` and `Pods` fields are required and must not be empty. | ||
| type NamespaceAndPodSet struct { |
There was a problem hiding this comment.
I think I missed this point in the original KEP somehow... what's the intended difference between NamespaceAndPodSet and NamespacedPodSubject?
They seem like very similar structs so not sure what the purpose of having both is.
There was a problem hiding this comment.
NamespacedPodSubject is just a simple NamespaceSelector AND PodSelector but the abstraction allows AdminNetworkPolicySubject to still be built in a future-proof way. We don't use NamespaceSet(self, notself) here since the semantics don't work the same for defining the Subject pods of the policy vs defining a peer.
With NamespaceAndPodSet you can define the set of pods selected in a much more dynamic way since you have all the mechanisms provided by the NamespaceSet object(self, notself etc.) AND PodSet (currently just a generic PodSelector but possibly a PodSelector And ServiceSelector in the future). It also gives us a safe way to expand the API in the future if more selectors are added to either NamespaceSet or PodSet
|
Pushed changes in response to Dan's Review and meeting last week
|
| // Exactly one field must be set. | ||
| // +kubebuilder:validation:MaxProperties=1 | ||
| // +kubebuilder:validation:MinProperties=1 | ||
| type AdminNetworkPolicyPort struct { |
There was a problem hiding this comment.
@Dyanngg @danwinship @thockin PTAL
There was a problem hiding this comment.
AdminNetworkPolicyPort spec looks good
| // Exactly one field must be set. | ||
| // +kubebuilder:validation:MaxProperties=1 | ||
| // +kubebuilder:validation:MinProperties=1 | ||
| type AdminNetworkPolicyPort struct { |
There was a problem hiding this comment.
AdminNetworkPolicyPort spec looks good
|
@astoycos Could you also retry assigning me? I'm in the K8s org now, probably need you to add me as a maintainer for this repo |
|
/assign @Dyanngg |
Update the API in response to another round of reviews... Sepcifically - Fix Nits from Tim - Rework AdminNetworkPolicyPort - Add More validation to ensure all lists are bound, and then only one field may be set when necessary Signed-off-by: astoycos <[email protected]>
astoycos
force-pushed
the
admin-network-policy-api
branch
from
9e02bd7 to
7b7c961
Compare
| // Name is an identifier for this rule, that may be no more than 100 characters | ||
| // in length. | ||
| // +optional | ||
| // +kubebuilder:validation:MaxLength=100 | ||
| Name string `json:"name,omitempty"` |
There was a problem hiding this comment.
again, this needs to explain what the field is for, or the user will have no clue what to do with this.
There was a problem hiding this comment.
Sounds good, I was planning on including this rational in the accompanying docs, however I will also add a blurb on it here as well.
| // +kubebuilder:validation:MaxLength=100 | ||
| Name string `json:"name,omitempty"` | ||
|
|
||
| // Action specifies whether this rule must pass, allow or deny traffic. |
There was a problem hiding this comment.
"specifies the action taken on matched traffic?"
Is it guaranteed that action will always be Allow, Deny, or Pass; or is it possible other actions will be added in the future? ("Log"?) Might be good to be clear.
There was a problem hiding this comment.
Yeah it should be worded to be extensible in the future, I will alter this a bit!
apis/v1alpha1/shared_types.go
Outdated
| // follows standard label selector semantics; if present but empty, it selects | ||
| // all Namespaces. | ||
| // +optional | ||
| Selector *metav1.LabelSelector `json:"selector,omitempty"` |
There was a problem hiding this comment.
So:
subject:
namespaces:
matchLabels:
admin: "true"
but
from:
namespaces:
selector: <-- extra
matchLabels:
admin: "true"
also weird:
from:
namespaces:
selector: <--
matchLabels:
admin: "true"
but
from:
pods:
pods: <-- UGH
podSelector: <-- why not just "selector"?
matchLabels:
admin: "true"
apis/v1alpha1/shared_types.go
Outdated
| Namespaces NamespacedPeer `json:"namespaces"` | ||
|
|
||
| // Pods is used to select a set of Pods in the set of Namespaces. | ||
| Pods PodPeer `json:"pods"` |
There was a problem hiding this comment.
Why is PodPeer needed? Why can't this just be PodSelector *metav1.LabelSelector? If we want to define some other way of selecting pods in the future, then that should be a new option under AdminNetworkPolicyPeer, not a new option inside NamespacedPodPeer.
There was a problem hiding this comment.
After taking about this in the SIG meeting we decided to remove the PodPeer level of indirection
Fix some nits Remove a level of indirection: `PodPeer` Change Ports protocol default Update some comment documentation Signed-off-by: Andrew Stoycos <[email protected]>
|
Next round of changes have been pushed, I will work to create some sample yaml's for us to study this week. |
| // List of Egress rules to be applied to the selected pods BEFORE any | ||
| // NetworkPolicy or BaselineAdminNetworkPolicy rules have been applied. |
There was a problem hiding this comment.
maybe instead of repeating this on both Ingress and Egress it should be mentioned on Priority instead? ("All AdminNetworkPolicy rules have higher precedence than NetworkPolicy or BaselineAdminNetworkPolicy rules".)
There was a problem hiding this comment.
+1 This seems a bit repetitive
There was a problem hiding this comment.
However for BANP I'll leave the description on the rule fields since there is no priority field
| // +optional | ||
| NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"` | ||
|
|
||
| // SameLabels is used to select a set of Namespaces that share the same values |
There was a problem hiding this comment.
hm... it's too bad we managed to squash Self/NotSelf but didn't manage to squash SameLabels/NotSameLabels.
It's also too bad that one of them uses "Self" and the other uses "Same" (which is confusing enough that you already got it wrong, above).
I don't have any suggestions for v1alpha1, but I think this might be something we could improve later...
There was a problem hiding this comment.
Yeah I'll think on this a bit more, We probably could combine into a RelatedLabels or something of the sort with a list of labels and a single Enum shared with Related possibly
| // for a set of labels. | ||
| // To be selected a Namespace must have all of the labels defined in SameLabels, | ||
| // and they must all have the same value as the subject of this policy. | ||
| // If Samelabels is Empty then nothing is selected. |
There was a problem hiding this comment.
as with the Ports thing above, we need to correctly distinguish nil (does not match on labels) from [] (matches if these 0 labels are all the same, which is to say, matches everything)
There was a problem hiding this comment.
For now i'll follow the same convention I did with Ports, i.e make it a pointer to a slice
- Some smaller changes in grammer and wording. - Internal ordering - TODOs, figure out if Pointer to a slice is valid, and Combine Same/NotSame Labels into a single field Signed-off-by: astoycos <[email protected]>
|
@danwinship I should have gotten to most of your comments in the latest commit :) |
|
/lgtm |
k8s-ci-robot
added
do-not-merge/hold
|
CC @thockin |
|
/unhold |
k8s-ci-robot
removed
the
do-not-merge/hold
|
We discussed this with Tim today in the impromptu sig-network-policy api meeting and he agreed we should go ahead and merge as is, and he will review/ open issues if needed. Thanks for all the help everyone! |
9 participants
This PR serves to implement the AdminNetworkPolicy CRD described in further detail with kubernetes/enhancements#2091.
The goal is to ensure this does not merge without solving all of the TODO's described in the KEP.