Should protocol be at a higher level than ports? #72
Comments
astoycos
added
the
api-review
|
This is a great issue @akhilles, I think we need to work through this a bit more as a group and will add it to the agenda to discuss tomorrow during the group meeting. |
|
Thanks! I'll try to attend the meeting. |
|
Kubernetes networking is mostly only defined for TCP, UDP, and SCTP. It is not defined how/whether NetworkPolicy affects other protocols. (Eg, if a pod is "isolated", does that mean it can't answer ARP requests?) For that matter, it is not defined how/whether other protocols even work on the pod network. (Eg, it's possible that the network plugin intercepts ARP requests and unicasts them rather than broadcasting them, or even just forges replies to them without ever sending them to the expected destination.) Administrators may have more use cases for lower-level protocols than app developers, but this still runs into the problem that it's not well-defined whether such protocols can traverse the pod network at all... |
|
We decided to start with documenting the fact that the behaviour for some protocols is undefined. Then we are going to get a list of use cases when this behaviour needs to be defined and update the docs for the corresponding cases. |
|
/assign @npinaeva |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
This effort will be tracked here #187 |
|
/close |
|
@npinaeva: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
In the current API, port numbers/ranges are given priority over protocol:
This makes it tricky to express rules for port-less IP protocols such as ICMP, OSPF, etc. This is probably fine for IPv4, but I think this is a problem for IPv6 due it's heavy reliance on ICMP. I expect a use-case such as "allow (TCP, 443) and ICMP traffic" to become increasingly common as IPv6 adoption improves. Maybe ICMP should be special-cased? But that seems a bit awkward.
I'm wondering whether this use-case warrants making protocol a top-level field in AdminNetworkPolicyPort. E.g:
Or perhaps making protocols the one-of variants. E.g:
This is a much larger change, but it enables custom selectors for each protocol. Looks like the CNI-specific NetworkPolicy APIs have gone in this direction as well:
Apologies if this has already been discussed elsewhere, I wasn't able to find any previous threads on this topic.
The text was updated successfully, but these errors were encountered: