-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
reopen the egress policy debate :) #28
Comments
just clarifying , I won't write a KEP until 2025 :P |
/assign @astoycos |
This came up in the sig-network-policy API meeting on Monday May 28th 2022 (I recommend watching the recording if you were not able to make it) I will give a better summary of the discussion here in a bit to try and get the conversation going. |
Originally the design for Admin Network Policy did include N/S use cases such as the one described in #9. This was removed due to some of the same issues NetworkPolicy faced with IPblock selectors (i.e The pre/post SNAT ambiguity, etc), the fact that the proposal was already extremely complicated and lastly that we believed designing for N/S use cases would be better completed in a separate/new object (something like an Egress Firewall object). Even now in the Admin Network Policy API PR we still explicitly leave the selection of N/S traffic out of the API. However, there is some rational for re-opening this conversation while the implementation of the API is still active,
The way I see it we have a few options moving forward,
Please let me know what you all think! |
/assign @danwinship @thockin @caseydavenport |
This was brought up in the ANP KEP, but NetworkPolicy already requires plugins to be able to distinguish E/W from N/S traffic ( I brought up in the meeting (or tried to bring up; I was having trouble describing it) that if this really is a problem, then one way to deal with it might be to say that plugins are allowed to get confused about hosts "near the cluster", but they aren't allowed to get confused about hosts "far away from the cluster". So, like, if your plugin allocates pod IPs from the same subnet as node IPs, then a rule saying "allow egress to all pods" might end up allowing egress to nodes too, but it could never allow egress to (Although that's also a bad example because one of the things I brought up in my old ClusterEgressFirewall proto-KEP that you linked to is that admins really want a way to reliably refer specifically to "all node IPs".) |
As discussed today, I suspected we would need to reopen this, but let's get v0 committed and then iterate on this |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
/remove-lifecycle rotten |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
/remove-lifecycle stale |
/remove-lifecycle rotten |
/assign @tssurya I'd like to own and push this forward as there are a lot of users/customers wanting this support in ANP. What better time than to start doing this while the API is fairly new and in development. I also have additional downstream investment angle here as we are starting to implement this API in OVN-Kubernetes plugin. I have opened #86 -> Let's start with the user stories and then go from there? But for starters I'd rather have this support in the same API Object (ANP/BANP) than do a new object. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
Closing this in favour of #126 |
/close |
@tssurya: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Per sig network - the idea of mesh like features for choke points / egress policies, seems to have gotten a second wind.
maybe we should reopen #9
@rikatz :)
The text was updated successfully, but these errors were encountered: