AdminNetworkPolicy support

[abhiraut]

Enhancement Description

• One-line enhancement description (can be used as a release note): Introduce cluster scoped AdminNetworkPolicy API.
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/2091-admin-network-policy
• Discussion Link: https://www.youtube.com/watch?v=yX1nFb3DS3A&list=PL69nYSiGNLP2E8vmnqo5MwPOY25sDWIxb Minute 29:00
• Primary contact (assignee): @abhiraut
• Responsible SIGs: sig-network
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y) - v1.24
  • Beta release target (x.y) - v1.26
  • Stable release target (x.y) - v1.28

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

/sig network

[abhiraut]

/cc @andrewsykim @jayunit100 @rikatz

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[abhiraut]

We are actively working on a proposal for this and a KEP should be submitted for review soon.

/remove-lifecycle stale

[jayunit100]

can you post a link to the ongoing design work in here @abhiraut ?

[rikatz]

https://docs.google.com/presentation/d/1Jk86jtS3TcGAugVSM_I4Yds5ukXFJ4F1ZCvxN5v2BaY/edit#slide=id.g338ac0a8b6_0_48

/lifecycle active

[abhiraut]

@thockin you can find the KEP here -> #2522
I now updated this issue with the KEP link as well.

[abhiraut]

Update from 6/10/21 sig-network meeting:

• Get reviews from sig-network folks on user stories -> https://github.com/kubernetes-sigs/network-policy-api/pulls (added some folks on individual PRs)
• Need to close on some fundamental disagreements:
  -- IPBlock (external traffic; original source IP or follow NetworkPolicy v1)
  -- DNP CRD to solve weak (default) security rules or pick one of the alternatives suggested in the KEP
  -- Allow, Deny with Exceptions (authorize) model works for everyone? or Priority based or NP like whitelist

[abhiraut]

Most recent commits address the following:

Update in semantics from Authorize to Empower (no longer allowed but rather bypasses the Deny as exceptions)
updates to user stories
updates to Namespaces struct to include matching strategies -> Self, SameLabels; Selector
updates to KEP timelines/milestones

Key outstanding issues:

IPBlock external traffic -> we shall discuss this in sig-network for all things Netpol
Get feedback on `Empower`, `Deny` and `Allow` actions for CNP
Is "namespace user CAN override cluster admin rules" a valid use case to solve with this KEP? If yes, is DNP CRD overkill or we want to explore the alternatives suggested with a single CRD.

[thockin]

For the record: this is NOT flagged for 1.23

[abhiraut]

updated release targets

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[rikatz]

/lifecycle frozen

[thockin]

Not really release-locked (yet?)

[astoycos]

should we track this somewhere else @thockin? How did gateway-api go about this?

[thockin]

Status: waiting on implementations. It's all out-of-tree so no milestone needed yet?

[adibraver]

Hello All. I am interested in using the AdminNetworkPolicy. I see that its status is "frozen". What does this mean in practice? Is it something I can use and rely on for the future? Thanks!

[tssurya]

Hello All. I am interested in using the AdminNetworkPolicy. I see that its status is "frozen". What does this mean in practice? Is it something I can use and rely on for the future? Thanks!

the v1alpha1 API for ANP is here: https://github.com/kubernetes-sigs/network-policy-api ; anyone can use it provided the CNI implements it.

[astoycos]

@thockin I think we should close this issue, since AdminNetworkPolicy is being implemented and tracked out of tree at https://github.com/kubernetes-sigs/network-policy-api

[thockin]

I have been meaning to figure out how we want to track it. Happy to close this.

[aauren]

Is there another issue in https://github.com/kubernetes-sigs/network-policy-api where we can easily watch for updates on this? I'm very interested in this effort and it would be good to have a centralized place where I can get email updates as progress occures.

[aojea]

@aauren sync wiht @astoycos and @tssurya and @npinaeva , they have periodic meetings and there is also a slack channel

[tssurya]

@aauren : Added you to slack channel.. let us know if you have any questions. Also see https://network-policy-api.sigs.k8s.io/

[aauren]

Thank you!