
AdminNetworkPolicy support #2091

Open
abhiraut opened this issue Oct 8, 2020 · 33 comments
Assignees
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. sig/network Categorizes an issue or PR as relevant to SIG Network. tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team tracked/out-of-tree Denotes an out-of-tree enhancement issue, which does not need to be tracked by the Release Team

Comments

abhiraut (Contributor) commented Oct 8, 2020

Enhancement Description

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

/sig network

@k8s-ci-robot k8s-ci-robot added the sig/network Categorizes an issue or PR as relevant to SIG Network. label Oct 8, 2020
abhiraut (Contributor, Author) commented Oct 8, 2020

/cc @andrewsykim @jayunit100 @rikatz

@kikisdeliveryservice kikisdeliveryservice added the tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team label Oct 9, 2020
fejta-bot commented Jan 13, 2021

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 13, 2021
abhiraut (Contributor, Author) commented Jan 13, 2021

We are actively working on a proposal for this and a KEP should be submitted for review soon.

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 13, 2021
jayunit100 (Member) commented Jan 25, 2021

can you post a link to the ongoing design work in here @abhiraut ?

rikatz (Contributor) commented Jan 25, 2021

@k8s-ci-robot k8s-ci-robot added the lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. label Jan 25, 2021
@abhiraut abhiraut changed the title Allow expressing administrator intent using a cluster scoped NetworkPolicy Allow expressing administrator intent using a Cluster scoped NetworkPolicy Feb 18, 2021
@thockin thockin changed the title Allow expressing administrator intent using a Cluster scoped NetworkPolicy Cluster scoped NetworkPolicy Apr 30, 2021
abhiraut (Contributor, Author) commented Apr 30, 2021

@thockin you can find the KEP here -> #2522
I now updated this issue with the KEP link as well.

@thockin thockin added this to New (not evaluated) in SIG-Network KEPs via automation May 22, 2021
@thockin thockin moved this from New (not evaluated) to Pre-Alpha (code not merged) in SIG-Network KEPs Jun 1, 2021
@aojea aojea moved this from Pre-Alpha (code not merged) to New, not evaluated in SIG-Network KEPs Jun 1, 2021
@aojea aojea moved this from New, not evaluated to Evaluated, not committed in SIG-Network KEPs Jun 1, 2021
@aojea aojea moved this from Evaluated, not committed to Pre-Alpha (code not merged) in SIG-Network KEPs Jun 1, 2021
abhiraut (Contributor, Author) commented Jun 10, 2021

Update from 6/10/21 sig-network meeting:

  • Get reviews from sig-network folks on user stories -> https://github.com/kubernetes-sigs/network-policy-api/pulls (added some folks on individual PRs)
  • Need to close on some fundamental disagreements:
    -- IPBlock (external traffic; original source IP or follow NetworkPolicy v1)
    -- DNP CRD to solve weak (default) security rules or pick one of the alternatives suggested in the KEP
    -- Allow, Deny with Exceptions (authorize) model works for everyone? or Priority based or NP like whitelist

abhiraut (Contributor, Author) commented Jun 24, 2021

Most recent commits address the following:

  • Update in semantics from Authorize to Empower (no longer allowed but rather bypasses the Deny as exceptions)
  • updates to user stories
  • updates to Namespaces struct to include matching strategies -> Self, SameLabels; Selector
  • updates to KEP timelines/milestones

Key outstanding issues:

  • IPBlock external traffic -> we shall discuss this in sig-network for all things Netpol
  • Get feedback on `Empower`, `Deny` and `Allow` actions for CNP
  • Is "namespace user CAN override cluster admin rules" a valid use case to solve with this KEP? If yes, is DNP CRD overkill or we want to explore the alternatives suggested with a single CRD.
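
The two comments above (the Jun 10 list of open disagreements and the Jun 24 update) describe the cluster-scoped policy semantics under discussion: admin rules with `Allow`, `Deny` and `Empower` actions, where `Empower` is an exception that bypasses a `Deny` and hands the decision back to the namespace owner's NetworkPolicy, and peer namespaces resolved with the `Self`, `SameLabels` and `Selector` strategies. The following is an added illustration written for this page, not code from the KEP, from kubernetes-sigs/network-policy-api, or from any of the commenters. It is a toy evaluator that makes the decision flow concrete; it assumes, as a modelling choice of its own, that admin rules are checked in list order, and it reduces a namespace-scoped NetworkPolicy to the set of source namespaces it admits (real NetworkPolicy selects pods, ports and IP blocks). The namespaces, labels and rules are constructed sample data.

```python
# Added example, not code from the KEP or the network-policy-api project.
# Toy evaluator for the cluster-scoped NetworkPolicy semantics discussed in the
# thread: admin rules with Allow / Deny / Empower actions and peer namespaces
# resolved with the Self / SameLabels / Selector strategies. Assumptions of this
# example (not the KEP's): rules are checked in list order, and a namespace
# NetworkPolicy is reduced to "which source namespaces may reach this namespace".
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Namespace:
    name: str
    labels: Dict[str, str] = field(default_factory=dict)


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """Equality-based label selector; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.items())


def peer_namespaces(strategy: str, subject: Namespace, namespaces: List[Namespace],
                    same_labels: Tuple[str, ...] = (),
                    selector: Optional[Dict[str, str]] = None) -> Set[str]:
    """Resolve the peer namespace set for one rule using the three strategies."""
    if strategy == "Self":
        return {subject.name}
    if strategy == "SameLabels":
        # Peers carry the same values as the subject for the listed keys; a subject
        # that lacks one of the keys matches nothing rather than "everything unlabelled".
        return {ns.name for ns in namespaces
                if all(k in subject.labels and ns.labels.get(k) == subject.labels[k]
                       for k in same_labels)}
    if strategy == "Selector":
        return {ns.name for ns in namespaces if selector_matches(selector or {}, ns.labels)}
    raise ValueError(f"unknown namespace matching strategy: {strategy}")


@dataclass
class AdminRule:
    action: str                       # "Allow", "Deny" or "Empower"
    subject: Dict[str, str]           # namespaces whose pods this rule applies to
    peer_strategy: str                # "Self", "SameLabels" or "Selector"
    peer_same_labels: Tuple[str, ...] = ()
    peer_selector: Dict[str, str] = field(default_factory=dict)


def evaluate_ingress(rules: List[AdminRule], src_ns: str, dst_ns: str,
                     namespaces: List[Namespace],
                     ns_policies: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Decide whether traffic from src_ns may reach dst_ns; returns (allowed, reason)."""
    subject = next(ns for ns in namespaces if ns.name == dst_ns)
    for rule in rules:
        if not selector_matches(rule.subject, subject.labels):
            continue
        peers = peer_namespaces(rule.peer_strategy, subject, namespaces,
                                rule.peer_same_labels, rule.peer_selector)
        if src_ns not in peers:
            continue
        if rule.action == "Allow":
            return True, "admin Allow"
        if rule.action == "Deny":
            return False, "admin Deny"
        if rule.action == "Empower":
            # Empower is an exception, not a grant: stop evaluating admin rules and
            # let the namespace owner's NetworkPolicy decide.
            break
    # NetworkPolicy v1 behaviour: no policy selecting the namespace means allow,
    # otherwise only the whitelisted source namespaces get through.
    if dst_ns not in ns_policies:
        return True, "no namespace NetworkPolicy"
    if src_ns in ns_policies[dst_ns]:
        return True, "namespace NetworkPolicy allow"
    return False, "namespace NetworkPolicy default deny"


# Constructed sample cluster: a platform monitoring namespace and two tenants.
NAMESPACES = [
    Namespace("monitoring", {"team": "platform"}),
    Namespace("team-a", {"tenant": "a", "env": "prod"}),
    Namespace("team-a-dev", {"tenant": "a", "env": "dev"}),
    Namespace("team-b", {"tenant": "b", "env": "prod"}),
]
ADMIN_RULES = [
    AdminRule("Allow", {}, "Selector", peer_selector={"team": "platform"}),  # scrapers always get in
    AdminRule("Empower", {}, "SameLabels", peer_same_labels=("tenant",)),    # same tenant: owner decides
    AdminRule("Deny", {}, "Selector"),                                       # everything else: denied
]
# team-a's owner only lets its dev namespace in; team-b has no NetworkPolicy at all.
NS_POLICIES = {"team-a": {"team-a-dev"}}


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    pairs = [("monitoring", "team-a"), ("team-a-dev", "team-a"), ("team-a", "team-a"),
             ("team-b", "team-a"), ("team-b", "team-b"), ("team-a-dev", "team-b")]
    return {f"{s}->{d}": evaluate_ingress(ADMIN_RULES, s, d, NAMESPACES, NS_POLICIES)
            for s, d in pairs}


if __name__ == "__main__":
    for pair, (ok, why) in run_scenarios().items():
        print(f"{pair:25} {'ALLOW' if ok else 'DENY':5} ({why})")
```

The scenarios show the distinction the Jun 24 comment draws: `team-b -> team-b` is not allowed by the admin rules, it merely escapes the cluster-wide `Deny` and ends up allowed only because that namespace has no NetworkPolicy, while `team-a -> team-a` escapes the same `Deny` and is then rejected by the owner's own whitelist. This is the "namespace user CAN override cluster admin rules" case the comment asks about, expressed as an exception in the admin policy rather than as a separate DNP CRD.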

thockin (Member) commented Sep 3, 2021

For the record: this is NOT flagged for 1.23

abhiraut (Contributor, Author) commented Sep 3, 2021

updated release targets

k8s-triage-robot commented Dec 2, 2021

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. and removed lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. labels Dec 2, 2021
k8s-triage-robot commented Jan 1, 2022

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

nate-double-u commented Feb 15, 2022

Hi @abhiraut 👋 1.24 Docs lead here.

This enhancement is marked as Needs Docs for the 1.24 release.

Please follow the steps detailed in the documentation to open a PR against the dev-1.24 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday, March 31st, 2022 @ 18:00 PDT.

Also, if needed take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Thanks!

abhiraut (Contributor, Author) commented Feb 23, 2022

@astoycos @Dyanngg we need to add a placeholder doc PR soon.. FYI

astoycos (Contributor) commented Feb 25, 2022

@abhiraut @Dyanngg I think this may have been a mistake, we're implementing this as an out of tree CRD so I don't think we need an in-tree docs PR and instead will need to follow what the Gateway API folks have done here

@nate-double-u Can you please confirm this?

nate-double-u commented Mar 8, 2022

After having some chats with the release folks, I think you're right @astoycos. This KEP probably should be set to no docs needed as it's outside the purview of the docs release team (we normally just watch k/website).

gracenng (Member) commented Mar 15, 2022

Hi @abhiraut 1.24 Enhancements Team here,

With Code Freeze approaching on 18:00 PDT Tuesday March 29th 2022, the enhancement status is at risk as there is no linked code PR.
Is kubernetes-sigs/network-policy-api#30 part of the code PRs?
Kindly list them all in this issue. Thanks!

valaparthvi commented Mar 21, 2022

Hi @abhiraut and @thockin 👋 1.24 Release Comms team here.

We have an opt-in process for the feature blog delivery. If you would like to publish a feature blog for this issue in this cycle, then please opt in on this tracking sheet.

The deadline for submissions and the feature blog freeze is scheduled for 01:00 UTC Wednesday 23rd March 2022 / 18:00 PDT Tuesday 22nd March 2022. Other important dates for delivery and review are listed here: https://github.com/kubernetes/sig-release/tree/master/releases/release-1.24#timeline.

For reference, here is the blog for 1.23.

Please feel free to reach out any time to me or on the #release-comms channel with questions or comments.

Thanks!

astoycos (Contributor) commented Mar 28, 2022

Hi @gracenng, yes kubernetes-sigs/network-policy-api#30 is part of the code PRs for this issue, however because this object is implemented out-of-tree we are not bound by the code-freeze deadline, resulting in review of the accompanying PR being generally de-prioritized by many sig-network members for the time being.

@gracenng gracenng added the tracked/out-of-tree Denotes an out-of-tree enhancement issue, which does not need to be tracked by the Release Team label Mar 29, 2022
gracenng (Member) commented Mar 29, 2022

Makes sense and tagged. Thanks!!

valaparthvi commented Mar 29, 2022

Hi @abhiraut and @thockin 👋 1.24 Release Comms team here.

We have an opt-in process for the feature blog delivery. If you would like to publish a feature blog for this issue in this cycle, then please opt in on this tracking sheet.

The deadline for submissions and the feature blog freeze is scheduled for 01:00 UTC Wednesday 23rd March 2022 / 18:00 PDT Tuesday 22nd March 2022. Other important dates for delivery and review are listed here: https://github.com/kubernetes/sig-release/tree/master/releases/release-1.24#timeline.

For reference, here is the blog for 1.23.

Please feel free to reach out any time to me or on the #release-comms channel with questions or comments.

Thanks!

@abhiraut Would you like to add this to the feature blog? I can add it on your behalf if you still do not have the permissions. If you would like to add this to the feature blog, then please add a placeholder PR as well by March 30.

Example of a feature blog PR: kubernetes/website#30538
Example of a feature blog: https://github.com/kubernetes/website/blob/main/content/en/blog/_posts/2021-12-08-dual-stack-networking-ga.md

gracenng (Member) commented Mar 30, 2022

Hi, 1.24 Enhancements Lead here 👋. With code freeze now in effect, this enhancement has not met the criteria for the freeze and has been removed from the milestone.

As a reminder, the criteria for code freeze is:

  • All PRs to the kubernetes/kubernetes repo have merged by the code freeze deadline

Feel free to file an exception to add this back to the release. If you plan to do so, please file this as early as possible.

Thanks!
/milestone clear

@k8s-ci-robot k8s-ci-robot removed this from the v1.24 milestone Mar 30, 2022
@gracenng gracenng added tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team and removed tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Mar 30, 2022
k8s-triage-robot commented Jun 28, 2022

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. and removed lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. labels Jun 28, 2022
rikatz (Contributor) commented Jun 28, 2022

/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 28, 2022
@thockin thockin moved this from Pre-Alpha (we want to do this but the KEP or code is not merged yet) to Alpha gated (code is merged) in SIG-Network KEPs Aug 4, 2022
thockin (Member) commented Sep 29, 2022

Not really release-locked (yet?)

astoycos (Contributor) commented Sep 29, 2022

should we track this somewhere else @thockin? How did gateway-api go about this?

Projects
SIG-Network KEPs
Alpha gated (code is merged)