Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Antrea-native policies should support appliedTo on a per rule basis #1327

Closed
Dyanngg opened this issue Sep 30, 2020 · 1 comment · Fixed by #1396
Closed

Antrea-native policies should support appliedTo on a per rule basis #1327

Dyanngg opened this issue Sep 30, 2020 · 1 comment · Fixed by #1396
Assignees
@Dyanngg
Labels
area/network-policy/api Issues or PRs related to the network policy API. kind/design Categorizes issue or PR as related to design.
Milestone
Antrea v0.12.0 re...

Comments

@Dyanngg
Copy link
Contributor

Dyanngg commented Sep 30, 2020
edited
Loading

Describe what you are trying to solve
Antrea NetworkPolicy CRDs like ACNP and ANP supports enforcing ingress/egress policies on workloads specified in the appliedTo field in the policy spec. However, cluster admins are often posed with the need to create policy that needs to be enforced on different workloads, but serve the same purpose. For instance, consider web and db instances running in four namespaces, web-1, web-2, db-1 and db-2. An admin user might want to create policy that denies ingress traffic from web-1 to db-2, and from web-2 to db-1. Since the rules need to be enforced on two distinct set of workloads (pods in db-1 and pods indb-2), user will need to create two separate Antrea-native policies (ACNP or CNP) for those two rules, while logically those rules should be grouped together instead.

Describe the solution you have in mind
Include a appliedTo field in ANP and ACNP "to/from" rules such that users can set whom this rule applies to on a per rule basis. This field however should not be set in conjunction with the appliedTo field in the policy spec. i.e. user can either

  1. set appliedTo in the policy spec section, without specifying appliedTo in any of the ingress/egress rules, or
  2. set appliedTo in each and every one of the ingress/egress rules defined in the policy, without setting appliedTo in the policy spec section. Validation needs to be done to ensure this.

As such, the rules mentioned in the section above can now be grouped into one policy:

apiVersion: security.antrea.tanzu.vmware.com/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: cnp-drop-cross-namespace
spec:
    priority: 1
    tier: securityops
    ingress:
      - action: Drop
        appliedTo:
          - podSelector:
              matchLabels:
                 role: db-1
        from:
          - podSelector:
              matchLabels:
                role: web-2
      - action: Drop
        appliedTo:
          - podSelector:
              matchLabels:
                 role: db-2
        from:
          - podSelector:
              matchLabels:
                role: web-1

Describe how your solution impacts user flows
This change will not impact existing policies or rules where appliedTo is set in the policy spec section, as this will continue to be supported. When creating new ACNP and ANPs, user will be able to define the policy in either 1) or 2) format as mentioned in the section above.

Describe the main design/architecture of your solution
To be added.
@Dyanngg Dyanngg added area/network-policy/api Issues or PRs related to the network policy API. kind/design Categorizes issue or PR as related to design. labels Sep 30, 2020
@Dyanngg Dyanngg self-assigned this Sep 30, 2020
@Dyanngg Dyanngg added this to the Antrea v0.11.0 release milestone Oct 9, 2020
@Dyanngg Dyanngg mentioned this issue Oct 9, 2020
Closed
@Dyanngg Dyanngg mentioned this issue Oct 16, 2020
Merged
@antoninbas
Copy link
Contributor

We agreed to postpone this to v0.12

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Dyanngg Dyanngg

Labels
area/network-policy/api Issues or PRs related to the network policy API. kind/design Categorizes issue or PR as related to design.
Projects
None yet
Milestone
Antrea v0.12.0 release
2 participants
@antoninbas @Dyanngg