Move NetworkPolicy to v1

[danwinship]

Move NetworkPolicy to v1

@kubernetes/sig-network-misc

Release note:

NetworkPolicy has been moved from `extensions/v1beta1` to the new
`networking.k8s.io/v1` API group. The structure remains unchanged from
the beta1 API.

The `net.beta.kubernetes.io/network-policy` annotation on Namespaces
to opt in to isolation has been removed. Instead, isolation is now
determined at a per-pod level, with pods being isolated if there is
any NetworkPolicy whose spec.podSelector targets them. Pods that are
targeted by NetworkPolicies accept traffic that is accepted by any of
the NetworkPolicies (and nothing else), and pods that are not targeted
by any NetworkPolicy accept all traffic by default.

Action Required:

When upgrading to Kubernetes 1.7 (and a network plugin that supports
the new NetworkPolicy v1 semantics), to ensure full behavioral
compatibility with v1beta1:

    1. In Namespaces that previously had the "DefaultDeny" annotation,
       you can create equivalent v1 semantics by creating a
       NetworkPolicy that matches all pods but does not allow any
       traffic:

           kind: NetworkPolicy
           apiVersion: networking.k8s.io/v1
           metadata:
             name: default-deny
           spec:
             podSelector:

       This will ensure that pods that aren't matched by any other
       NetworkPolicy will continue to be fully-isolated, as they were
       before.

    2. In Namespaces that previously did not have the "DefaultDeny"
       annotation, you should delete any existing NetworkPolicy
       objects. These would have had no effect before, but with v1
       semantics they might cause some traffic to be blocked that you
       didn't intend to be blocked.

[k8s-reviewable]

This change is 

[danwinship]

Here's an initial attempt at moving NetworkPolicy to v1... this still needs work.

(Just to clarify, that work is blocked on decisions being made about the questions I asked above)

[lavalamp]

Sorry for radio silence I was OOO and am still catching up. asking in the api-machinery slack channel is probably your best bet if you have open api machinery questions.

[thockin]

I think we need to address the issues of "real" service VIPs before we can merge this (on sig-network mailing list)

…

On Tue, Jan 10, 2017 at 5:23 PM, Daniel Smith ***@***.***> wrote: Sorry for radio silence I was OOO and am still catching up. asking in the api-machinery slack channel is probably your best bet if you have open api machinery questions. — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#39164 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFVgVGjaeV6gRi5Qms-3jlMvl5QhBt9Yks5rRC8ogaJpZM4LURyY> .

[danwinship]

Before declaring v1 done we should probably land #35660 (e2e NetworkPolicy tests), extend it to cover all features that are going to be part of v1, and make sure existing implementations actually implement all those features. And if most/all of them don't implement a feature, maybe we should consider dropping it for v1.

eg, as far as I can tell, none of Calico, Romana, or Weave implement string-valued Ports (qv #39769)

[danwinship]

How does migration between the v1beta1 net.beta.kubernetes.io/network-policy Namespace annotation and the v1 Namespace.NetworkPolicy field work

This message to kubernetes-dev says they're not maintaining any backward compatibility with alpha annotations for scheduling features so maybe we can do the same thing? (Although that's alpha->beta, not beta->v1...)

[caseydavenport]

Do the v1beta1 comment changes correctly describe the way that existing NetworkPolicy implementations work?

Yep, I think those comments are accurate now.

What should the unversioned→v1beta1 conversion do with policies containing an "allow no ports" or "allow no peers" rule? Currently it tries to represent that using a nil-vs-[] distinction, but that's obviously wrong since we're not documenting any such distinction any more (and the conversion to/from json won't respect that distinction). Should it return an error instead? (Presumably that would mean v1beta1 clients would get errors if they tried to fetch such policies?)

Well, a "match no ports" or a "match no peers" rule can be represented in the v1beta1 API by just removing that rule altogether, right? That rule is essentially useless I think.

Should NetworkPolicy stay in pkg/apis/extensions? If not, where should it move? (Does the infrastructure support moving APIs between versions? Eg, conversions.)

Not sure (and I don't think I have a very strong opinion).

How does migration between the v1beta1 net.beta.kubernetes.io/network-policy Namespace annotation and the v1 Namespace.NetworkPolicy field work, given that there is not actually a version number change for Namespace?

Can probably respect the annotation if it is present and the Namespace field is not, but prioritize the Namespace field if it is present? I don't think any special migration code is necessary - up to the implementations what they want to do, but I suspect that they'll want to support both for some period of time.

Do we want to simplify NamespaceNetworkPolicy at all? eg, it currently distinguishes between "default network policy" ({ "networkPolicy": nil }) "default ingress network policy (but possibly non-default egress policy)" ({ "networkPolicy": { "ingress": nil } }), and "default ingress isolation policy (but possibly non-default policy for other aspects of ingress)" ({ "networkPolicy": { "ingress": { "isolation": nil } } }). Do we still think NetworkPolicy will eventually describe things other than traffic isolation?

I'd opt for keeping it as is since we've seen no reason for changing it during it's time in beta. I'm really keen to not change things from beta -> GA unless we've seen a compelling reason to do so.

Where do we move docs/proposals/network-policy.md now that it's no longer a "proposal"? Also, presumably we update it to refer only to the v1 API? (Do we need to worry about documenting the v1beta1 Namespace annotation somewhere since it won't show up anywhere in the generated API docs?)

I imagine that can stay under proposals, right? I don't think the intention is that those evolve as the API evolves.

All-in-all, I'm still a little bit uneasy about the empty vs nil change. It feels like extra work for implementors that doesn't buy us anything. I keep asking myself "when did we ever get feedback from a user asking for this distinction? when did it confuse a user of the API? when did it make things harder for implementations?" and the answers always come back "never".

[bboreham]

eg, as far as I can tell, none of Calico, Romana, or Weave implement string-valued Ports (qv #39769)

Speaking for Weave, that is indeed not presently implemented. It complicates matters, but does not seem insurmountable.

[caseydavenport]

eg, as far as I can tell, none of Calico, Romana, or Weave implement string-valued Ports

Yep, Calico doesn't implement this yet either. It's not impossible but it's not a one-liner to add support.

I've not heard any user demand for this.

[danwinship]

Well, a "match no ports" or a "match no peers" rule can be represented in the v1beta1 API by just removing that rule altogether, right? That rule is essentially useless I think.

Ah, indeed

Where do we move docs/proposals/network-policy.md now that it's no longer a "proposal"?

I imagine that can stay under proposals, right? I don't think the intention is that those evolve as the API evolves.

Well, OK, but we need to document NetworkPolicy somewhere that isn't just a "proposal". But I guess that's an easier question: just add the new docs wherever they fit in best.

All-in-all, I'm still a little bit uneasy about the empty vs nil change. It feels like extra work for implementors that doesn't buy us anything. I keep asking myself "when did we ever get feedback from a user asking for this distinction? when did it confuse a user of the API? when did it make things harder for implementations?" and the answers always come back "never".

Yeah, I don't think anyone actually wanted the distinction, it's just that the way that v1beta1 ended up being implemented (empty Ports means "all ports", empty From means "from anywhere") makes us inconsistent with other APIs (and in particular, it makes Ports/From inconsistent with PodSelector/NamespaceSelector, meaning NetworkPolicy isn't even internally self-consistent).

But yeah, the "fix" is ugly. I'd be fine sticking with the v1beta1 behavior. (But there were objections to that when it was discussed in the SIG.)

[caseydavenport]

Yeah, I don't think anyone actually wanted the distinction, it's just that the way that v1beta1 ended up being implemented (empty Ports means "all ports", empty From means "from anywhere") makes us inconsistent with other APIs (and in particular, it makes Ports/From inconsistent with PodSelector/NamespaceSelector, meaning NetworkPolicy isn't even internally self-consistent).

I noticed while poking around the ClusterRole specification that it seems there are other APIs using an empty slice to indicate "all" rather than "none".

// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
ResourceNames []string

[k8s-ci-robot]

@danwinship: The following test(s) failed:

Test name	Commit	Details	Rerun command
pull-kubernetes-cross	0923f86	link	@k8s-bot pull-kubernetes-cross test this

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[danwinship]

@thockin: fixed defaults, rebased, regenerated

[thockin]

/lgtm

…

On May 28, 2017 8:16 AM, "Dan Winship" ***@***.***> wrote: @thockin <https://github.com/thockin>: fixed defaults, rebased, regenerated — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#39164 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFVgVDb3K28TWBHE2XI33mlF2oBvwHhmks5r-Y_KgaJpZM4LURyY> .

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, thockin

Needs approval from an approver in each of these OWNERS Files:

• api/OWNERS [thockin]
• cmd/kube-apiserver/OWNERS [thockin]
• cmd/libs/go2idl/client-gen/OWNERS [thockin]
• cmd/libs/go2idl/go-to-protobuf/OWNERS [thockin]
• docs/OWNERS [thockin]
• hack/OWNERS [thockin]
• pkg/OWNERS [thockin]
• staging/src/k8s.io/client-go/OWNERS [thockin]
• test/OWNERS [thockin]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-github-robot]

Automatic merge from submit-queue

[enj]

If we delete the extensions.NetworkPolicy - who would register the v1beta1 endpoint? Ugh, I don't understand the apiserver anymore....

@thockin you could register the types from the other package. For example, pkg/apis/apps registers the pkg/apis/extensions types:

// Adds the list of known types to api.Scheme.
func addKnownTypes(scheme *runtime.Scheme) error {
	// TODO this will get cleaned up with the scheme types are fixed
	scheme.AddKnownTypes(SchemeGroupVersion,
		&extensions.Deployment{},
		&extensions.DeploymentList{},
		&extensions.DeploymentRollback{},
		&extensions.Scale{},
		&StatefulSet{},
		&StatefulSetList{},
	)
	return nil
}

[thockin]

I removed the should-be-totally-unnecessary code for NP from pkg/apis/extensions - leaving it in pkg/apis/extensions/v1beta1 It compiles. I can POST a networking/v1 object, and it is stored in etcd as extensions/v1beta1 - yay! I can NOT POST an extensions/v1beta1 object. ``` $ cat /tmp/netpol.yaml apiVersion: extensions/v1beta1 kind: NetworkPolicy metadata: name: my-netpol spec: podSelector: {} $ kubectl create -f /tmp/netpol.yaml error: error validating "/tmp/netpol.yaml": error validating data: couldn't find type: v1beta1.NetworkPolicy; if you choose to ignore these errors, turn validation off with --validate=false $ kubectl create -f /tmp/netpol.yaml --validate=false error: unable to recognize "/tmp/netpol.yaml": no matches for extensions/, Kind=NetworkPolicy ``` Looking up that 2nd error, I get to staging/src/ k8s.io/apimachinery/pkg/api/meta/multirestmapper.go, where I see things like: ``` return nil, &NoKindMatchError{PartialKind: gk.WithVersion("")} ``` ...and I am lost

…

On Mon, May 29, 2017 at 10:49 AM, Mo Khan ***@***.***> wrote: If we delete the extensions.NetworkPolicy - who would register the v1beta1 endpoint? Ugh, I don't understand the apiserver anymore.... @thockin <https://github.com/thockin> you could register the types from the other package. For example, pkg/apis/apps registers the pkg/apis/extensions types: // Adds the list of known types to api.Scheme.func addKnownTypes(scheme *runtime.Scheme) error { // TODO this will get cleaned up with the scheme types are fixed scheme.AddKnownTypes(SchemeGroupVersion, &extensions.Deployment{}, &extensions.DeploymentList{}, &extensions.DeploymentRollback{}, &extensions.Scale{}, &StatefulSet{}, &StatefulSetList{}, ) return nil } — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#39164 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFVgVN6AGr3qfsvX3mYsIln_DGDVzpIrks5r-wVDgaJpZM4LURyY> .

[thockin]

https://github.com/kubernetes/kubernetes/compare/master...thockin:pr-39164-plus?expand=1

…

On Tue, May 30, 2017 at 2:14 PM, Tim Hockin ***@***.***> wrote: I removed the should-be-totally-unnecessary code for NP from pkg/apis/extensions - leaving it in pkg/apis/extensions/v1beta1 It compiles. I can POST a networking/v1 object, and it is stored in etcd as extensions/v1beta1 - yay! I can NOT POST an extensions/v1beta1 object. ``` $ cat /tmp/netpol.yaml apiVersion: extensions/v1beta1 kind: NetworkPolicy metadata: name: my-netpol spec: podSelector: {} $ kubectl create -f /tmp/netpol.yaml error: error validating "/tmp/netpol.yaml": error validating data: couldn't find type: v1beta1.NetworkPolicy; if you choose to ignore these errors, turn validation off with --validate=false $ kubectl create -f /tmp/netpol.yaml --validate=false error: unable to recognize "/tmp/netpol.yaml": no matches for extensions/, Kind=NetworkPolicy ``` Looking up that 2nd error, I get to staging/src/k8s.io/ apimachinery/pkg/api/meta/multirestmapper.go, where I see things like: ``` return nil, &NoKindMatchError{PartialKind: gk.WithVersion("")} ``` ...and I am lost On Mon, May 29, 2017 at 10:49 AM, Mo Khan ***@***.***> wrote: > If we delete the extensions.NetworkPolicy - who would register the > v1beta1 endpoint? Ugh, I don't understand the apiserver anymore.... > > @thockin <https://github.com/thockin> you could register the types from > the other package. For example, pkg/apis/apps registers the > pkg/apis/extensions types: > > // Adds the list of known types to api.Scheme.func addKnownTypes(scheme *runtime.Scheme) error { > // TODO this will get cleaned up with the scheme types are fixed > scheme.AddKnownTypes(SchemeGroupVersion, > &extensions.Deployment{}, > &extensions.DeploymentList{}, > &extensions.DeploymentRollback{}, > &extensions.Scale{}, > &StatefulSet{}, > &StatefulSetList{}, > ) > return nil > } > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub > <#39164 (comment)>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/AFVgVN6AGr3qfsvX3mYsIln_DGDVzpIrks5r-wVDgaJpZM4LURyY> > . >

[thockin]

At this point, I am stopping my investigation. I don't have time to crawl around. If the worst problem we have is duplicated code, I guess I will live. It does feel like this should be possible.

…

On Tue, May 30, 2017 at 2:15 PM, Tim Hockin ***@***.***> wrote: https://github.com/kubernetes/kubernetes/compare/master... thockin:pr-39164-plus?expand=1 On Tue, May 30, 2017 at 2:14 PM, Tim Hockin ***@***.***> wrote: > I removed the should-be-totally-unnecessary code for NP from > pkg/apis/extensions - leaving it in pkg/apis/extensions/v1beta1 > > It compiles. > > I can POST a networking/v1 object, and it is stored in etcd as > extensions/v1beta1 - yay! > > I can NOT POST an extensions/v1beta1 object. > > > ``` > $ cat /tmp/netpol.yaml > apiVersion: extensions/v1beta1 > kind: NetworkPolicy > metadata: > name: my-netpol > spec: > podSelector: {} > > $ kubectl create -f /tmp/netpol.yaml > error: error validating "/tmp/netpol.yaml": error validating data: > couldn't find type: v1beta1.NetworkPolicy; if you choose to ignore these > errors, turn validation off with --validate=false > > $ kubectl create -f /tmp/netpol.yaml --validate=false > error: unable to recognize "/tmp/netpol.yaml": no matches for > extensions/, Kind=NetworkPolicy > ``` > > Looking up that 2nd error, I get to staging/src/k8s.io/apimachi > nery/pkg/api/meta/multirestmapper.go, where I see things like: > > ``` > return nil, &NoKindMatchError{PartialKind: gk.WithVersion("")} > ``` > > ...and I am lost > > On Mon, May 29, 2017 at 10:49 AM, Mo Khan ***@***.***> > wrote: > >> If we delete the extensions.NetworkPolicy - who would register the >> v1beta1 endpoint? Ugh, I don't understand the apiserver anymore.... >> >> @thockin <https://github.com/thockin> you could register the types from >> the other package. For example, pkg/apis/apps registers the >> pkg/apis/extensions types: >> >> // Adds the list of known types to api.Scheme.func addKnownTypes(scheme *runtime.Scheme) error { >> // TODO this will get cleaned up with the scheme types are fixed >> scheme.AddKnownTypes(SchemeGroupVersion, >> &extensions.Deployment{}, >> &extensions.DeploymentList{}, >> &extensions.DeploymentRollback{}, >> &extensions.Scale{}, >> &StatefulSet{}, >> &StatefulSetList{}, >> ) >> return nil >> } >> >> — >> You are receiving this because you were mentioned. >> Reply to this email directly, view it on GitHub >> <#39164 (comment)>, >> or mute the thread >> <https://github.com/notifications/unsubscribe-auth/AFVgVN6AGr3qfsvX3mYsIln_DGDVzpIrks5r-wVDgaJpZM4LURyY> >> . >> > >

[gyliu513]

One question here is if I upgrade NetworkPolicy to v1, do I also need to upgrade the calico? Currently, I was using calico node image as 1.2.1 and calico policy controller image as 0.6.0. @danwinship

[gyliu513]

I filed an issue for calico https://github.com/projectcalico/k8s-policy/issues/108 , the NetworkPolicy of net.beta.kubernetes.io/network-policy still works in Kubernetes 1.7, but the CHANGELOG mentioned this has been removed in 1.7, is it a bug? @danwinship

---

NetworkPolicy has been promoted from extensions/v1beta1 to the new networking.k8s.io/v1 API group. The structure remains unchanged from the v1beta1 API. The net.beta.kubernetes.io/network-policy annotation on Namespaces (used to opt in to isolation) has been removed.